Browser being redirected to other sites


  • This topic is locked
10 replies to this topic

#1 boatman_jack (Members, 6 posts)

Posted 14 January 2010 - 04:06 PM

When browsing, 5 of 6 times you are redirected to random shopping or search sites. This computer was riddled with trojans/viruses that were cleared by MalwareBytes, but this redirection condition remains. Thanks in advance for your help.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Dennis Kalmes at 14:20:40.56 on Thu 01/14/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1320 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: StopSign Antivirus *On-access scanning disabled* (Updated) {3E1D4556-3240-40c8-BBED-64A8690A3FB4}
FW: StopSign Firewall *enabled* {06936B90-CB61-4dcb-AABD-C0E25320F6C3}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dennis Kalmes\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://frontier.my.yahoo.com
uSearch Page =
uSearch Bar =
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mSearchAssistant =
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
{b753c7c5-0942-4b7f-bc27-942b52bdac66}
BHO: {c3bd4a4c-d9d0-4cc7-af4e-a5336d2559d0} - woheluba.dll
BHO: XBTBPos00 Class: {fcbccb87-9224-4b8d-b117-f56d924beb18} - c:\program files\my.freeze.com toolbar\freeze_us.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {D0523BB4-21E7-11DD-9AB7-415B56D89593} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {24BE56F9-F0B6-4ac7-97F1-8CACEDA9A427} - {B753C7C5-0942-4b7f-BC27-942B52BDAC66}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: turbotax.com
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185213374828
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4876/mcfscan.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: bihohanuh - {e27db809-be34-444d-bfe4-3931b9c5dea6} - No File
SSODL: tafabasib - {99cad436-977f-4b27-86cd-1ac60cef081e} - No File
SSODL: zipufihaf - {d7c91522-73c1-4f9b-91e5-cd77c60c773b} - No File
SSODL: SysNet - {F8B38F64-FB66-453A-B600-222A4057E209} - No File
SSODL: huvepidut - {36b3edd3-beba-47f2-badf-1cacb2134429} - No File
STS: {e27db809-be34-444d-bfe4-3931b9c5dea6}: gahurihor
STS: {99cad436-977f-4b27-86cd-1ac60cef081e}: tokatiluy
STS: {d7c91522-73c1-4f9b-91e5-cd77c60c773b}: gahurihor
STS: {36b3edd3-beba-47f2-badf-1cacb2134429}: kupuhivus
SEH: ExecuteMonitorShellHook Class: {42dd0873-5fa9-465d-90de-0826020416a5} - c:\program files\stopsign\onaccess\onaccess_hk32.dll
LSA: Notification Packages = scecli natowoso.dll suhamose.dll vapudabi.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dennis~1\applic~1\mozilla\firefox\profiles\j74wq1ue.default\
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: browser.startup.homepage - hxxp://frontier.my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUman000&fl=0&ptb=_pj3VFBPr7v4p.67476CVw&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 fwcore;Fwcore Filter;c:\windows\system32\drivers\fwcore.sys [2006-12-23 109536]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-9-16 214664]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-11-12 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-11-12 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-11-12 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-11-12 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-11-12 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-11-12 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-11-12 34248]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-11-12 40552]
S2 eac_notifysvc;eAcceleration Notification Service;"c:\program files\eacceleration\framework\eac_svc.exe" --> c:\program files\eacceleration\framework\eac_svc.exe [?]
S2 eac_productsvc;eAcceleration Product Manager Service;"c:\program files\eacceleration\framework\eac_productsvc.exe" --> c:\program files\eacceleration\framework\eac_productsvc.exe [?]
S2 mrtRate;mrtRate; [x]
S3 ALABULKO;OLYMPUS USB Media Adapter device driver;c:\windows\system32\drivers\ALABLK2O.SYS [2002-8-31 33392]
S3 FWService;FWService;c:\program files\stopsign\firewall\fwservice.exe -service --> c:\program files\stopsign\firewall\FWService.exe -Service [?]
S4 ssfwmonsvc;StopSign Firewall Security Center Provider;"c:\program files\eacceleration\framework\eac_svc.exe" --> c:\program files\eacceleration\framework\eac_svc.exe [?]
S4 sstsmonsvc;StopSign Antivirus Security Center Provider;"c:\program files\eacceleration\framework\eac_svc.exe" --> c:\program files\eacceleration\framework\eac_svc.exe [?]

=============== Created Last 30 ================

2010-01-14 18:48:52 0 dc----w- c:\program files\Trend Micro
2010-01-11 16:48:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-11 16:48:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-11 16:48:03 0 dc----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-06 00:49:22 6435 ----a-w- c:\windows\system32\WORK.DAT

==================== Find3M ====================

2010-01-10 21:50:23 42742 -c--a-w- c:\docume~1\dennis~1\applic~1\wklnhst.dat
2009-11-21 15:51:04 471552 ----a-w- c:\windows\system32\dllcache\aclayers.dll
2009-11-10 00:33:32 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-10-29 23:20:16 554 -c-ha-w- C:\aaw7boot.cmd
2009-10-28 14:40:47 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys

============= FINISH: 14:23:11.29 ===============

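
An added triage example for the "Pseudo HJT Report" above (this is not part of the original post and not code from the DDS tool). It reads HJT-style lines and applies four heuristics a helper typically checks first: registrations whose file is gone ("No File"), BHO/SSODL entries that load a bare DLL name with no directory, STS (SharedTaskScheduler) entries that share a CLSID with an orphaned SSODL entry, and LSA Notification Packages beyond the stock XP entry. The sample input is copied from the DDS log in the post above; the rules and the assumption that scecli is the only default LSA package are this example's own. A flag means "look at this by hand", not "this is malware".

```python
"""Triage a DDS 'Pseudo HJT Report' for the entries a malware helper checks first.

Added example for this thread; it is not part of the original post and not
code from the DDS tool. Sample input is copied from the log posted above.
"""
import re

# Assumption: on a stock Windows XP install the only LSA notification package
# registered is scecli. Anything else is worth a manual look.
DEFAULT_LSA_PACKAGES = {"scecli"}

# Lines copied from the DDS log in the post above (sample input for this example).
SAMPLE_LOG = r"""
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {c3bd4a4c-d9d0-4cc7-af4e-a5336d2559d0} - woheluba.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: bihohanuh - {e27db809-be34-444d-bfe4-3931b9c5dea6} - No File
STS: {e27db809-be34-444d-bfe4-3931b9c5dea6}: gahurihor
LSA: Notification Packages = scecli natowoso.dll suhamose.dll vapudabi.dll
"""

LINE_RE = re.compile(r"^(?P<kind>[A-Za-z]+): (?P<body>.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse_hjt(text):
    """Turn each 'KIND: body' line into a dict: kind, lower-cased CLSID (if any),
    and the target after the last ' - ' separator (the file the entry loads)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        body = m.group("body")
        guid = GUID_RE.search(body)
        entries.append({
            "kind": m.group("kind"),
            "clsid": guid.group(0).lower() if guid else None,
            "target": body.rsplit(" - ", 1)[-1].strip(),
            "raw": line,
        })
    return entries


def triage(entries):
    """Return (rule, detail) findings for the four heuristics described in the lead-in."""
    findings = []
    # CLSIDs of SSODL entries whose DLL is gone; an STS entry reusing one of
    # them is the same component registered under a second load point.
    orphan_clsids = {e["clsid"] for e in entries
                     if e["kind"] == "SSODL" and e["target"] == "No File" and e["clsid"]}
    for e in entries:
        kind, target = e["kind"], e["target"]
        if kind in {"BHO", "TB", "SSODL"}:
            if target == "No File":
                findings.append(("orphaned-registration", e["raw"]))
            elif "\\" not in target and target.lower().endswith(".dll"):
                # Bare file name: resolved through the DLL search path, with no
                # vendor directory to vouch for it.
                findings.append(("bare-dll-no-path", e["raw"]))
        elif kind == "STS" and e["clsid"] in orphan_clsids:
            findings.append(("sts-paired-with-orphan-ssodl", e["raw"]))
        elif kind == "LSA" and target.startswith("Notification Packages"):
            for pkg in target.split("=", 1)[1].split():
                name = re.sub(r"\.dll$", "", pkg, flags=re.IGNORECASE).lower()
                if name not in DEFAULT_LSA_PACKAGES:
                    findings.append(("nonstandard-lsa-notification-package", pkg))
    return findings


def triage_log(text):
    """Convenience wrapper: parse then triage a whole report."""
    return triage(parse_hjt(text))


if __name__ == "__main__":
    for rule, detail in triage_log(SAMPLE_LOG):
        print(f"{rule:40} {detail}")
```

Run it against the full DDS output by replacing SAMPLE_LOG with the pasted report; the LSA rule is the one to act on first, since a DLL in Notification Packages is loaded by lsass.exe at boot and survives browser-level cleanup.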
#2 myrti (Malware Study Hall Admin, 33,766 posts)

Posted 20 January 2010 - 04:27 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  1. Please download OTL from the following mirror:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti



#3 boatman_jack (Topic Starter, Members, 6 posts)

Posted 20 January 2010 - 05:04 PM

Hello. I have made no changes since my original post. Here are the requested files.

OTL logfile created on: 1/20/2010 3:51:50 PM - Run 1
OTL by OldTimer - Version 3.1.25.2 Folder = C:\Documents and Settings\Dennis Kalmes\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 70.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 70.28 Gb Total Space | 50.22 Gb Free Space | 71.46% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DCM2R071
Current User Name: Dennis Kalmes
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/20 15:50:46 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dennis Kalmes\Desktop\OTL.exe
PRC - [2009/12/08 14:25:28 | 00,093,320 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2009/10/29 06:54:44 | 01,218,008 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/27 11:19:46 | 00,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/10/02 13:02:56 | 00,026,640 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSK\msksrver.exe
PRC - [2009/09/17 14:29:04 | 00,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/09/16 10:22:08 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/09/16 09:28:38 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2009/07/08 11:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 19:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/03/08 13:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2008/10/10 05:45:26 | 00,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2008/04/13 18:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/08/09 01:27:52 | 00,073,728 | ---- | M] (HP) -- C:\WINDOWS\SYSTEM32\HPZipm12.exe
PRC - [2004/12/06 01:05:00 | 00,127,035 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe


========== Modules (SafeList) ==========

MOD - [2010/01/20 15:50:46 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dennis Kalmes\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (sstsmonsvc)
SRV - File not found [Disabled | Stopped] -- -- (ssfwmonsvc)
SRV - File not found [On_Demand | Stopped] -- -- (FWService)
SRV - File not found [Auto | Stopped] -- -- (eac_productsvc)
SRV - File not found [Auto | Stopped] -- -- (eac_notifysvc)
SRV - [2009/12/08 14:25:28 | 00,093,320 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2009/10/27 11:19:46 | 00,895,696 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/10/02 13:02:56 | 00,026,640 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSK\MskSrver.exe -- (MSK80Service)
SRV - [2009/09/17 14:29:04 | 00,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/09/16 11:23:32 | 00,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/09/16 10:22:08 | 00,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/09/16 09:28:38 | 00,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Running] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/07/08 20:22:22 | 00,068,112 | ---- | M] (McAfee) [On_Demand | Stopped] -- C:\Program Files\McAfee\MBK\MBackMonitor.exe -- (MBackMonitor)
SRV - [2009/07/08 11:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 19:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2008/10/10 05:45:26 | 00,013,088 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2007/08/09 01:27:52 | 00,073,728 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\SYSTEM32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2007/03/07 14:47:46 | 00,076,848 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)
SRV - [2003/12/17 13:59:48 | 00,143,360 | ---- | M] (Intel® Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe -- (NetSvc)


========== Driver Services (SafeList) ==========

DRV - [2009/09/16 10:22:48 | 00,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys -- (mfehidk)
DRV - [2009/09/16 10:22:48 | 00,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys -- (mfeavfk)
DRV - [2009/09/16 10:22:48 | 00,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 10:22:48 | 00,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys -- (mfebopk)
DRV - [2009/09/16 10:22:14 | 00,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\mferkdk.sys -- (mferkdk)
DRV - [2009/08/05 12:41:47 | 00,109,536 | ---- | M] (eAcceleration Corp) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\fwcore.sys -- (fwcore)
DRV - [2009/07/16 12:32:26 | 00,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\Mpfp.sys -- (MPFP)
DRV - [2009/04/28 14:20:06 | 00,044,944 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2008/04/13 12:40:30 | 00,096,512 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\atapi.sys -- (atapi)
DRV - [2008/04/13 12:36:39 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 12:36:39 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2007/11/13 04:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\secdrv.sys -- (Secdrv)
DRV - [2007/02/25 11:10:48 | 00,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\dsunidrv.sys -- (dsunidrv)
DRV - [2006/10/05 15:07:28 | 00,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2005/09/20 10:00:54 | 01,302,332 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ialmnt5.sys -- (ialm)
DRV - [2005/03/21 09:33:03 | 00,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\asctrm.sys -- (ASCTRM)
DRV - [2005/03/07 22:52:28 | 00,021,744 | R--- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\HPZius12.sys -- (HPZius12)
DRV - [2005/03/07 22:52:27 | 00,016,496 | R--- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\HPZipr12.sys -- (HPZipr12)
DRV - [2005/03/07 22:52:26 | 00,051,120 | R--- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\HPZid412.sys -- (HPZid412)
DRV - [2004/12/06 01:05:00 | 00,100,603 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnudfa.sys -- (tfsnudfa)
DRV - [2004/12/06 01:05:00 | 00,098,714 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnudf.sys -- (tfsnudf)
DRV - [2004/12/06 01:05:00 | 00,086,586 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnifs.sys -- (tfsnifs)
DRV - [2004/12/06 01:05:00 | 00,034,843 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsncofs.sys -- (tfsncofs)
DRV - [2004/12/06 01:05:00 | 00,025,883 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnboio.sys -- (tfsnboio)
DRV - [2004/12/06 01:05:00 | 00,015,227 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnopio.sys -- (tfsnopio)
DRV - [2004/12/06 01:05:00 | 00,006,363 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnpool.sys -- (tfsnpool)
DRV - [2004/12/06 01:05:00 | 00,004,123 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsndrct.sys -- (tfsndrct)
DRV - [2004/12/06 01:05:00 | 00,002,239 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsndres.sys -- (tfsndres)
DRV - [2004/12/01 03:22:00 | 00,087,488 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb)
DRV - [2004/11/23 02:56:00 | 00,040,480 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\drvnddm.sys -- (drvnddm)
DRV - [2004/10/29 14:14:44 | 00,260,096 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\smwdm.sys -- (smwdm)
DRV - [2004/09/17 10:02:54 | 00,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\senfilt.sys -- (senfilt)
DRV - [2004/08/04 05:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\PTILINK.SYS -- (Ptilink)
DRV - [2004/08/03 22:29:56 | 01,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\NV4_MINI.SYS -- (nv)
DRV - [2004/07/14 11:29:04 | 00,005,627 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\sscdbhk5.sys -- (sscdbhk5)
DRV - [2004/07/14 11:28:50 | 00,023,545 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ssrtln.sys -- (ssrtln)
DRV - [2004/06/15 22:52:40 | 00,061,157 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC53.sys -- (IntelC53)
DRV - [2004/03/05 22:15:34 | 00,647,929 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC52.sys -- (IntelC52)
DRV - [2004/03/05 22:14:42 | 01,233,525 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC51.sys -- (IntelC51)
DRV - [2004/03/05 22:13:38 | 00,037,048 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mohfilt.sys -- (mohfilt)
DRV - [2004/02/10 15:49:14 | 00,154,112 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\e100b325.sys -- (E100B) Intel®
DRV - [2002/08/31 18:00:00 | 00,033,392 | ---- | M] (OLYMPUS OPTICAL Co.,Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ALABLK2O.SYS -- (ALABULKO)
DRV - [2001/08/17 14:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 14:07:42 | 00,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 14:07:40 | 00,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 14:07:36 | 00,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 14:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 13:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\MODEMCSA.sys -- (MODEMCSA)
DRV - [2001/08/17 13:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 13:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 13:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 13:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 13:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 13:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 13:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 13:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 13:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 13:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-545598731-104329808-548279382-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKU\S-1-5-21-545598731-104329808-548279382-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://frontier.my.yahoo.com
IE - HKU\S-1-5-21-545598731-104329808-548279382-1007\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKU\S-1-5-21-545598731-104329808-548279382-1007\S-1-5-21-545598731-104329808-548279382-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "MyWebSearch"
FF - prefs.js..browser.startup.homepage: "http://frontier.my.yahoo.com/"
FF - prefs.js..extensions.enabledItems: {52EF0988-5232-4465-86E7-6434B5891030}:1.0
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.0
FF - prefs.js..keyword.URL: "http://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUman000&fl=0&ptb=_pj3VFBPr7v4p.67476CVw&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor="

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2009/12/25 06:31:05 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/22 20:45:08 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/22 20:45:08 | 00,000,000 | ---D | M]

[2009/09/26 13:33:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Dennis Kalmes\Application Data\Mozilla\Extensions
[2010/01/14 13:01:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Dennis Kalmes\Application Data\Mozilla\Firefox\Profiles\j74wq1ue.default\extensions
[2009/09/27 05:16:33 | 00,009,941 | ---- | M] () -- C:\Documents and Settings\Dennis Kalmes\Application Data\Mozilla\Firefox\Profiles\j74wq1ue.default\searchplugins\mywebsearch.xml
[2010/01/14 13:01:13 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/10/29 09:05:57 | 00,000,000 | ---D | M] (Kwinzy) -- C:\Program Files\Mozilla Firefox\extensions\{52EF0988-5232-4465-86E7-6434B5891030}
[2009/09/26 13:25:15 | 00,002,381 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\kwinzy139.xml
[2009/10/01 11:25:46 | 00,002,381 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\kwinzy141.xml
[2009/10/15 17:57:25 | 00,002,381 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\kwinzy143.xml
[2009/10/29 09:05:57 | 00,002,381 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\kwinzy149.xml

O1 HOSTS File: ([2008/12/08 13:59:53 | 00,000,734 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (no name) - {B753C7C5-0942-4b7f-BC27-942B52BDAC66} - No CLSID value found.
O2 - BHO: (no name) - {c3bd4a4c-d9d0-4cc7-af4e-a5336d2559d0} - File not found
O2 - BHO: (XBTBPos00 Class) - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\My.Freeze.com Toolbar\freeze_us.dll ()
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-545598731-104329808-548279382-1007\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-545598731-104329808-548279382-1007\..\Toolbar\WebBrowser: (no name) - {D0523BB4-21E7-11DD-9AB7-415B56D89593} - No CLSID value found.
O3 - HKU\S-1-5-21-545598731-104329808-548279382-1007\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [dla] C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe (Sonic Solutions)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [McENUI] C:\Program Files\McAfee\MHN\McENUI.exe (McAfee, Inc.)
O4 - HKU\.DEFAULT..\Run: [DWQueuedReporting] c:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [DWQueuedReporting] c:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-545598731-104329808-548279382-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = FF 00 00 00 [binary data]
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll (Sun Microsystems, Inc.)
O9 - Extra 'Tools' menuitem : Block This Page - {24BE56F9-F0B6-4ac7-97F1-8CACEDA9A427} - Reg Error: Key error. File not found
O9 - Extra Button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - File not found
O12 - Plugin for: .wav - C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll (Apple Computer, Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-545598731-104329808-548279382-1007\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O15 - HKU\S-1-5-21-545598731-104329808-548279382-1007\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-545598731-104329808-548279382-1007\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1185213374828 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_04)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_08)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_09)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_10)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_11)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} http://download.mcafee.com/molbin/iss-loc/...876/mcfscan.cab (McFreeScan Class)
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll (PCPitstop Exam)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.77.130 68.87.72.130 68.87.75.194
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O21 - SSODL: bihohanuh - {e27db809-be34-444d-bfe4-3931b9c5dea6} - CLSID or File not found.
O21 - SSODL: huvepidut - {36b3edd3-beba-47f2-badf-1cacb2134429} - CLSID or File not found.
O21 - SSODL: SysNet - {F8B38F64-FB66-453A-B600-222A4057E209} - CLSID or File not found.
O21 - SSODL: tafabasib - {99cad436-977f-4b27-86cd-1ac60cef081e} - CLSID or File not found.
O21 - SSODL: zipufihaf - {d7c91522-73c1-4f9b-91e5-cd77c60c773b} - CLSID or File not found.
O22 - SharedTaskScheduler: {36b3edd3-beba-47f2-badf-1cacb2134429} - kupuhivus - Reg Error: Key error. File not found
O22 - SharedTaskScheduler: {99cad436-977f-4b27-86cd-1ac60cef081e} - tokatiluy - Reg Error: Key error. File not found
O22 - SharedTaskScheduler: {d7c91522-73c1-4f9b-91e5-cd77c60c773b} - gahurihor - Reg Error: Key error. File not found
O22 - SharedTaskScheduler: {e27db809-be34-444d-bfe4-3931b9c5dea6} - gahurihor - Reg Error: Key error. File not found
O24 - Desktop Components:0 () - file:///C:/DOCUME~1/DENNIS~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {42DD0873-5FA9-465D-90DE-0826020416A5} - C:\Program Files\StopSign\OnAccess\onaccess_hk32.dll File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 13:04:08 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{93fe6beb-bc1b-11db-a469-00038a000015}\Shell - "" = AutoRun
O33 - MountPoints2\{93fe6beb-bc1b-11db-a469-00038a000015}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{93fe6beb-bc1b-11db-a469-00038a000015}\Shell\AutoRun\command - "" = I:\LaunchU3.exe -- File not found
O33 - MountPoints2\{f721a014-ee66-11db-a4bc-00038a000015}\Shell - "" = AutoRun
O33 - MountPoints2\{f721a014-ee66-11db-a4bc-00038a000015}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{f721a014-ee66-11db-a4bc-00038a000015}\Shell\AutoRun\command - "" = I:\LaunchU3.exe -- File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/01/20 15:50:34 | 00,547,328 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Dennis Kalmes\Desktop\OTL.exe
[2010/01/14 14:30:25 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Dennis Kalmes\Desktop\RootRepeal.exe
[2010/01/14 12:48:52 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/01/14 12:48:12 | 00,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Dennis Kalmes\Desktop\HJTInstall.exe
[2010/01/14 12:29:36 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\Dennis Kalmes\Recent
[2010/01/11 15:33:28 | 00,167,936 | ---- | C] (Soeperman Enterprises Ltd.) -- C:\Documents and Settings\Dennis Kalmes\Desktop\StartupList.exe
[2010/01/11 10:48:05 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/11 10:48:04 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/11 10:48:03 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/12/18 17:36:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2009/11/06 13:47:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2008/08/20 04:00:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2007/09/04 14:19:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2007/09/04 13:26:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\eAcceleration
[2007/07/11 07:00:31 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2006/10/14 11:51:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Google
[2006/06/20 13:47:54 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\LocalService\Application Data\GTek
[2005/04/11 13:19:21 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2005/04/04 17:54:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2005/03/24 15:41:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\McAfee.com Personal Firewall
[2005/03/21 08:44:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/01/20 15:50:46 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dennis Kalmes\Desktop\OTL.exe
[2010/01/20 15:43:03 | 00,025,767 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2010/01/20 15:43:00 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2010/01/20 15:42:09 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/20 15:42:03 | 00,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2010/01/15 11:30:44 | 05,242,880 | ---- | M] () -- C:\Documents and Settings\Dennis Kalmes\ntuser.dat
[2010/01/15 11:30:44 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\Dennis Kalmes\NTUSER.INI
[2010/01/15 11:10:05 | 00,000,310 | ---- | M] () -- C:\WINDOWS\tasks\phtksqmj.job
[2010/01/15 11:10:05 | 00,000,296 | ---- | M] () -- C:\WINDOWS\tasks\eyvkpcwn.job
[2010/01/14 16:16:00 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/01/14 14:32:12 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Dennis Kalmes\Desktop\settings.dat
[2010/01/14 14:30:35 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Dennis Kalmes\Desktop\RootRepeal.exe
[2010/01/14 14:20:02 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\Dennis Kalmes\Desktop\dds.scr
[2010/01/14 12:48:52 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\Dennis Kalmes\Desktop\HijackThis.lnk
[2010/01/14 12:48:16 | 00,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Dennis Kalmes\Desktop\HJTInstall.exe
[2010/01/14 10:09:05 | 00,524,016 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/01/14 10:09:05 | 00,442,466 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT
[2010/01/14 10:09:05 | 00,071,732 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT
[2010/01/14 10:07:03 | 00,273,376 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/01/12 14:40:52 | 00,000,638 | ---- | M] () -- C:\WINDOWS\WIN.INI
[2010/01/12 14:40:52 | 00,000,227 | ---- | M] () -- C:\WINDOWS\SYSTEM.INI
[2010/01/12 14:40:52 | 00,000,211 | RHS- | M] () -- C:\BOOT.INI
[2010/01/11 15:26:38 | 00,167,936 | ---- | M] (Soeperman Enterprises Ltd.) -- C:\Documents and Settings\Dennis Kalmes\Desktop\StartupList.exe
[2010/01/11 10:48:09 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/10 15:50:23 | 00,042,742 | ---- | M] () -- C:\Documents and Settings\Dennis Kalmes\Application Data\wklnhst.dat
[2010/01/10 15:33:25 | 00,002,483 | ---- | M] () -- C:\Documents and Settings\Dennis Kalmes\Desktop\Microsoft Word.lnk
[2010/01/10 06:17:59 | 00,006,456 | -H-- | M] () -- C:\WINDOWS\System32\jowameda
[2010/01/07 18:40:25 | 01,784,056 | ---- | M] () -- C:\Documents and Settings\Dennis Kalmes\Desktop\018.JPG
[2010/01/07 17:59:43 | 00,000,008 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\sysReserve.ini
[2010/01/07 16:07:14 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/07 16:07:04 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/05 18:49:22 | 00,006,435 | ---- | M] () -- C:\WINDOWS\System32\WORK.DAT
[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/14 14:32:12 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Dennis Kalmes\Desktop\settings.dat
[2010/01/14 14:19:48 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\Dennis Kalmes\Desktop\dds.scr
[2010/01/14 12:48:52 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\Dennis Kalmes\Desktop\HijackThis.lnk
[2010/01/11 10:48:09 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/08 21:01:39 | 00,000,296 | ---- | C] () -- C:\WINDOWS\tasks\eyvkpcwn.job
[2010/01/07 18:40:25 | 01,784,056 | ---- | C] () -- C:\Documents and Settings\Dennis Kalmes\Desktop\018.JPG
[2010/01/07 17:59:43 | 00,000,008 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\sysReserve.ini
[2010/01/05 18:49:22 | 00,006,435 | ---- | C] () -- C:\WINDOWS\System32\WORK.DAT
[2009/11/12 12:43:30 | 00,000,136 | ---- | C] () -- C:\Documents and Settings\Dennis Kalmes\Local Settings\Application Data\fusioncache.dat
[2009/10/22 16:29:14 | 00,000,036 | ---- | C] () -- C:\Documents and Settings\Dennis Kalmes\Local Settings\Application Data\housecall.guid.cache
[2007/09/13 20:35:25 | 00,000,243 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2006/11/06 17:58:11 | 00,000,083 | ---- | C] () -- C:\WINDOWS\gbsaver.ini
[2006/04/30 21:25:17 | 00,005,443 | ---- | C] () -- C:\Documents and Settings\Dennis Kalmes\Application Data\GdiplusUpgrade_MSIApproach_Wrapper.log
[2006/04/30 21:25:17 | 00,000,206 | ---- | C] () -- C:\WINDOWS\HPGdiPlus.ini
[2006/04/06 04:49:20 | 00,000,000 | ---- | C] () -- C:\WINDOWS\hpqEmlSz.INI
[2006/03/31 22:32:17 | 00,002,193 | ---- | C] () -- C:\Documents and Settings\Dennis Kalmes\Application Data\HPSU_48BitScanUpdate.log
[2006/03/31 22:32:17 | 00,000,214 | ---- | C] () -- C:\WINDOWS\HP_48BitScanUpdatePatch.ini
[2006/03/31 22:30:50 | 00,080,136 | ---- | C] () -- C:\Documents and Settings\Dennis Kalmes\Application Data\Update_HP_RedboxHprblog_HPSU.log
[2006/03/31 22:30:50 | 00,000,221 | ---- | C] () -- C:\WINDOWS\HP_RedboxHprblog_HPSU.ini
[2006/03/30 18:15:50 | 00,077,824 | R--- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2006/03/30 18:10:53 | 00,004,329 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2005/10/28 13:30:09 | 00,008,192 | ---- | C] () -- C:\Documents and Settings\Dennis Kalmes\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005/04/04 20:42:05 | 00,000,240 | ---- | C] () -- C:\WINDOWS\qwimp.ini
[2005/04/04 20:28:30 | 00,001,231 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2005/04/04 20:28:30 | 00,000,533 | ---- | C] () -- C:\WINDOWS\intuprof.ini
[2005/03/25 20:33:44 | 00,042,742 | ---- | C] () -- C:\Documents and Settings\Dennis Kalmes\Application Data\wklnhst.dat
[2005/03/24 16:56:29 | 00,000,045 | ---- | C] () -- C:\WINDOWS\EPSC82.ini
[2005/03/21 09:37:44 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/03/21 09:35:56 | 00,000,318 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/03/21 09:22:32 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/03/21 08:46:18 | 00,000,370 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/09/15 22:03:14 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/10 13:13:12 | 00,000,882 | ---- | C] () -- C:\WINDOWS\ORUN32.INI
[2004/08/04 05:00:00 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\FXSPERF.INI
[2001/07/06 15:30:00 | 00,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[1980/01/01 00:00:00 | 00,096,512 | ---- | C] () -- C:\WINDOWS\System32\drivers\atapi.sys
[1980/01/01 00:00:00 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 152 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C46995DA
@Alternate Data Stream - 138 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B623B5B8
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >


#############


OTL Extras logfile created on: 1/20/2010 3:51:50 PM - Run 1
OTL by OldTimer - Version 3.1.25.2 Folder = C:\Documents and Settings\Dennis Kalmes\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 70.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 70.28 Gb Total Space | 50.22 Gb Free Space | 71.46% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DCM2R071
Current User Name: Dennis Kalmes
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-545598731-104329808-548279382-1007\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0 -- (America Online, Inc.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0 -- (America Online, Inc.)
"C:\Program Files\Google\Google Talk\googletalk.exe" = C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk -- (Google)
"C:\Program Files\TurboTax\Deluxe 2006\32bit\ttax.exe" = C:\Program Files\TurboTax\Deluxe 2006\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Deluxe 2006\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Deluxe 2006\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager -- (Intuit, Inc.)
"C:\Program Files\IncrediMail\bin\ImpCnt.exe" = C:\Program Files\IncrediMail\bin\ImpCnt.exe:*:Enabled:IncrediMail -- (IncrediMail, Ltd.)
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)
"C:\WINDOWS\SYSTEM32\FREECELL.EXE" = C:\WINDOWS\SYSTEM32\FREECELL.EXE:*:Enabled:FREECELL -- (Microsoft Corporation)
"C:\WINDOWS\SYSTEM32\wscntfy.exe" = C:\WINDOWS\SYSTEM32\wscntfy.exe:*:Enabled:wscntfy -- (Microsoft Corporation)
"C:\Program Files\eAcceleration\Framework\eac_productsvc.exe" = C:\Program Files\eAcceleration\Framework\eac_productsvc.exe:*:Enabled:eac_productsvc -- File not found
"C:\Program Files\eAcceleration\Framework\eac_svc.exe" = C:\Program Files\eAcceleration\Framework\eac_svc.exe:*:Enabled:eac_svc -- File not found
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Explorer -- (Microsoft Corporation)
"C:\WINDOWS\SYSTEM32\HPZipm12.exe" = C:\WINDOWS\SYSTEM32\HPZipm12.exe:*:Enabled:HPZipm12 -- (HP)
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}" = VC 9.0 Runtime
"{04410044-9149-45C6-A806-F2BF9CFCE762}" = Microsoft Encarta Encyclopedia Standard 2004
"{0456ebd7-5f67-4ab6-852e-63781e3f389c}" = Macromedia Flash Player
"{0594472B-42DC-4E29-A161-2CCC011AE7DE}" = TurboTax 2008 wmniper
"{0611BD4E-4FE4-4a62-B0C0-18A4CC463428}" = CP_Package_Variety1
"{09984AEC-6B9F-4ca7-B78D-CB44D4771DA3}" = Destinations
"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{0F756CD9-4A1E-409B-B101-601DDC4C03AA}" = Qualxserve Service Agreement
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{14374619-0900-4056-BA06-C87C900AF9E6}" = QuickBooks Simple Start Special Edition
"{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7}" = Intel® PROSet for Wired Connections
"{1C139D7D-9FEA-468d-A9C8-2A6E3BDE564A}" = CP_Package_Variety3
"{226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk" = Google Talk (remove only)
"{2637C347-9DAD-11D6-9EA2-00055D0CA761}" = Dell Media Experience
"{29521505-F489-4822-ADFA-32C6DEE4F114}" = TurboTax 2008 WinPerUserEducation
"{2CADCEAB-D5DA-44D6-B5FC-7DEE87AB3C0C}" = Unload
"{2E7595EC-4FB1-4E29-93D4-9083C8A9B107}" = TurboTax ItsDeductible 2005
"{30C19FF2-7FBA-4d09-B9DE-1659977F64F6}" = TrayApp
"{3248F0A8-6813-11D6-A77B-00B0D0150020}" = J2SE Runtime Environment 5.0 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0150040}" = J2SE Runtime Environment 5.0 Update 4
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0150080}" = J2SE Runtime Environment 5.0 Update 8
"{3248F0A8-6813-11D6-A77B-00B0D0150090}" = J2SE Runtime Environment 5.0 Update 9
"{3248F0A8-6813-11D6-A77B-00B0D0150100}" = J2SE Runtime Environment 5.0 Update 10
"{3248F0A8-6813-11D6-A77B-00B0D0150110}" = J2SE Runtime Environment 5.0 Update 11
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{33BEE6F3-9987-4F98-A069-97A64EC8321A}" = Microsoft Works Suite Add-in for Microsoft Word
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35BDEFF1-A610-4956-A00D-15453C116395}" = Internet Explorer Default Page
"{36FDBE6E-6684-462B-AE98-9A39A1B200CC}" = HP Product Assistant
"{3D2778B5-AEB9-483C-AA7C-4857CA048C4A}" = Intellisync® for MSN
"{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}" = Google Earth
"{3E386744-10FA-44b2-98C9-DF7A270DECB3}" = HP PSC & OfficeJet 5.3.A
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = Modem On Hold
"{4192EAC0-6B36-4723-B216-D0E86E7757AC}" = Jasc Paint Shop Photo Album 5
"{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}" = Adobe® Photoshop® Album Starter Edition 3.0
"{4CD67A02-DF59-43f7-8E8F-86DCF40543EF}" = 2570_Help
"{50E7BB78-02B4-469a-9D8B-B2F42835F90E}" = ProductContextNPI
"{5421155F-B033-49DB-9B33-8F80F233D4D5}" = GdiplusUpgrade
"{567C23E1-7580-4185-B8C2-30805677297C}" = NewCopy_CDA
"{56F8AFC3-FA98-4ff1-9673-8A026CBF85BE}" = WebReg
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{5F26311C-B135-4F7F-B11E-8E650F83651E}" = DeviceFunctionQFolder
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.3
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{728278A1-0BB7-45E4-AC5E-91D7C0FD1EDE}" = EarthLink setup files
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{7570F1CA-016D-46AC-B586-CD74645EFB52}" = TurboTax 2008 WinPerFedFormset
"{78C496B9-5A6B-4692-8C2E-AFFFC34E4961}" = Jasc Paint Shop Pro Studio, Dell Editon
"{78D944D7-A97B-4004-AB0A-B5AD06839940}" = My Way Search Assistant
"{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}" = Modem Event Monitor
"{7A3F0566-5E05-4919-9C98-456F6B5CF831}" = Get High Speed Internet!
"{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}" = AnswerWorks 4.0 Runtime - English
"{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{818ABC3C-635C-4651-8183-D0E9640B7DD1}" = HP Update
"{8704D51E-25B7-4F23-81E7-AA4F54790210}" = Microsoft Streets and Trips 2004
"{88214092-836F-4E22-A5AC-569AC9EE6A0F}" = TurboTax 2008 WinPerReleaseEngine
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{901D1286-529B-48A9-8DDD-4A60CF9E9BF1}" = H&R Block Tax Offer
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{911B0409-6000-11D3-8CFE-0050048383C9}" = Microsoft Word 2002
"{923A7F5A-1E8C-4FBE-8DF6-85940A60A79F}" = Readme
"{9455959E-D588-EFAE-329C-F66CC797F32A}" = Adobe Media Player
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow!
"{9DFC9A77-86B4-4139-A4CF-A5E774422D28}" = OLYMPUS USB Reader/Writer
"{9E5A03E3-6246-4920-9630-0527D5DA9B07}" = AnswerWorks 5.0 English Runtime
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A7DEBAA4-B211-4D1A-A6B3-E52BFAAA1D0C}" = Garmin Communicator Plugin
"{A8D91906-4032-4443-8C49-69F90E38F39D}" = 2570
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{AF06CAE4-C134-44B1-B699-14FBDB63BD37}" = Dell Picture Studio v3.0
"{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}" = TurboTax ItsDeductible 2006
"{B1102A25-3AA3-446B-AA0F-A699B07A02FD}" = Garmin USB Drivers
"{B1DB1AD8-C07E-4052-81A1-D2930232BA70}" = TurboTax 2008 wrapper
"{B23726CF-68BF-41A6-A4EB-72F12F87FE05}" = TurboTax 2008 WinPerTaxSupport
"{B276997E-4367-4b1b-A39C-4CAE7464337A}" = AiO_Scan_CDA
"{B4D279F1-4309-49cc-A4B5-3A0D2E59C7B5}" = PanoStandAlone
"{B60E7826-F117-4d26-8165-D2DC5A494AB0}" = Fax_CDA
"{B64E3AFC-59EF-4f18-BF11-E751462450D3}" = AiOSoftwareNPI
"{B824B5C9-849F-4b9e-9EA7-6FD8CD8116DA}" = CP_Package_Variety2
"{B9966F27-9678-4620-9579-925E3084647E}" = Microsoft Works
"{B996AE66-10DB-4ac5-B151-E8B4BFBC42FC}" = BufferChm
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C1E1CA9C-A557-4DCA-90CB-203BCDDC78C3}" = Quicken 2003 Basic
"{C506A18C-1469-4678-B094-F4EC9DAE6DB7}" = Scan
"{C9618743-1A5C-461E-91C4-E013A3D70F3C}" = Adobe® Photoshop® Album Starter Edition 3.0.1
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DBA8B9E1-C6FF-4624-9598-73D3B41A0903}" = Microsoft Picture It! Photo Premium 9
"{E0783143-EAE2-4047-A8D6-E155523C594C}" = Garmin WebUpdater
"{E3F90083-80D4-4b5a-87C7-E97E12F5516D}" = HPProductAssistant
"{E6D9BC25-0DBC-4368-8E4A-7DEE80661CD9}" = TurboTax 2008 WinPerProgramHelp
"{EA103B64-C0E4-4C0E-A506-751590E1653D}" = SolutionCenter
"{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}" = WexTech AnswerWorks
"{EE55FD52-0D47-4c5a-96EC-48F70FF30520}" = 2570Trb
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"Adobe AIR" = Adobe AIR
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"America Online us" = America Online (Choose which version to remove)
"CCleaner" = CCleaner
"Coupon Printer for Windows4.0" = Coupon Printer for Windows
"GalleryPlayer Images" = GalleryPlayer Images
"Google Pack Screensaver" = Google Pack Screensaver
"HijackThis" = HijackThis 2.0.2
"HP Imaging Device Functions" = HP Imaging Device Functions 5.3
"HP Solution Center & Imaging Support Tools" = HP Solution Center & Imaging Support Tools 5.3
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"iLuminaStarter" = iLumina Gold Starter Edition
"InstallShield_{9DFC9A77-86B4-4139-A4CF-A5E774422D28}" = OLYMPUS USB Reader/Writer
"InstallShield_{C1E1CA9C-A557-4DCA-90CB-203BCDDC78C3}" = Quicken 2003 Basic
"Intel® 537EP V9x DF PCI Modem" = Intel® 537EP V9x DF PCI Modem
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.6)" = Mozilla Firefox (3.5.6)
"MSC" = McAfee SecurityCenter
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSNIAWA" = MSN Dial Up Accelerator
"MSNINST" = MSN
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PC Pitstop Optimize2_is1" = PC Pitstop Optimize2 2.0
"Picasa2" = Picasa 2
"PictureIt_v9" = Microsoft Picture It! Photo Premium 9
"PROSet" = Intel® PRO Network Adapters and Drivers
"QuickTime" = QuickTime
"RealPlayer 6.0" = RealPlayer Basic
"RegistryFix_is1" = RegistryFix v6.2
"Shockwave" = Shockwave
"StreetPlugin" = Learn2 Player (Uninstall Only)
"TurboTax 2008" = TurboTax 2008
"TurboTax Deluxe 2007" = TurboTax Deluxe 2007
"TurboTax Deluxe Deduction Maximizer 2006" = TurboTax Deluxe Deduction Maximizer 2006
"Wheel of Fortune" = Wheel of Fortune (remove only)
"Winamp" = Winamp
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Works2004Setup" = Microsoft Works 2004 Setup Launcher
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/10/2010 5:22:54 PM | Computer Name = DCM2R071 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 1/10/2010 5:22:54 PM | Computer Name = DCM2R071 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 1/10/2010 5:22:54 PM | Computer Name = DCM2R071 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 1/10/2010 5:22:54 PM | Computer Name = DCM2R071 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 1/10/2010 5:22:54 PM | Computer Name = DCM2R071 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 1/11/2010 12:35:02 PM | Computer Name = DCM2R071 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 1/11/2010 12:35:02 PM | Computer Name = DCM2R071 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 1/11/2010 12:35:11 PM | Computer Name = DCM2R071 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 1/11/2010 12:35:11 PM | Computer Name = DCM2R071 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 1/11/2010 5:36:26 PM | Computer Name = DCM2R071 | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module Flash10d.ocx, version 10.0.42.34, fault address 0x000e6f80.

[ System Events ]
Error - 1/15/2010 1:10:27 PM | Computer Name = DCM2R071 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 1/15/2010 1:11:02 PM | Computer Name = DCM2R071 | Source = DCOM | ID = 10010
Description = The server {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} did not register
with DCOM within the required timeout.

Error - 1/15/2010 1:11:41 PM | Computer Name = DCM2R071 | Source = Service Control Manager | ID = 7000
Description = The eAcceleration Product Manager Service service failed to start
due to the following error: %%3

Error - 1/15/2010 1:11:41 PM | Computer Name = DCM2R071 | Source = Service Control Manager | ID = 7000
Description = The mrtRate service failed to start due to the following error: %%2

Error - 1/15/2010 1:11:41 PM | Computer Name = DCM2R071 | Source = Service Control Manager | ID = 7000
Description = The eAcceleration Notification Service service failed to start due
to the following error: %%3

Error - 1/20/2010 5:42:30 PM | Computer Name = DCM2R071 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 1/20/2010 5:42:30 PM | Computer Name = DCM2R071 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 1/20/2010 5:43:43 PM | Computer Name = DCM2R071 | Source = Service Control Manager | ID = 7000
Description = The eAcceleration Product Manager Service service failed to start
due to the following error: %%3

Error - 1/20/2010 5:43:43 PM | Computer Name = DCM2R071 | Source = Service Control Manager | ID = 7000
Description = The mrtRate service failed to start due to the following error: %%2

Error - 1/20/2010 5:43:43 PM | Computer Name = DCM2R071 | Source = Service Control Manager | ID = 7000
Description = The eAcceleration Notification Service service failed to start due
to the following error: %%3


< End of report >



#4 myrti

    Sillyberry

  • Malware Study Hall Admin
  • 33,766 posts

Posted 20 January 2010 - 05:07 PM

Please also provide a log from gmer:

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#5 boatman_jack
  • Topic Starter
  • Members
  • 6 posts

Posted 21 January 2010 - 10:00 AM

Here is the GMER.log.


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-21 08:48:55
Windows 5.1.2600 Service Pack 3
Running: vrikk49i.exe; Driver: C:\DOCUME~1\DENNIS~1\LOCALS~1\Temp\kxroapob.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB076378A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xB0763821]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB0763738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB076374C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB0763835]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB0763861]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB07638CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB07638B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB07637CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB07638FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xB076380D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB0763710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB0763724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB076379E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xB0763937]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB07638A3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB076388D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB076384B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xB0763923]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xB076390F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB0763776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB0763762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xB0763877]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB07637F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xB07638E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB07637E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB07637B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 804F0EA6 7 Bytes JMP B07637B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80568EE9 5 Bytes JMP B0763811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryValueKey 8056A382 7 Bytes JMP B0763891 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056F600 5 Bytes JMP B076378E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 80570441 5 Bytes JMP B0763766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateKey 80572E9D 5 Bytes JMP B0763825 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryKey 805732AD 7 Bytes JMP B076393B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateKey 805735A4 7 Bytes JMP B07638D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 805741D0 5 Bytes JMP B0763714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 8057457F 7 Bytes JMP B07637A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 80578606 5 Bytes JMP B07637E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80578A81 7 Bytes JMP B07637CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetValueKey 80579A43 7 Bytes JMP B076387B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 80581030 7 Bytes JMP B0763750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805836B0 5 Bytes JMP B07637FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058B58D 5 Bytes JMP B0763728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 8058BA5D 5 Bytes JMP B07638FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateValueKey 80590669 7 Bytes JMP B07638BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80592D50 7 Bytes JMP B0763865 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 805952BE 7 Bytes JMP B0763839 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B136A 5 Bytes JMP B076373C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062DD47 5 Bytes JMP B076377A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 8064DA6E 7 Bytes JMP B07638E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 8064E394 7 Bytes JMP B07638A7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8064E812 7 Bytes JMP B076384F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRestoreKey 8064ED05 5 Bytes JMP B0763913 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwReplaceKey 8064F16E 5 Bytes JMP B0763927 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF74BE7A8]
init C:\WINDOWS\system32\DRIVERS\mohfilt.sys entry point in "init" section [0xF77BA760]
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xB9873F80]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[556] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006D0000
.text C:\WINDOWS\system32\svchost.exe[556] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006D0F63
.text C:\WINDOWS\system32\svchost.exe[556] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006D0058
.text C:\WINDOWS\system32\svchost.exe[556] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006D0F7E
.text C:\WINDOWS\system32\svchost.exe[556] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006D0F9B
.text C:\WINDOWS\system32\svchost.exe[556] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006D0033
.text C:\WINDOWS\system32\svchost.exe[556] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006D0F21
.text C:\WINDOWS\system32\svchost.exe[556] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006D0069
.text C:\WINDOWS\system32\svchost.exe[556] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006D0EFC
.text C:\WINDOWS\system32\svchost.exe[556] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006D0095
.text C:\WINDOWS\system32\svchost.exe[556] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006D0EE1
.text C:\WINDOWS\system32\svchost.exe[556] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006D0FAC
.text C:\WINDOWS\system32\svchost.exe[556] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006D0011
.text C:\WINDOWS\system32\svchost.exe[556] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006D0F48
.text C:\WINDOWS\system32\svchost.exe[556] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006D0022
.text C:\WINDOWS\system32\svchost.exe[556] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006D0FDB
.text C:\WINDOWS\system32\svchost.exe[556] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006D0084
.text C:\WINDOWS\system32\svchost.exe[556] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006A0FCD
.text C:\WINDOWS\system32\svchost.exe[556] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006A006F
.text C:\WINDOWS\system32\svchost.exe[556] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006A0FDE
.text C:\WINDOWS\system32\svchost.exe[556] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006A0014
.text C:\WINDOWS\system32\svchost.exe[556] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006A005E
.text C:\WINDOWS\system32\svchost.exe[556] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006A0FEF
.text C:\WINDOWS\system32\svchost.exe[556] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 006A0043
.text C:\WINDOWS\system32\svchost.exe[556] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006A0FBC
.text C:\WINDOWS\system32\svchost.exe[556] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0069004C
.text C:\WINDOWS\system32\svchost.exe[556] msvcrt.dll!system 77C293C7 5 Bytes JMP 00690031
.text C:\WINDOWS\system32\svchost.exe[556] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00690016
.text C:\WINDOWS\system32\svchost.exe[556] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00690FEF
.text C:\WINDOWS\system32\svchost.exe[556] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00690FC1
.text C:\WINDOWS\system32\svchost.exe[556] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00690FDE
.text C:\WINDOWS\system32\svchost.exe[556] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00670000
.text C:\WINDOWS\system32\svchost.exe[556] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00670FEF
.text C:\WINDOWS\system32\svchost.exe[556] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00670FD4
.text C:\WINDOWS\system32\svchost.exe[556] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00670FC3
.text C:\WINDOWS\system32\svchost.exe[556] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00680FEF
.text C:\WINDOWS\system32\services.exe[712] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\services.exe[712] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FF0F61
.text C:\WINDOWS\system32\services.exe[712] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FF0056
.text C:\WINDOWS\system32\services.exe[712] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FF0045
.text C:\WINDOWS\system32\services.exe[712] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FF0028
.text C:\WINDOWS\system32\services.exe[712] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FF0F97
.text C:\WINDOWS\system32\services.exe[712] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FF0F3A
.text C:\WINDOWS\system32\services.exe[712] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FF0082
.text C:\WINDOWS\system32\services.exe[712] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FF0EF0
.text C:\WINDOWS\system32\services.exe[712] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FF0093
.text C:\WINDOWS\system32\services.exe[712] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FF00A4
.text C:\WINDOWS\system32\services.exe[712] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FF0F86
.text C:\WINDOWS\system32\services.exe[712] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FF0FCA
.text C:\WINDOWS\system32\services.exe[712] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FF0071
.text C:\WINDOWS\system32\services.exe[712] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FF0FA8
.text C:\WINDOWS\system32\services.exe[712] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FF0FB9
.text C:\WINDOWS\system32\services.exe[712] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FF0F1F
.text C:\WINDOWS\system32\services.exe[712] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[712] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00070091
.text C:\WINDOWS\system32\services.exe[712] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[712] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0007001B
.text C:\WINDOWS\system32\services.exe[712] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00070076
.text C:\WINDOWS\system32\services.exe[712] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[712] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00070065
.text C:\WINDOWS\system32\services.exe[712] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0007004A
.text C:\WINDOWS\system32\services.exe[712] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00060F9A
.text C:\WINDOWS\system32\services.exe[712] msvcrt.dll!system 77C293C7 5 Bytes JMP 00060FB5
.text C:\WINDOWS\system32\services.exe[712] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00060FC6
.text C:\WINDOWS\system32\services.exe[712] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[712] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00060025
.text C:\WINDOWS\system32\services.exe[712] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00060FD7
.text C:\WINDOWS\system32\services.exe[712] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\services.exe[712] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00040FD4
.text C:\WINDOWS\system32\services.exe[712] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\services.exe[712] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00040FAF
.text C:\WINDOWS\system32\services.exe[712] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\lsass.exe[724] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D4000A
.text C:\WINDOWS\system32\lsass.exe[724] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D400A4
.text C:\WINDOWS\system32\lsass.exe[724] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D40093
.text C:\WINDOWS\system32\lsass.exe[724] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D40FAF
.text C:\WINDOWS\system32\lsass.exe[724] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D40062
.text C:\WINDOWS\system32\lsass.exe[724] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D40047
.text C:\WINDOWS\system32\lsass.exe[724] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D400DC
.text C:\WINDOWS\system32\lsass.exe[724] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D400CB
.text C:\WINDOWS\system32\lsass.exe[724] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D40F68
.text C:\WINDOWS\system32\lsass.exe[724] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D400F7
.text C:\WINDOWS\system32\lsass.exe[724] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D4011C
.text C:\WINDOWS\system32\lsass.exe[724] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D40FC0
.text C:\WINDOWS\system32\lsass.exe[724] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D40025
.text C:\WINDOWS\system32\lsass.exe[724] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D40F94
.text C:\WINDOWS\system32\lsass.exe[724] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D40FE5
.text C:\WINDOWS\system32\lsass.exe[724] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D40036
.text C:\WINDOWS\system32\lsass.exe[724] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D40F79
.text C:\WINDOWS\system32\lsass.exe[724] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D10FC3
.text C:\WINDOWS\system32\lsass.exe[724] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D10F6F
.text C:\WINDOWS\system32\lsass.exe[724] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D10FD4
.text C:\WINDOWS\system32\lsass.exe[724] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D1000A
.text C:\WINDOWS\system32\lsass.exe[724] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D10036
.text C:\WINDOWS\system32\lsass.exe[724] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D10FEF
.text C:\WINDOWS\system32\lsass.exe[724] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D10F9E
.text C:\WINDOWS\system32\lsass.exe[724] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F1, 88]
.text C:\WINDOWS\system32\lsass.exe[724] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D10025
.text C:\WINDOWS\system32\lsass.exe[724] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D00F92
.text C:\WINDOWS\system32\lsass.exe[724] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D00FB7
.text C:\WINDOWS\system32\lsass.exe[724] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D00FD2
.text C:\WINDOWS\system32\lsass.exe[724] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D00FEF
.text C:\WINDOWS\system32\lsass.exe[724] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D00027
.text C:\WINDOWS\system32\lsass.exe[724] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D0000C
.text C:\WINDOWS\system32\lsass.exe[724] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CF000A
.text C:\WINDOWS\system32\lsass.exe[724] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00CE0FEF
.text C:\WINDOWS\system32\lsass.exe[724] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00CE0000
.text C:\WINDOWS\system32\lsass.exe[724] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00CE0011
.text C:\WINDOWS\system32\lsass.exe[724] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00CE002C
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 026D000A
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 026D0F68
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 026D0F79
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 026D0F8A
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 026D0047
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 026D0FC0
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 026D0089
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 026D0078
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 026D0EF0
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 026D0F01
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 026D00A4
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 026D0FA5
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 026D001B
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 026D0F4D
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 026D0FD1
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 026D002C
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 026D0F1C
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 026C002F
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 026C0FA8
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 026C0FDE
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 026C0FEF
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 026C0065
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 026C000A
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 026C0FB9
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [8C, 8A]
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 026C0040
.text C:\WINDOWS\system32\svchost.exe[904] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 009B000A
.text C:\WINDOWS\system32\svchost.exe[904] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 026B0FCD
.text C:\WINDOWS\system32\svchost.exe[904] msvcrt.dll!system 77C293C7 5 Bytes JMP 026B004E
.text C:\WINDOWS\system32\svchost.exe[904] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 026B0022
.text C:\WINDOWS\system32\svchost.exe[904] msvcrt.dll!_open 77C2F566 5 Bytes JMP 026B0000
.text C:\WINDOWS\system32\svchost.exe[904] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 026B003D
.text C:\WINDOWS\system32\svchost.exe[904] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 026B0011
.text C:\WINDOWS\system32\svchost.exe[904] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02670FEF
.text C:\WINDOWS\system32\svchost.exe[904] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0267000A
.text C:\WINDOWS\system32\svchost.exe[904] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 02670FD4
.text C:\WINDOWS\system32\svchost.exe[904] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 02670FC3
.text C:\WINDOWS\system32\svchost.exe[904] WS2_32.dll!socket 71AB4211 5 Bytes JMP 026A0FEF
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01020000
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0102006C
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01020051
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01020F83
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01020F94
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01020FB9
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01020F3F
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01020F50
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010200D8
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 010200BD
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01020F24
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01020036
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01020FDB
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01020087
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01020FCA
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0102001B
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 010200A2
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01010036
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01010065
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01010025
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0101000A
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01010FA8
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01010FEF
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01010FB9
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [21, 89]
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01010FCA
.text C:\WINDOWS\system32\svchost.exe[1000] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FF0FC1
.text C:\WINDOWS\system32\svchost.exe[1000] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FF004C
.text C:\WINDOWS\system32\svchost.exe[1000] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FF0027
.text C:\WINDOWS\system32\svchost.exe[1000] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\svchost.exe[1000] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FF0FD2
.text C:\WINDOWS\system32\svchost.exe[1000] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\svchost.exe[1000] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00FD0FE5
.text C:\WINDOWS\system32\svchost.exe[1000] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00FD0FD4
.text C:\WINDOWS\system32\svchost.exe[1000] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00FD000A
.text C:\WINDOWS\system32\svchost.exe[1000] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00FD0025
.text C:\WINDOWS\system32\svchost.exe[1000] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D60000
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D6009F
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D60084
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D60069
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D60FB6
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D6003D
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D600BA
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D60F7E
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D60F21
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D60F32
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D60EFC
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D6004E
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D60011
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D60F8F
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D60022
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D60FD1
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D60F57
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D5002C
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D50F8A
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D50FDB
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D50011
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D50047
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D50000
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D50FA5
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F5, 88]
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D50FC0
.text C:\WINDOWS\system32\svchost.exe[1044] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006E0FB7
.text C:\WINDOWS\system32\svchost.exe[1044] msvcrt.dll!system 77C293C7 5 Bytes JMP 006E0FC8
.text C:\WINDOWS\system32\svchost.exe[1044] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006E001D
.text C:\WINDOWS\system32\svchost.exe[1044] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006E0000
.text C:\WINDOWS\system32\svchost.exe[1044] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006E002E
.text C:\WINDOWS\system32\svchost.exe[1044] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006E0FE3
.text C:\WINDOWS\system32\svchost.exe[1044] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 006D0000
.text C:\WINDOWS\system32\svchost.exe[1044] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 006D001B
.text C:\WINDOWS\system32\svchost.exe[1044] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 006D002C
.text C:\WINDOWS\system32\svchost.exe[1044] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 006D0FE5
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03710FE5
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03710089
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03710F94
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03710FAF
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03710062
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03710040
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03710F79
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 037100C1
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 03710F1E
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 03710F43
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 03710F03
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 03710051
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 03710000
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 037100A4
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 03710025
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 03710FCA
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 03710F5E
.text C:\WINDOWS\System32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03700036
.text C:\WINDOWS\System32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03700FA5
.text C:\WINDOWS\System32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0370001B
.text C:\WINDOWS\System32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 03700000
.text C:\WINDOWS\System32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 03700062
.text C:\WINDOWS\System32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 03700FEF
.text C:\WINDOWS\System32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 03700051
.text C:\WINDOWS\System32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 03700FCA
.text C:\WINDOWS\System32\svchost.exe[1132] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 036F0062
.text C:\WINDOWS\System32\svchost.exe[1132] msvcrt.dll!system 77C293C7 5 Bytes JMP 036F003D
.text C:\WINDOWS\System32\svchost.exe[1132] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 036F0FDE
.text C:\WINDOWS\System32\svchost.exe[1132] msvcrt.dll!_open 77C2F566 5 Bytes JMP 036F000C
.text C:\WINDOWS\System32\svchost.exe[1132] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 036F0FCD
.text C:\WINDOWS\System32\svchost.exe[1132] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 036F0FEF
.text C:\WINDOWS\System32\svchost.exe[1132] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 036D0FE5
.text C:\WINDOWS\System32\svchost.exe[1132] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 036D0FD4
.text C:\WINDOWS\System32\svchost.exe[1132] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 036D0FB9
.text C:\WINDOWS\System32\svchost.exe[1132] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 036D0014
.text C:\WINDOWS\System32\svchost.exe[1132] WS2_32.dll!socket 71AB4211 5 Bytes JMP 036E0FE5
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AA0FEF
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00AA0F6F
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00AA006E
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00AA0F94
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00AA0047
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00AA0FAF
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00AA009A
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00AA0F5E
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00AA0F1C
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00AA00AB
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00AA0F0B
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00AA0036
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00AA0000
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00AA0089
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00AA0FCA
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00AA001B
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00AA0F2D
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A90036
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A9008E
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A90FE5
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A90011
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A90073
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A90000
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00A90062
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A90051
.text C:\WINDOWS\system32\svchost.exe[1244] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A80053
.text C:\WINDOWS\system32\svchost.exe[1244] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A80038
.text C:\WINDOWS\system32\svchost.exe[1244] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A8001D
.text C:\WINDOWS\system32\svchost.exe[1244] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A80FEF
.text C:\WINDOWS\system32\svchost.exe[1244] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A80FC8
.text C:\WINDOWS\system32\svchost.exe[1244] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A8000C
.text C:\WINDOWS\system32\svchost.exe[1244] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 006D0000
.text C:\WINDOWS\system32\svchost.exe[1244] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 006D001B
.text C:\WINDOWS\system32\svchost.exe[1244] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 006D0FDB
.text C:\WINDOWS\system32\svchost.exe[1244] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 006D0FCA
.text C:\WINDOWS\system32\svchost.exe[1244] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006E0FEF
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EB0000
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EB0075
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EB0064
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EB0047
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EB0F8A
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EB0FA5
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EB00AD
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EB0086
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EB0F40
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EB00D9
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EB0F25
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EB002C
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EB0FE5
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EB0F5B
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EB0FC0
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EB0011
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EB00C8
.text C:\WINDOWS\system32\svchost.exe[1464] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EA0036
.text C:\WINDOWS\system32\svchost.exe[1464] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EA0F8D
.text C:\WINDOWS\system32\svchost.exe[1464] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EA0FE5
.text C:\WINDOWS\system32\svchost.exe[1464] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EA0011
.text C:\WINDOWS\system32\svchost.exe[1464] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EA0F9E
.text C:\WINDOWS\system32\svchost.exe[1464] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EA0000
.text C:\WINDOWS\system32\svchost.exe[1464] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00EA0FB9
.text C:\WINDOWS\system32\svchost.exe[1464] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [0A, 89]
.text C:\WINDOWS\system32\svchost.exe[1464] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EA0FD4
.text C:\WINDOWS\system32\svchost.exe[1464] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E90F9C
.text C:\WINDOWS\system32\svchost.exe[1464] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E90FAD
.text C:\WINDOWS\system32\svchost.exe[1464] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E9000C
.text C:\WINDOWS\system32\svchost.exe[1464] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E90FE3
.text C:\WINDOWS\system32\svchost.exe[1464] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E90027
.text C:\WINDOWS\system32\svchost.exe[1464] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E90FD2
.text C:\WINDOWS\system32\svchost.exe[1464] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 006D000A
.text C:\WINDOWS\system32\svchost.exe[1464] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 006D0FEF
.text C:\WINDOWS\system32\svchost.exe[1464] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 006D0FDE
.text C:\WINDOWS\system32\svchost.exe[1464] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 006D0FCD
.text C:\WINDOWS\system32\svchost.exe[1464] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006E0000
.text C:\WINDOWS\Explorer.EXE[1540] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01410000
.text C:\WINDOWS\Explorer.EXE[1540] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01410087
.text C:\WINDOWS\Explorer.EXE[1540] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0141006C
.text C:\WINDOWS\Explorer.EXE[1540] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0141005B
.text C:\WINDOWS\Explorer.EXE[1540] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0141004A
.text C:\WINDOWS\Explorer.EXE[1540] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01410FB9
.text C:\WINDOWS\Explorer.EXE[1540] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01410F4B
.text C:\WINDOWS\Explorer.EXE[1540] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01410F5C
.text C:\WINDOWS\Explorer.EXE[1540] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 014100D3
.text C:\WINDOWS\Explorer.EXE[1540] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 014100B8
.text C:\WINDOWS\Explorer.EXE[1540] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 014100E4
.text C:\WINDOWS\Explorer.EXE[1540] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01410FA8
.text C:\WINDOWS\Explorer.EXE[1540] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01410011
.text C:\WINDOWS\Explorer.EXE[1540] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01410F6D
.text C:\WINDOWS\Explorer.EXE[1540] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01410FD4
.text C:\WINDOWS\Explorer.EXE[1540] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01410FE5
.text C:\WINDOWS\Explorer.EXE[1540] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01410F3A
.text C:\WINDOWS\Explorer.EXE[1540] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01400FA8
.text C:\WINDOWS\Explorer.EXE[1540] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01400F57
.text C:\WINDOWS\Explorer.EXE[1540] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01400FC3
.text C:\WINDOWS\Explorer.EXE[1540] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01400FD4
.text C:\WINDOWS\Explorer.EXE[1540] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01400F72
.text C:\WINDOWS\Explorer.EXE[1540] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01400FEF
.text C:\WINDOWS\Explorer.EXE[1540] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01400014
.text C:\WINDOWS\Explorer.EXE[1540] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01400F97
.text C:\WINDOWS\Explorer.EXE[1540] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 013F0031
.text C:\WINDOWS\Explorer.EXE[1540] msvcrt.dll!system 77C293C7 5 Bytes JMP 013F0F9C
.text C:\WINDOWS\Explorer.EXE[1540] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 013F0FC1
.text C:\WINDOWS\Explorer.EXE[1540] msvcrt.dll!_open 77C2F566 5 Bytes JMP 013F0FEF
.text C:\WINDOWS\Explorer.EXE[1540] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 013F000C
.text C:\WINDOWS\Explorer.EXE[1540] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 013F0FDE
.text C:\WINDOWS\Explorer.EXE[1540] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\Explorer.EXE[1540] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00FE0FDE
.text C:\WINDOWS\Explorer.EXE[1540] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00FE000A
.text C:\WINDOWS\Explorer.EXE[1540] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00FE0025
.text C:\WINDOWS\Explorer.EXE[1540] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FF0FEF
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1852] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1852] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\intelppm.sys[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\ks.sys[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\System32\Drivers\Modem.SYS[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\fdc.sys[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\kbdclass.sys[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\mouclass.sys[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\serial.sys[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\serenum.sys[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\parport.sys[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\redbook.sys[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\imapi.sys[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\drivers\portcls.sys[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\audstub.sys[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\ndistapi.sys[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F7B3B262] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F7B3B2B8] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F7B3B52A] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F7B3B500] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F7B3B500] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F7B3B2B8] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F7B3B262] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F7B3B52A] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F7B3B52A] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F7B3B500] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F7B3B2B8] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F7B3B262] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\msgpc.sys[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\termdd.sys[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\swenum.sys[NTOSKRNL.EXE!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\update.sys[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\mssmbios.sys[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F7B3B500] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F7B3B52A] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F7B3B262] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F7B3B2B8] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\usbhub.sys[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\drivers\MODEMCSA.sys[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\flpydisk.sys[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\System32\Drivers\i2omgmt.SYS[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\System32\Drivers\Fs_Rec.SYS[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\System32\Drivers\Null.SYS[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\System32\Drivers\Beep.SYS[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\System32\Drivers\Msfs.SYS[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\System32\Drivers\Npfs.SYS[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\rasacd.sys[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\ipsec.sys[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F7B3B262] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F7B3B2B8] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F7B3B500] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\System32\DRIVERS\ipfltdrv.sys[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\System32\drivers\ws2ifsl.sys[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\netbios.sys[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\rdbss.sys[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\mrxsmb.sys[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\System32\Drivers\Fips.SYS[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F7B3B52A] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F7B3B500] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F7B3B2B8] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F7B3B262] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\System32\Drivers\Cdfs.SYS[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F7B3B500] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F7B3B52A] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F7B3B262] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F7B3B2B8] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\drivers\wdmaud.sys[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\drivers\sysaudio.sys[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\System32\Drivers\Fastfat.SYS[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\mrxdav.sys[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\System32\Drivers\HTTP.sys[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\drivers\kmixer.sys[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \Driver\00000173 -> \Driver\atapi \Device\Harddisk0\DR0 8A6B946E

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:05:13 AM

Posted 22 January 2010 - 11:10 AM

Hi,

you have been infected by a nasty rootkit. It is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


If you decide to clean, then please run ComboFix and post the log in your next reply:

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+
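The GMER output earlier in the thread and the assessment above rest on two entries that stand out from the dozens of vendor-attributed hooks: a driver object named only by eight hex digits (\Driver\00000173) redirecting \Driver\atapi's physical disk device, and atapi.sys flagged with "suspicious modification". The following script is an added example, not part of the thread and not GMER's own code: it parses lines laid out like that log, sets aside hooks attributed to the security drivers the DDS header shows as installed (StopSign's fwcore.sys, McAfee's Mpfp.sys and mfehidk.sys), and reports the entries that point at a rootkit. The module list, the bucket names and the sample lines are this example's own constructions.

```python
"""Triage of GMER log lines.

Added example; not part of the thread and not GMER's own code. Lines are
sorted into hooks that are expected (attributed to a security product the
user installed), lines that need a look (attributed to some other vendor,
or not parsed), and the two indicator types a disk-level rootkit leaves in
GMER output: an anonymously named driver object sitting between atapi and
the physical disk, and a system file GMER marks as modified.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the same layout as the posted log (raw string, so
# the single backslashes survive). The last two lines are the indicators.
SAMPLE_LOG = r"""
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F7B3B2B8] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\System32\Drivers\HTTP.sys[ntoskrnl.exe!IoCreateDevice] [F7B3BA72] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \Driver\00000173 -> \Driver\atapi \Device\Harddisk0\DR0 8A6B946E
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
"""

# Modules whose hooks are expected because the products are installed
# (StopSign firewall, McAfee). Assumption for first-pass triage: the module
# name alone is enough to attribute a hook; GMER prints it as the last token
# before the "(Description/Vendor)" field.
KNOWN_SECURITY_MODULES = {"fwcore.sys", "mpfp.sys", "mfehidk.sys"}

# A legitimate driver object carries its service name (\Driver\atapi). An
# object named only by eight hex digits has no service behind it; GMER shows
# it redirecting the real driver's device, here the first physical disk.
ANON_DRIVER = re.compile(
    r"^Device\s+(\\Driver\\[0-9A-Fa-f]{8})\s+->\s+(\\Driver\\\S+)\s+(\\Device\\\S+)")
# Hook/attach lines end with "<module>.sys (Description/Vendor)".
ATTRIBUTED = re.compile(
    r"^(?:IAT|SSDT|AttachedDevice|Device)\s+.*?\s(\S+\.sys)\s+\(", re.IGNORECASE)


def disk_stack_hijacks(log_text: str) -> List[Tuple[str, str, str]]:
    """(anonymous object, real driver, device) for every redirected device."""
    return [m.groups() for m in map(ANON_DRIVER.match, log_text.splitlines()) if m]


def triage(log_text: str) -> Dict[str, List[str]]:
    """Sort lines into 'expected', 'review' and 'suspicious' buckets."""
    buckets: Dict[str, List[str]] = {"expected": [], "review": [], "suspicious": []}
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("----"):
            continue
        if ANON_DRIVER.match(line) or (
                line.startswith("File ") and line.endswith("suspicious modification")):
            buckets["suspicious"].append(line)
            continue
        m = ATTRIBUTED.match(line)
        if m and m.group(1).lower() in KNOWN_SECURITY_MODULES:
            buckets["expected"].append(line)
        else:
            buckets["review"].append(line)  # other vendor, or a line shape not handled
    return buckets


if __name__ == "__main__":
    for name, lines in triage(SAMPLE_LOG).items():
        print(f"{name}: {len(lines)}")
    for anon, real, dev in disk_stack_hijacks(SAMPLE_LOG):
        print(f"{anon} is standing in for {real} on {dev}")
```

Run against the full log, the script leaves the long run of fwcore.sys IAT entries in the expected bucket (a firewall that hooks IoCreateDevice and the NDIS protocol registration calls is noisy but attributable), and prints the atapi redirection and the modified-file line as the findings worth acting on.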


#7 boatman_jack

boatman_jack
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:13 PM

Posted 23 January 2010 - 12:41 PM

Thank You for confirming my suspicions. I will be doing a reformat and OS rebuild. One more question. Do the pictures or data files from the apps on this machine pose any threat?

#8 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:05:13 AM

Posted 23 January 2010 - 02:14 PM

Hi,

no, they don't. You only need to be careful with executable files.
You can back up all your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to back up any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, and .html) because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executable files inside them as some types of malware can penetrate and infect .exe files within compressed files too.

regards myrti

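The reply above gives a rule set for what to carry off a compromised machine. The script below is an added example (not from the thread) that applies those rules to a directory tree and adds one check the reply does not mention: it reads the first bytes of every file and of every archive member, so an executable renamed to .jpg or packed into a .zip under a harmless name is still skipped. The sample files are constructed in a temporary directory; the extension lists beyond those named in the reply, and the "inspect" bucket for archive types the standard library cannot open, are this example's choices.

```python
"""Classify files for a backup taken from a compromised PC.

Added example, not from the thread. Buckets: 'copy' (documents, photos),
'skip' (executables by extension or by PE/DOS 'MZ' header, script and
autorun files, archives containing any of those) and 'inspect' (archive
formats this script cannot open, so a person has to look).
"""
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List

# Extensions named in the reply, plus a few more executable/script types
# (an addition of this example).
SKIP_EXT = {".exe", ".scr", ".ini", ".php", ".asp", ".html", ".htm",
            ".com", ".dll", ".sys", ".bat", ".cmd", ".vbs", ".js"}
INSPECT_EXT = {".cab", ".rar", ".7z"}   # not readable with the standard library
EXE_MAGIC = b"MZ"                      # DOS/PE header shared by .exe, .dll, .scr, .sys


def looks_executable(head: bytes) -> bool:
    return head.startswith(EXE_MAGIC)


def classify(path: Path) -> str:
    """Return 'copy', 'skip' or 'inspect' for one file."""
    ext = path.suffix.lower()
    with open(path, "rb") as fh:
        head = fh.read(8)
    if ext in SKIP_EXT or looks_executable(head):
        return "skip"
    if ext == ".zip":
        try:
            with zipfile.ZipFile(path) as zf:
                for member in zf.namelist():
                    if member.endswith("/"):
                        continue
                    if Path(member).suffix.lower() in SKIP_EXT:
                        return "skip"
                    with zf.open(member) as mf:        # sniff the member's header too
                        if looks_executable(mf.read(2)):
                            return "skip"
        except zipfile.BadZipFile:
            return "inspect"
        return "copy"
    if ext in INSPECT_EXT:
        return "inspect"
    return "copy"


def plan_backup(root: Path) -> Dict[str, List[str]]:
    plan: Dict[str, List[str]] = {"copy": [], "skip": [], "inspect": []}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            plan[classify(p)].append(p.relative_to(root).as_posix())
    return plan


def build_sample_tree(root: Path) -> None:
    """Constructed sample data, not from the thread."""
    (root / "photos").mkdir()
    (root / "photos" / "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0" + bytes(16))
    (root / "letter.doc").write_bytes(b"\xd0\xcf\x11\xe0" + bytes(16))
    (root / "notes.txt").write_text("remember to renew the domain")
    (root / "setup.exe").write_bytes(EXE_MAGIC + b"\x90" * 30)
    (root / "vacation.jpg").write_bytes(EXE_MAGIC + b"\x90" * 30)   # renamed executable
    with zipfile.ZipFile(root / "docs.zip", "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4\n")
    with zipfile.ZipFile(root / "tools.zip", "w") as zf:
        zf.writestr("readme.txt", "tools")
        zf.writestr("helper.bin", EXE_MAGIC + b"\x90" * 10)        # executable, odd name
    (root / "old.rar").write_bytes(b"Rar!\x1a\x07\x00")


def demo() -> Dict[str, List[str]]:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return plan_backup(root)


if __name__ == "__main__":
    for bucket, files in demo().items():
        print(bucket, files)
```

The header check matters more than the extension list: an infected machine may well have dropped executables with document-like names, and a .zip that passes the name test can still carry an MZ-headed member. Anything in the inspect bucket is opened on the clean machine with the archive tool of choice, not on the compromised one.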


#9 boatman_jack

boatman_jack
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:13 PM

Posted 26 January 2010 - 11:19 AM

As I am getting ready to reformat and reinstall the OS I noticed that there are 2 additional partitions besides the C: drive. One is a FAT16 EISA configuration partition. These I have seen before and I believe should be left alone. There is a second partition that is FAT32, 3.9 GB, and is noted as Concurrent DOS, CTO. I have not ever seen a partition such as this and do not know if it poses a threat. This is a Dell desktop Dimension 3000. Any input on this?

#10 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:05:13 AM

Posted 27 January 2010 - 07:04 AM

Hi,

the Concurrent DOS partition is a ghost image of your operating system I believe. It is a partition that was created by Dell before you bought the PC, from which you can (or did) create your recovery CDs for the PC. I would leave it alone.

regards myrti

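Labels such as "EISA configuration" and "Concurrent DOS, CTOS" are names a partition tool attaches to the one-byte type ID in the MBR partition table; reading that byte directly, together with the partition's start sector and size, is the way to check what a tool is calling the partition before deciding what to do with it. The parser below is an added example, not from the thread. Its sample MBR is constructed to resemble the layout described above (a small FAT16 utility partition, a ~3.9 GB restore partition, a large bootable NTFS system partition); the start sectors and sizes are invented. The type-ID names come from the commonly published MBR partition type list; which of those IDs a particular Dell utility or Windows tool labels "EISA Configuration" or "Concurrent DOS, CTOS" is an assumption of this example.

```python
"""Parse the MBR partition table and name each partition by its type ID.

Added example, not from the thread. The 16-byte entry layout (status byte,
CHS start, type byte, CHS end, LBA start, sector count) and the 0x55AA
signature are the documented MBR format; the sample sector is constructed.
"""
import struct
from typing import List, NamedTuple

SECTOR = 512
TABLE_OFFSET = 446

# Subset of the commonly published MBR partition type IDs.
TYPE_NAMES = {
    0x04: "FAT16 <32M", 0x06: "FAT16", 0x0E: "FAT16 LBA",
    0x07: "NTFS/HPFS/exFAT",
    0x0B: "FAT32", 0x0C: "FAT32 LBA",
    0x12: "Compaq diagnostics / EISA configuration",
    0xDB: "CP/M / Concurrent DOS / CTOS",
    0xDE: "Dell utility",
}


class Partition(NamedTuple):
    index: int
    bootable: bool
    type_id: int
    start_lba: int
    sectors: int

    @property
    def name(self) -> str:
        return TYPE_NAMES.get(self.type_id, "unknown (0x%02X)" % self.type_id)

    @property
    def size_gb(self) -> float:
        return self.sectors * SECTOR / 1024 ** 3


def parse_mbr(mbr: bytes) -> List[Partition]:
    """Return the non-empty entries of the four-slot partition table."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR sector (bad length or signature)")
    parts: List[Partition] = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, type_id, start_lba, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if type_id == 0x00:          # empty slot
            continue
        parts.append(Partition(i, status == 0x80, type_id, start_lba, sectors))
    return parts


def read_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a raw disk. Windows device path shown (needs an
    elevated prompt); on Linux use e.g. /dev/sda. Not called by the demo."""
    with open(device, "rb") as fh:
        return fh.read(SECTOR)


def build_sample_mbr() -> bytes:
    """Constructed 512-byte MBR, not read from a real disk."""
    def entry(status: int, type_id: int, start: int, count: int) -> bytes:
        return struct.pack("<B3xB3xII", status, type_id, start, count)
    table = (entry(0x00, 0xDE, 63, 80262)              # ~39 MB utility partition
             + entry(0x00, 0xDB, 80325, 8177085)       # ~3.9 GB restore partition
             + entry(0x80, 0x07, 8257410, 304000000)   # ~145 GB bootable NTFS
             + bytes(16))                              # empty fourth slot
    return bytes(TABLE_OFFSET) + table + b"\x55\xaa"


if __name__ == "__main__":
    for p in parse_mbr(build_sample_mbr()):
        flag = "*" if p.bootable else " "
        print(f"{flag} #{p.index} type 0x{p.type_id:02X} {p.name:<40} "
              f"start {p.start_lba:>10} size {p.size_gb:6.2f} GB")
```

On the real disk, run `parse_mbr(read_mbr())` from an elevated prompt and compare the type byte and size of each entry with what the partition tool reported; the FAT32 flag the user saw is a property of the file system inside the partition, the type byte is what the tool's label is derived from, and the two need not agree.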


#11 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:05:13 AM

Posted 05 February 2010 - 03:54 PM

Since the issue seems resolved, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti





