
Security Tool - Lsas.Blaster.keyloger


  • This topic is locked
10 replies to this topic

#1 mat58

mat58

  • Members
  • 235 posts
  • OFFLINE
  • Gender:Female
  • Location:Mesa, AZ
  • Local time:06:05 PM

Posted 10 March 2010 - 08:38 PM

Friend called me tonight - her PC is infected and she's not sure what to do.
The only thing on the screen was Security Tool with a message about "apmsgfwd.exe" and stealing credit card info.
It also mentioned something about lsas.blaster.keyloger

I went into SAFE mode, loaded Malwarebytes (using a different name) from my flash drive, ran it and it eradicated 3 items from "Security Tool". Just knowing that it seems too good to be true, could someone help me to verify whether the PC is clean or not? I'm including a HijackThis log.

PC is a Dell Inspiron 1525 running Vista Service Pack 1. McAfee Internet Security (provided by Cox).



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:25:12 PM, on 3/10/2010

Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://phoenix.cox.net/cci/home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo2.walgreens.com/WalgreensActivia.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: WebEx Service Host for Support Center (atashost) - WebEx Communications, Inc. - C:\Windows\system32\atashost.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.9.911.3589 (GoogleDesktopManager-110309-193829) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 12274 bytes




#2 mat58

mat58
  • Topic Starter

  • Members
  • 235 posts
  • OFFLINE
  • Gender:Female
  • Location:Mesa, AZ
  • Local time:06:05 PM

Posted 10 March 2010 - 11:59 PM

This was the MALWAREBYTES log:

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 6.0.6001 Service Pack 1 (Safe Mode)
Internet Explorer 8.0.6001.18882

3/10/2010 5:26:02 PM
mbam-log-2010-03-10 (17-26-02).txt

Scan type: Quick Scan
Objects scanned: 97225
Time elapsed: 4 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\70574932 (Rogue.Multiple.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\ProgramData\70574932 (Rogue.Multiple.H) -> Quarantined and deleted successfully.

Files Infected:
C:\ProgramData\70574932\70574932.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Users\Larry and Katherine\Desktop\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Users\Larry and Katherine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
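
The Malwarebytes log above shows what the rogue's persistence looked like: a Run value whose name is just a number (70574932) pointing at an executable of the same name under C:\ProgramData. The HijackThis log in the first post lists every O4 autorun in the same one-line format. As an added example (not part of this thread and not a Malwarebytes or HijackThis feature), the Python below parses O4 Run lines and flags the ones that match simple triage heuristics: numeric names, images in user-writable directories, and system-process filenames living outside C:\Windows. The sample lines, the environment-variable map and the heuristic lists are constructed for the example.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample O4 lines. The first two and the last mirror benign vendor
# entries from the thread; the third copies the rogue's persistence pattern
# recorded in the Malwarebytes log; the fourth is a constructed lookalike.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe',
    r'O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"',
    r'O4 - HKCU\..\Run: [70574932] C:\ProgramData\70574932\70574932.exe',
    r'O4 - HKCU\..\Run: [Updater] "C:\Users\Jane\AppData\Roaming\svchost.exe" /quiet',
    r'O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide',
]

# Constructed stand-in for the machine's environment variables (HijackThis
# prints %ProgramFiles% etc. unexpanded).
ENV = {"%programfiles%": "C:\\Program Files", "%systemroot%": "C:\\Windows"}

# Directories an ordinary user can write to; a legitimate vendor autorun
# normally lives under Program Files or Windows instead.
USER_WRITABLE_PREFIXES = (
    "c:\\programdata\\", "c:\\users\\", "c:\\documents and settings\\", "c:\\windows\\temp\\",
)
# Names of core Windows processes that malware likes to borrow.
SYSTEM_PROCESS_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}

# "O4 - <hive>\..\<Run key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Unquoted image path: everything up to the first executable extension.
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|scr|cmd|bat|vbs|js))(?:\s|$)", re.IGNORECASE)


@dataclass
class Finding:
    name: str
    path: str
    reasons: list = field(default_factory=list)


def expand_env(path):
    """Expand the %VAR% forms in ENV, case-insensitively."""
    for var, value in ENV.items():
        path = re.sub(re.escape(var), lambda _m, v=value: v, path, flags=re.IGNORECASE)
    return path


def image_path(cmd):
    """Pull the executable path out of an autorun command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        raw = cmd[1:end] if end > 0 else cmd[1:]
    else:
        m = EXE_RE.match(cmd)
        raw = m.group(1) if m else cmd.split()[0]
    return expand_env(raw)


def assess(name, path):
    """Return the list of heuristic reasons an autorun deserves a closer look."""
    reasons = []
    low = path.lower()
    base = ntpath.basename(low)
    stem = base.rsplit(".", 1)[0]
    if name.strip().isdigit() or stem.isdigit():
        reasons.append("numeric autorun name")
    if low.startswith(USER_WRITABLE_PREFIXES) or "\\appdata\\" in low or "\\temp\\" in low:
        reasons.append("user-writable location")
    if base in SYSTEM_PROCESS_NAMES and not low.startswith("c:\\windows\\"):
        reasons.append("system-process name outside Windows")
    return reasons


def triage(lines):
    """Parse O4 Run lines and return only the entries that trip a heuristic."""
    findings = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue  # Startup-folder and non-O4 lines are ignored here
        path = image_path(m.group("cmd"))
        reasons = assess(m.group("name"), path)
        if reasons:
            findings.append(Finding(m.group("name"), path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_O4_LINES):
        print(f"[{f.name}] {f.path} -> {', '.join(f.reasons)}")
```

Run against the sample, only the numeric ProgramData entry and the AppData "svchost.exe" are reported; the Dell, Google and Windows Defender entries pass. The heuristics are a first-pass filter for reading a log by eye, not a verdict: a flagged entry still needs the file itself checked.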


#3 mpascal

mpascal

    Math Nerd


  • Members
  • 1,653 posts
  • OFFLINE
  • Gender:Male
  • Location:Canada
  • Local time:08:05 PM

Posted 12 March 2010 - 01:34 PM

Hi mat58,

Welcome to Bleeping Computer.

My name is mpascal, and I will be helping you fix your problem.

Please keep in mind that I am still in training and so there may be a slight delay between replies. This is so that a resident expert can check my responses to ensure we get your computer fixed as quickly and effectively as possible.

Before we begin, I would like to make a few things clear so that we can fix your problem as efficiently as possible:
  • Be sure to follow all my instructions carefully! If there is anything you don't understand, don't hesitate to ask.
  • Please do not do anything or perform other steps unless I have asked you to do so.
  • Please make sure you post all logs I ask you to, and make sure that the entire log gets posted.
  • If you are unsure of how to reply, or need help with anything regarding the website, please look here.

STEP 1 - OTL

Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • In the Custom Scans box, copy and paste the following:
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of the files, and post it with your next reply.
STEP 2 - GMER

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSOD, uncheck Devices on the right side before scanning.

STEP 3 - Reply

Please reply with the following logs:
  • OTL Logs
  • GMER Log

Edited by mpascal, 12 March 2010 - 01:35 PM.


Stay with your topic! Topics that go 4 days without a reply will be closed. PM me to reopen.

Please don't PM asking for support. Post on the forums instead.

My help is free, but if you wish to donate and help continue my fight against malware, click here.
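
The /md5start ... /md5stop block in STEP 1 asks OTL to print the MD5 of boot-critical drivers and logon DLLs so they can be compared against known-good values; a mismatch on a file such as atapi.sys or netlogon.dll is what a helper is looking for. As an added example (not OTL's code and not part of this thread), the Python below performs that comparison directly: it hashes each watched file in a directory and reports ok, MODIFIED, MISSING or UNREADABLE against a baseline of trusted digests. The baseline, the file contents and the temporary directory standing in for %systemroot%\system32\drivers are all constructed for the example.

```python
import hashlib
import os
import tempfile

# Subset of the names from the /md5start block in STEP 1 above.
WATCHED = ["atapi.sys", "iaStor.sys", "netlogon.dll", "scecli.dll"]


def file_digest(path, algo="md5"):
    """Hash a file in chunks so large drivers do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_files(directory, baseline, algo="md5"):
    """Compare each baselined file's digest with what is on disk.

    baseline maps filename -> trusted hex digest. Filenames are matched
    case-insensitively, as Windows does. Returns {filename: status}.
    """
    # Case-insensitive index of the directory listing.
    index = {entry.lower(): entry for entry in os.listdir(directory)}
    report = {}
    for name, expected in baseline.items():
        on_disk = index.get(name.lower())
        if on_disk is None:
            report[name] = "MISSING"
            continue
        try:
            actual = file_digest(os.path.join(directory, on_disk), algo)
        except OSError:
            # A locked or unreadable file is itself worth reporting.
            report[name] = "UNREADABLE"
            continue
        report[name] = "ok" if actual == expected else "MODIFIED"
    return report


def demo():
    """Build a constructed sandbox, take a baseline, tamper with one file, re-check."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-ins for driver/DLL contents; note the on-disk
        # casing of iastor.sys differs from the watched name iaStor.sys.
        contents = {
            "atapi.sys": b"constructed atapi driver bytes",
            "iastor.sys": b"constructed iastor driver bytes",
            "netlogon.dll": b"constructed netlogon bytes",
        }
        for name, data in contents.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        # Trusted digests taken before tampering; scecli.dll is baselined
        # but never written, so it shows up as MISSING.
        baseline = {
            "atapi.sys": hashlib.md5(contents["atapi.sys"]).hexdigest(),
            "iaStor.sys": hashlib.md5(contents["iastor.sys"]).hexdigest(),
            "netlogon.dll": hashlib.md5(contents["netlogon.dll"]).hexdigest(),
            "scecli.dll": hashlib.md5(b"constructed scecli bytes").hexdigest(),
        }
        # Simulate a patched driver: append bytes after the baseline was taken.
        with open(os.path.join(d, "atapi.sys"), "ab") as fh:
            fh.write(b"\x90" * 8)
        return check_files(d, baseline)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:14} {status}")
```

The report is a plain dict so it can be compared, logged or fed to another tool. Real baselines come from a trusted source such as a clean install of the same service pack, and in practice SHA-256 is preferred over MD5 (the algo parameter accepts any hashlib name); MD5 is used here only because that is what the OTL directive prints.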


#4 mat58

mat58
  • Topic Starter

  • Members
  • 235 posts
  • OFFLINE
  • Gender:Female
  • Location:Mesa, AZ
  • Local time:06:05 PM

Posted 12 March 2010 - 08:50 PM

Can't get GMER to run to completion. Received one BSOD (F4). Disabled the DRIVERS, but it keeps rebooting. Here are the OTL logs:

OTL logfile created on: 3/12/2010 4:42:31 PM - Run 1
OTL by OldTimer - Version 3.1.37.0 Folder = C:\Users\Larry and Katherine\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18882)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 42.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 63.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 220.58 Gb Total Space | 162.50 Gb Free Space | 73.67% Space Free | Partition Type: NTFS
Drive D: | 9.77 Gb Total Space | 5.37 Gb Free Space | 54.96% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SCHULTZ-PC
Current User Name: Larry and Katherine
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Users\Larry and Katherine\Desktop\OTL.exe (OldTimer Tools)
PRC - c:\Program Files\McAfee.com\Agent\mcupdate.exe (McAfee, Inc.)
PRC - C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe (Google Inc.)
PRC - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
PRC - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc.)
PRC - c:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\MPF\MpfSrv.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
PRC - c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
PRC - c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
PRC - C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
PRC - C:\Program Files\Pure Networks\Network Magic\nmapp.exe (Cisco Systems, Inc.)
PRC - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe (Cisco Systems, Inc.)
PRC - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe (Cisco Systems, Inc.)
PRC - C:\Windows\System32\atashost.exe (WebEx Communications, Inc.)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
PRC - C:\Program Files\Dell Support Center\bin\sprtsvc.exe (SupportSoft, Inc.)
PRC - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
PRC - C:\Program Files\Dell\MediaDirect\PCMService.exe (CyberLink Corp.)
PRC - C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe (IDT, Inc.)
PRC - C:\Windows\System32\stacsv.exe (IDT, Inc.)
PRC - C:\Windows\System32\AEstSrv.exe (Andrea Electronics Corporation)
PRC - C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
PRC - C:\Program Files\DellTPad\hidfind.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\DellTPad\ApMsgFwd.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\DellTPad\ApntEx.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
PRC - C:\Program Files\Digital Line Detect\DLG.exe (Avanquest Software )


========== Modules (SafeList) ==========

MOD - C:\Users\Larry and Katherine\Desktop\OTL.exe (OldTimer Tools)
MOD - c:\Program Files\McAfee\SiteAdvisor\sahook.dll (McAfee, Inc.)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (GoogleDesktopManager-110309-193829) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
SRV - (McAfee SiteAdvisor Service) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc.)
SRV - (MpfService) -- C:\Program Files\McAfee\MPF\MPFSrv.exe (McAfee, Inc.)
SRV - (McODS) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SRV - (McShield) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
SRV - (McSysmon) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
SRV - (mcmscsvc) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
SRV - (McProxy) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
SRV - (McNASvc) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
SRV - (nmservice) -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe (Cisco Systems, Inc.)
SRV - (atashost) -- C:\Windows\System32\atashost.exe (WebEx Communications, Inc.)
SRV - (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe (SupportSoft, Inc.)
SRV - (GoToAssist) -- C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe (Citrix Online, a division of Citrix Systems, Inc.)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (STacSV) -- C:\Windows\System32\stacsv.exe (IDT, Inc.)
SRV - (AESTFilters) -- C:\Windows\System32\AEstSrv.exe (Andrea Electronics Corporation)
SRV - (IAANTMON) Intel® -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)


========== Driver Services (SafeList) ==========

DRV - (mfehidk) -- C:\Windows\System32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mfeavfk) -- C:\Windows\System32\drivers\mfeavfk.sys (McAfee, Inc.)
DRV - (mfesmfk) -- C:\Windows\System32\drivers\mfesmfk.sys (McAfee, Inc.)
DRV - (mfebopk) -- C:\Windows\System32\drivers\mfebopk.sys (McAfee, Inc.)
DRV - (mferkdk) -- C:\Windows\System32\drivers\mferkdk.sys (McAfee, Inc.)
DRV - (MPFP) -- C:\Windows\System32\drivers\Mpfp.sys (McAfee, Inc.)
DRV - (purendis) -- C:\Windows\System32\drivers\purendis.sys (Cisco Systems, Inc.)
DRV - (pnarp) -- C:\Windows\System32\drivers\pnarp.sys (Cisco Systems, Inc.)
DRV - (viaide) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.)
DRV - (cmdide) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.)
DRV - (aliide) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.)
DRV - (IntcHdmiAddService) Intel® -- C:\Windows\System32\drivers\IntcHdmi.sys (Intel® Corporation)
DRV - (igfx) -- C:\Windows\System32\drivers\igdkmd32.sys (Intel Corporation)
DRV - (BCM43XX) -- C:\Windows\System32\drivers\BCMWL6.SYS (Broadcom Corp.)
DRV - (STHDA) -- C:\Windows\System32\drivers\stwrt.sys (IDT, Inc.)
DRV - (yukonwlh) -- C:\Windows\System32\drivers\yk60x86.sys (Marvell)
DRV - (ApfiltrService) -- C:\Windows\System32\drivers\Apfiltr.sys (Alps Electric Co., Ltd.)
DRV - (iaStor) -- C:\Windows\system32\drivers\iastor.sys (Intel Corporation)
DRV - (rismxdp) -- C:\Windows\System32\drivers\rixdptsk.sys (REDC)
DRV - (rimmptsk) -- C:\Windows\System32\drivers\rimmptsk.sys (REDC)
DRV - (rimsptsk) -- C:\Windows\System32\drivers\rimsptsk.sys (REDC)
DRV - (HSF_DPV) -- C:\Windows\System32\drivers\HSX_DPV.sys (Conexant Systems, Inc.)
DRV - (HSXHWAZL) -- C:\Windows\System32\drivers\HSXHWAZL.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\Windows\System32\drivers\HSX_CNXT.sys (Conexant Systems, Inc.)
DRV - (ql2300) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation)
DRV - (adp94xx) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.)
DRV - (elxstor) -- C:\Windows\system32\drivers\elxstor.sys (Emulex)
DRV - (adpahci) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.)
DRV - (uliahci) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.)
DRV - (iaStorV) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation)
DRV - (adpu320) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.)
DRV - (ulsata2) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.)
DRV - (vsmraid) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (ql40xx) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation)
DRV - (UlSata) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.)
DRV - (adpu160m) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.)
DRV - (nvraid) -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation)
DRV - (nfrd960) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation)
DRV - (iirsp) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (SiSRaid4) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems)
DRV - (nvstor) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation)
DRV - (aic78xx) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.)
DRV - (arcsas) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.)
DRV - (LSI_SCSI) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic)
DRV - (SiSRaid2) -- C:\Windows\system32\drivers\sisraid2.sys (Silicon Integrated Systems Corp.)
DRV - (HpCISSs) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company)
DRV - (arc) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.)
DRV - (iteraid) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.)
DRV - (iteatapi) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.)
DRV - (LSI_SAS) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic)
DRV - (Symc8xx) -- C:\Windows\system32\drivers\symc8xx.sys (LSI Logic)
DRV - (LSI_FC) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic)
DRV - (Sym_u3) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic)
DRV - (Mraid35x) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation)
DRV - (Sym_hi) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic)
DRV - (megasas) -- C:\Windows\system32\drivers\megasas.sys (LSI Logic Corporation)
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.)
DRV - (BrFiltUp) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.)
DRV - (BrFiltLo) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.)
DRV - (BrSerWdm) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.)
DRV - (BrUsbMdm) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.)
DRV - (ntrigdigi) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies)
DRV - (R300) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (e1express) Intel® -- C:\Windows\System32\drivers\e1e6032.sys (Intel Corporation)
DRV - (E1G60) Intel® -- C:\Windows\System32\drivers\E1G60I32.sys (Intel Corporation)
DRV - (XAudio) -- C:\Windows\System32\drivers\XAudio.sys (Conexant Systems, Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://phoenix.cox.net/cci/home
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/02/18 08:33:09 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2006/09/18 14:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (WOT Helper) - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll ()
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (WOT) - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll ()
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (WOT) - {71576546-354D-41C9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll ()
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
O4 - HKLM..\Run: [ECenter] C:\DELL\E-Center\EULALauncher.exe ( )
O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [nmapp] C:\Program Files\Pure Networks\Network Magic\nmapp.exe (Cisco Systems, Inc.)
O4 - HKLM..\Run: [nmctxth] C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe (Cisco Systems, Inc.)
O4 - HKLM..\Run: [PCMService] C:\Program Files\Dell\MediaDirect\PCMService.exe (CyberLink Corp.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe (IDT, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKCU..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - Startup: C:\Users\Larry and Katherine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKCU\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://photo2.walgreens.com/WalgreensActivia.cab (Snapfish Activia)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (Reg Error: Value error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\pure-go {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\Platform\puresp4.dll (Cisco Systems, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\wot {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll ()
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\GoToAssist: DllName - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll - C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 14:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{c9e81721-2928-11dd-abba-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{c9e81721-2928-11dd-abba-806e6f6e6963}\Shell\AutoRun\command - "" = E:\setup\setup.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2008/09/02 22:35:38 | 000,000,000 | ---D | M]
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found
OTL cannot create restorepoints on Vista OSs!

========== Files/Folders - Created Within 30 Days ==========

[2010/03/12 16:39:01 | 000,555,520 | ---- | C] (OldTimer Tools) -- C:\Users\Larry and Katherine\Desktop\OTL.exe
[2010/03/11 17:22:30 | 000,000,000 | ---D | C] -- C:\Program Files\WOT
[2010/03/11 03:01:20 | 000,024,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\nshhttp.dll
[2010/03/11 03:01:19 | 000,031,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\httpapi.dll
[2010/03/10 18:24:31 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/03/10 17:20:33 | 000,000,000 | ---D | C] -- C:\Users\Larry and Katherine\AppData\Roaming\Malwarebytes
[2010/03/10 17:20:30 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/03/10 17:20:28 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/03/10 17:20:28 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/03/10 17:20:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/02/28 11:34:49 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/02/28 11:31:06 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/02/24 07:10:52 | 000,726,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript.dll
[2010/02/24 07:10:44 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll
[2010/02/24 07:09:08 | 000,523,776 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate_isv.exe
[2010/02/24 07:09:08 | 000,511,488 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate.exe
[2010/02/24 07:09:08 | 000,472,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc_isv.dll
[2010/02/24 07:09:08 | 000,472,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc.dll
[2010/02/24 07:09:08 | 000,347,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate_ssp.exe
[2010/02/24 07:09:08 | 000,346,624 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate_ssp_isv.exe
[2010/02/24 07:09:07 | 000,329,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msdrm.dll
[2010/02/24 07:09:07 | 000,151,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc_ssp_isv.dll
[2010/02/24 07:09:07 | 000,151,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc_ssp.dll

========== Files - Modified Within 30 Days ==========

[2010/03/12 16:52:59 | 001,835,008 | -HS- | M] () -- C:\Users\Larry and Katherine\ntuser.dat
[2010/03/12 16:48:03 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/03/12 16:47:10 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/03/12 16:47:10 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/03/12 16:41:33 | 000,293,376 | ---- | M] () -- C:\Users\Larry and Katherine\Desktop\6p9evy7j.exe
[2010/03/12 16:39:10 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\Larry and Katherine\Desktop\OTL.exe
[2010/03/12 16:36:58 | 000,017,940 | ---- | M] () -- C:\Windows\System32\Config.MPF
[2010/03/12 16:36:11 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/03/11 18:11:36 | 000,000,446 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{8942447D-D368-44C5-B48B-B09D11CEB42C}.job
[2010/03/11 17:26:56 | 000,000,036 | ---- | M] () -- C:\Users\Larry and Katherine\AppData\Local\housecall.guid.cache
[2010/03/11 03:48:00 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/03/11 03:31:11 | 000,690,960 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/03/11 03:31:11 | 000,595,684 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/03/11 03:31:11 | 000,101,350 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/03/11 03:23:13 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/03/11 03:22:53 | 2137,042,944 | -HS- | M] () -- C:\hiberfil.sys
[2010/03/11 03:21:45 | 000,524,288 | -HS- | M] () -- C:\Users\Larry and Katherine\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2010/03/11 03:21:45 | 000,065,536 | -HS- | M] () -- C:\Users\Larry and Katherine\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2010/03/11 03:21:42 | 001,891,022 | -H-- | M] () -- C:\Users\Larry and Katherine\AppData\Local\IconCache.db
[2010/03/10 18:24:31 | 000,001,876 | ---- | M] () -- C:\Users\Larry and Katherine\Desktop\HijackThis.lnk
[2010/03/09 17:17:11 | 000,009,728 | ---- | M] () -- C:\Users\Larry and Katherine\Documents\for baby.wps
[2010/03/09 17:17:11 | 000,003,996 | ---- | M] () -- C:\Users\Larry and Katherine\AppData\Roaming\wklnhst.dat
[2010/03/09 17:05:55 | 000,009,216 | ---- | M] () -- C:\Users\Larry and Katherine\Documents\aspenglo.wps
[2010/03/09 16:57:27 | 000,009,216 | ---- | M] () -- C:\Users\Larry and Katherine\Documents\sunshine on my shoulders.wps
[2010/03/09 16:51:41 | 000,009,216 | ---- | M] () -- C:\Users\Larry and Katherine\Documents\calypso.wps
[2010/03/04 07:36:19 | 000,001,083 | ---- | M] () -- C:\Users\Larry and Katherine\Desktop\CaddieSync.lnk
[2010/02/28 19:15:27 | 000,009,728 | ---- | M] () -- C:\Users\Larry and Katherine\Documents\weather.wps
[2010/02/28 11:35:37 | 000,001,804 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2010/02/28 11:31:40 | 000,001,728 | ---- | M] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2010/02/28 09:44:15 | 000,005,972 | ---- | M] () -- C:\Users\Larry and Katherine\AppData\Local\d3d9caps.dat
[2010/02/25 03:21:13 | 000,071,192 | ---- | M] () -- C:\Users\Larry and Katherine\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/02/25 03:20:28 | 000,302,872 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/02/20 16:39:35 | 000,024,064 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\nshhttp.dll
[2010/02/20 16:37:20 | 000,031,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\httpapi.dll
[2010/02/19 14:18:02 | 000,010,240 | ---- | M] () -- C:\Users\Larry and Katherine\Documents\blue bayou.wps
[2010/02/19 14:09:29 | 000,010,752 | ---- | M] () -- C:\Users\Larry and Katherine\Documents\life is too short.wps

========== Files Created - No Company Name ==========

[2010/03/12 16:41:29 | 000,293,376 | ---- | C] () -- C:\Users\Larry and Katherine\Desktop\6p9evy7j.exe
[2010/03/11 17:26:56 | 000,000,036 | ---- | C] () -- C:\Users\Larry and Katherine\AppData\Local\housecall.guid.cache
[2010/03/10 18:24:31 | 000,001,876 | ---- | C] () -- C:\Users\Larry and Katherine\Desktop\HijackThis.lnk
[2010/03/10 17:26:54 | 2137,042,944 | -HS- | C] () -- C:\hiberfil.sys
[2010/03/09 17:17:11 | 000,009,728 | ---- | C] () -- C:\Users\Larry and Katherine\Documents\for baby.wps
[2010/03/09 17:05:55 | 000,009,216 | ---- | C] () -- C:\Users\Larry and Katherine\Documents\aspenglo.wps
[2010/03/09 16:57:27 | 000,009,216 | ---- | C] () -- C:\Users\Larry and Katherine\Documents\sunshine on my shoulders.wps
[2010/03/09 16:51:40 | 000,009,216 | ---- | C] () -- C:\Users\Larry and Katherine\Documents\calypso.wps
[2010/03/04 07:36:19 | 000,001,083 | ---- | C] () -- C:\Users\Larry and Katherine\Desktop\CaddieSync.lnk
[2010/02/28 19:15:27 | 000,009,728 | ---- | C] () -- C:\Users\Larry and Katherine\Documents\weather.wps
[2010/02/28 11:35:37 | 000,001,804 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2010/02/28 11:31:40 | 000,001,728 | ---- | C] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2010/02/18 20:26:41 | 000,010,240 | ---- | C] () -- C:\Users\Larry and Katherine\Documents\blue bayou.wps
[2010/02/18 19:37:31 | 000,010,752 | ---- | C] () -- C:\Users\Larry and Katherine\Documents\life is too short.wps
[2010/01/04 12:17:50 | 008,892,928 | ---- | C] () -- C:\ProgramData\atscie.msi
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2008/10/04 09:14:13 | 000,003,996 | ---- | C] () -- C:\Users\Larry and Katherine\AppData\Roaming\wklnhst.dat
[2008/06/28 18:10:52 | 000,005,972 | ---- | C] () -- C:\Users\Larry and Katherine\AppData\Local\d3d9caps.dat
[2008/06/10 15:31:19 | 000,019,456 | ---- | C] () -- C:\Users\Larry and Katherine\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/05/24 01:30:26 | 000,004,608 | ---- | C] () -- C:\Windows\System32\HdmiCoin.dll
[2008/05/24 01:30:25 | 001,953,696 | ---- | C] () -- C:\Windows\System32\igklg400.dll
[2008/05/24 01:30:25 | 001,533,360 | ---- | C] () -- C:\Windows\System32\igklg450.dll
[2008/05/24 01:30:25 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1409.dll
[2008/05/24 01:30:25 | 000,104,636 | ---- | C] () -- C:\Windows\System32\igmedcompkrn.dll
[2008/05/24 01:30:22 | 000,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll
[2008/05/23 17:53:38 | 000,054,784 | ---- | C] () -- C:\Windows\System32\bcmwlrmt.dll
[2006/11/02 05:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 03:25:44 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2006/11/02 00:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/01/19 00:42:25 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys
[2008/01/19 00:42:25 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys
[2008/01/19 00:42:25 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_bbfe6647bbd2a4c6\AGP440.sys
[2008/05/24 01:06:34 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=8B10CE1C1F9F1D47E4DEB1A547A00CD4 -- C:\Windows\System32\drivers\AGP440.sys
[2008/05/24 01:06:34 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=8B10CE1C1F9F1D47E4DEB1A547A00CD4 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_8ed06b47\AGP440.sys
[2008/05/24 01:06:34 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=8B10CE1C1F9F1D47E4DEB1A547A00CD4 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6000.16400_none_b82caac9c18a4e3b\AGP440.sys
[2008/05/24 01:06:34 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=BF34B4A0E0B64440C5389AA6B902F4AD -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6000.20496_none_b85af81edaeb8461\AGP440.sys
[2006/11/02 02:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009/04/10 23:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
[2008/01/19 00:41:30 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\drivers\atapi.sys
[2008/01/19 00:41:30 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2008/01/19 00:41:30 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[2008/05/24 01:07:27 | 000,021,688 | ---- | M] (Microsoft Corporation) MD5=3E39E69F31F95D056703212E94320899 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_e6b2949c\atapi.sys
[2008/05/24 01:07:27 | 000,021,688 | ---- | M] (Microsoft Corporation) MD5=3E39E69F31F95D056703212E94320899 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20544_none_dbb443eb3d9db847\atapi.sys
[2006/11/02 02:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
[2008/05/24 01:07:13 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=5653737BAD8C6C10136451C195C19881 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20485_none_db8a029f3dbd443b\atapi.sys
[2008/05/24 01:29:46 | 000,021,688 | ---- | M] (Microsoft Corporation) MD5=61CA2C1E145809813C28752298CF9843 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_5da5d093\atapi.sys
[2008/05/24 01:29:46 | 000,021,688 | ---- | M] (Microsoft Corporation) MD5=61CA2C1E145809813C28752298CF9843 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20580_none_db8503133dc1c2af\atapi.sys
[2008/05/24 01:29:46 | 000,021,688 | ---- | M] (Microsoft Corporation) MD5=7EB55F6BEFB392BD312CD0CD5263305D -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_6c3af7d3\atapi.sys
[2008/05/24 01:29:46 | 000,021,688 | ---- | M] (Microsoft Corporation) MD5=7EB55F6BEFB392BD312CD0CD5263305D -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16470_none_db063634249c06f4\atapi.sys
[2008/05/24 01:06:31 | 000,021,688 | ---- | M] (Microsoft Corporation) MD5=9E7E85EC61D1C9C3171CC08427108863 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_5a9555b4\atapi.sys
[2008/05/24 01:06:31 | 000,021,688 | ---- | M] (Microsoft Corporation) MD5=9E7E85EC61D1C9C3171CC08427108863 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20509_none_dbe4850d3d78c736\atapi.sys
[2008/05/24 01:07:13 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=A779CA2C76DA4FCB595E692C05E8E4EB -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_82339ef2\atapi.sys
[2008/05/24 01:07:13 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=A779CA2C76DA4FCB595E692C05E8E4EB -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16391_none_daf194c024ab5b06\atapi.sys
[2008/05/24 01:22:24 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys
[2008/05/24 01:22:24 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_db337a442479c42c\atapi.sys
[2008/05/24 01:22:23 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=E03E8C99D15D0381E02743C36AFC7C6F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_64dfd8ea\atapi.sys
[2008/05/24 01:22:23 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=E03E8C99D15D0381E02743C36AFC7C6F -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20757_none_dbac78a93da31a8b\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2006/11/02 02:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\System32\cngaudit.dll
[2006/11/02 02:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

< MD5 for: IASTOR.SYS >
[2007/09/06 09:43:26 | 000,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\Drivers\storage\R166200\iastor.sys
[2007/03/21 10:58:56 | 000,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\IaStor.sys
[2007/09/06 09:43:26 | 000,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\Windows\System32\drivers\iaStor.sys
[2007/09/06 09:43:26 | 000,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_3a63e5a6\iaStor.sys
[2007/09/06 09:43:26 | 000,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\Windows\System32\DriverStore\FileRepository\iastor.inf_5f6e7be5\iaStor.sys
[2007/03/21 10:59:30 | 000,381,720 | ---- | M] (Intel Corporation) MD5=9D7ED4275702E2FC409F2CC563245740 -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys

< MD5 for: IASTORV.SYS >
[2008/01/19 00:42:51 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_c9df7691\iaStorV.sys
[2008/01/19 00:42:51 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_af11527887c7fa8f\iaStorV.sys
[2006/11/02 02:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\drivers\iaStorV.sys
[2006/11/02 02:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2006/11/02 02:46:11 | 000,559,616 | ---- | M] (Microsoft Corporation) MD5=889A2C9F2AACCD8F64EF50AC0B3D553B -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783\netlogon.dll
[2009/04/10 23:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3\netlogon.dll
[2008/01/19 00:35:36 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\System32\netlogon.dll
[2008/01/19 00:35:36 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2006/11/02 02:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\drivers\nvstor.sys
[2006/11/02 02:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys
[2008/01/19 00:42:09 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys
[2008/01/19 00:42:09 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys

< MD5 for: SCECLI.DLL >
[2008/01/19 00:36:19 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\System32\scecli.dll
[2008/01/19 00:36:19 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll
[2006/11/02 02:46:12 | 000,176,640 | ---- | M] (Microsoft Corporation) MD5=80E2839D05CA5970A86D7BE2A08BFF61 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e\scecli.dll
[2009/04/10 23:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2007/12/11 23:01:24 | 000,054,784 | ---- | M] () Unable to obtain MD5 -- C:\Windows\System32\bcmwlrmt.dll
[2009/03/08 04:31:42 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\dxtmsft.dll
[2009/03/08 04:31:37 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\dxtrans.dll
[2008/01/19 00:38:03 | 000,242,744 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rsaenh.dll
[2008/01/19 00:36:10 | 000,225,792 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\SLC.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2006/11/02 03:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
[2006/11/02 03:34:05 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
[2006/11/02 03:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
[2006/11/02 03:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
[2006/11/02 03:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV
< End of report >



EXTRAS FILE

OTL Extras logfile created on: 3/12/2010 4:42:31 PM - Run 1
OTL by OldTimer - Version 3.1.37.0 Folder = C:\Users\Larry and Katherine\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18882)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 42.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 63.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 220.58 Gb Total Space | 162.50 Gb Free Space | 73.67% Space Free | Partition Type: NTFS
Drive D: | 9.77 Gb Total Space | 5.37 Gb Free Space | 54.96% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SCHULTZ-PC
Current User Name: Larry and Katherine
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{05BF3F48-F348-445E-8C32-74147C392FE5}" = lport=139 | protocol=6 | dir=in | app=system |
"{0EE73F88-9320-4F92-87A9-17F913ECCEDA}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=file and printer sharing (spooler service - rpc-epmap) |
"{1CBA01D8-E8E2-4AAD-BB1D-C7802005CF3F}" = rport=138 | protocol=17 | dir=out | app=system |
"{39D607A9-593B-4A8A-874D-D3EF1E10056E}" = rport=139 | protocol=6 | dir=out | app=system |
"{8AA11B0F-7CCB-4222-BADC-1790CFF19E9F}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=c:\windows\system32\spoolsv.exe |
"{A7A49775-E175-4498-9219-3F7D4BBB10A2}" = rport=445 | protocol=6 | dir=out | app=system |
"{BB44C3FD-6420-4B84-BFF2-2C8E797189E7}" = lport=445 | protocol=6 | dir=in | app=system |
"{E788BA93-8050-4B52-8432-E944188EB008}" = rport=137 | protocol=17 | dir=out | app=system |
"{F7674157-2555-4826-A7CF-E708CA641AF1}" = lport=138 | protocol=17 | dir=in | app=system |
"{FFABA9E5-DE4A-43F6-B27A-8EA086E711F2}" = lport=137 | protocol=17 | dir=in | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{14439181-F983-4DD2-95B2-4443439B36D0}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{18DDBF77-BCE0-4E12-AEEE-AFD8D9001597}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{2C662823-F06F-4DD2-BB6D-99EFD9BACBBC}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{2FD98ED9-7D7B-4CEE-A705-A41469E40C3A}" = protocol=6 | dir=in | app=c:\program files\skygolf\skycaddie desktop\skycaddiedesktop.exe |
"{36206CFD-CBA3-42C7-9550-C46F8402C10A}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{523F7793-74F9-4560-A3B2-427CB48B4B34}" = protocol=17 | dir=in | app=c:\program files\skygolf\skycaddie desktop\skycaddiedesktop.exe |
"{59698B9A-5FFB-4302-9527-0B0C389983B0}" = protocol=6 | dir=in | app=c:\program files\skygolf\skycaddie desktop\skycaddiedesktop.exe |
"{6F1AFC0D-CA40-4A15-8A6D-2C533DD7C8E6}" = protocol=58 | dir=out | name=file and printer sharing (echo request - icmpv6-out) |
"{7407B03A-CDDF-49A9-9EA9-A17BAC0CB224}" = protocol=1 | dir=out | name=file and printer sharing (echo request - icmpv4-out) |
"{8EC16500-E1E6-4DD4-8F43-B064D34B4C71}" = protocol=1 | dir=in | name=file and printer sharing (echo request - icmpv4-in) |
"{96E544BA-866C-4917-8B12-6E91B305FB28}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{96FCBE81-633D-4559-BC66-7110AD2F64C3}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{ABF018AB-B051-4285-886A-2042731782DD}" = dir=in | app=c:\program files\dell\mediadirect\kernel\dms\clmsservice.exe |
"{B72C1B7B-5994-49C8-B8F6-2072C1D9FF63}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{C2764F47-5C97-42E3-B5D2-31B73B9EB55A}" = dir=in | app=c:\program files\common files\mcafee\mna\mcnasvc.exe |
"{C640AD23-72F0-4454-8961-FAAAEBF0BBAD}" = dir=in | app=c:\program files\dell\mediadirect\mediadirect.exe |
"{C737E9C5-78CF-4C3F-A322-1AAF3E086C46}" = dir=in | app=c:\program files\dell\mediadirect\kernel\dmp\clbrowserengine.exe |
"{C7CF5F1B-CEF6-4FF4-92A2-55CE7CD91CAB}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{D6425385-B2F1-41FF-8BDC-A3BD4C51A0A6}" = dir=in | app=c:\program files\dell\mediadirect\pcmservice.exe |
"{F2941A4C-88D2-467C-B9FE-A52A106BB618}" = protocol=58 | dir=in | name=file and printer sharing (echo request - icmpv6-in) |
"{F7E93032-D002-4935-BFD5-AB4EF6121AF2}" = protocol=17 | dir=in | app=c:\program files\skygolf\skycaddie desktop\skycaddiedesktop.exe |
"TCP Query User{34857A3B-A516-4B4E-BA05-5BD799E0B0E5}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{9776B45B-0236-4B7E-A851-521F9DC9E1B9}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Creator Data
"{09760D42-E223-42AD-8C3E-55B47D0DDAC3}" = Roxio Creator DE
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Creator Tools
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{2357B8BC-88C9-4A72-818C-050CC4EB0778}" = AOL Install
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0160000}" = Java™ SE Runtime Environment 6
"{352310C3-E46B-42D3-8F32-54721FDD72D9}" = NetZeroInstallers
"{3AC54383-31D1-4907-961B-B12CBB1D0AE8}" = MobileMe Control Panel
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{42D68A86-DB1C-4256-B8C9-5D0D92919AF5}" = Banctec Service Agreement
"{4D3C9F4B-4B7D-4E5D-99B9-0123AB0D51ED}" = Dell DataSafe Online
"{4E5386F5-C0F6-4532-A54A-374865AEAB71}" = Cisco PEAP Module
"{5BA1D11C-B981-4CAA-B2B5-B8ADF413EBA5}" = Pure Networks Platform
"{5E68BB65-4059-4FE5-AAC4-0CD1D79BBDE2}" = EarthLink Setup Files
"{62230596-37E5-4618-A329-0D21F529A86F}" = Browser Address Error Redirector
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6B7B6D4D-8F9B-4CB3-8CA4-BCA9CC4C1A22}" = EDocs
"{6BBBF237-A114-48E6-BBD0-A52BEF9CCFB2}" = Cisco Network Magic
"{6DE13770-01B7-4366-8DA6-48237793F445}" = VoiceOver Kit
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Creator Audio
"{76F9CF97-FC4B-4E20-B363-D127C888448F}" = Cisco LEAP Module
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7DB9F1E5-9ACB-410D-A7DC-7A3D023CE045}" = Dell Getting Started Guide
"{7FCC4EDC-6EE2-4309-ABD7-85F2667A7B90}" = WebEx Support Manager for Internet Explorer
"{81063354-9060-42B2-A000-1EBE96778AA9}" = iTunes
"{89CEAE14-DD0F-448E-9554-15781EC9DB24}" = Product Documentation Launcher
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{9BDEF074-020E-458D-ADC5-8FF68E0C9B56}" = OutlookAddinSetup
"{9C6978E8-B6D0-4AB7-A7A0-D81A74FBF745}" = MediaDirect
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.3
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Creator Copy
"{BF53252E-4AB2-4C7F-A0FD-6100755745E3}" = Cisco EAP-FAST Module
"{C4972073-2BFE-475D-8441-564EA97DA161}" = QuickSet
"{CCFF1E13-77A2-4032-8B12-7566982A27DF}" = Internet Service Offers Launcher
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D6E4E5D6-7693-4BB4-95BA-21F38FAFEE90}" = Safari
"{D7769185-9A7C-48D4-8874-5388743A1DE2}" = Music, Photos & Videos Launcher
"{DB0BB9FA-1B60-4036-8E29-3D56D8085256}" = WOT for Internet Explorer
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center (Support Software)
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Creator DE
"{F63A3748-B93D-4360-9AD4-B064481A5C7B}" = Modem Diagnostic Tool
"{FA54AFB1-5745-4389-B8C1-9F7509672ED1}" = iPhone Configuration Utility
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card
"CameraWindowDC" = Canon Utilities CameraWindow DC
"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
"CameraWindowLauncher" = Canon Utilities CameraWindow
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F" = Conexant HDA D330 MDC V.92 Modem
"Google Desktop" = Google Desktop
"GoToAssist" = GoToAssist 8.0.0.514
"HijackThis" = HijackThis 2.0.2
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"MSC" = McAfee SecurityCenter
"MyCamera" = Canon Utilities MyCamera
"MyCameraDC" = Canon Utilities MyCamera DC
"Network MagicUninstall" = Network Magic
"PhotoStitch" = Canon Utilities PhotoStitch
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
"SkyCaddieDesktop" = SkyCaddie Desktop
"UnityWebPlayer" = Unity Web Player
"Yahoo! Companion" = Yahoo! Toolbar
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/23/2010 1:21:11 PM | Computer Name = Schultz-PC | Source = Application Error | ID = 1000
Description = Faulting application bcmwltry.exe, version 4.170.25.12, time stamp
0x46f3437a, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception
code 0xc0000005, fault offset 0x01ac9362, process id 0x6d4, application start time
0x01ca9c50670dc37d.

Error - 1/23/2010 3:39:19 PM | Computer Name = Schultz-PC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18882, time stamp
0x4b3ed243, faulting module IEShims.dll, version 8.0.6001.18882, time stamp 0x4b3ee8a8,
exception code 0xc0000005, fault offset 0x00021e16, process id 0x1090, application
start time 0x01ca9c63c0d36800.

Error - 1/25/2010 11:24:40 AM | Computer Name = Schultz-PC | Source = EventSystem | ID = 4622
Description =

Error - 1/29/2010 4:05:45 PM | Computer Name = Schultz-PC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18882, time stamp
0x4b3ed243, faulting module Flash10c.ocx, version 10.0.32.18, time stamp 0x4a613d79,
exception code 0xc0000005, fault offset 0x00180f89, process id 0xd74, application
start time 0x01caa04eced0cc60.

Error - 2/1/2010 1:46:40 AM | Computer Name = Schultz-PC | Source = EventSystem | ID = 4621
Description =

Error - 2/18/2010 1:26:31 AM | Computer Name = Schultz-PC | Source = EventSystem | ID = 4622
Description =

Error - 2/18/2010 11:05:49 PM | Computer Name = Schultz-PC | Source = EventSystem | ID = 4621
Description =

Error - 2/20/2010 6:59:28 PM | Computer Name = Schultz-PC | Source = Application Hang | ID = 1002
Description = The program iexplore.exe version 8.0.6001.18882 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Problem Reports and Solutions control panel. Process
ID: 11c8 Start Time: 01cab110c8e87f27 Termination Time: 169

Error - 2/22/2010 12:50:45 AM | Computer Name = Schultz-PC | Source = EventSystem | ID = 4621
Description =

Error - 2/24/2010 12:52:09 AM | Computer Name = Schultz-PC | Source = EventSystem | ID = 4621
Description =

[ Broadcom Wireless LAN Events ]
Error - 10/24/2009 11:27:08 AM | Computer Name = Schultz-PC | Source = WLAN-Tray | ID = 0
Description = 08:27:08, Sat, Oct 24, 09 Error - Unable to gain access to user store


Error - 1/5/2010 6:09:26 PM | Computer Name = Schultz-PC | Source = WLAN-Tray | ID = 0
Description = 15:09:26, Tue, Jan 05, 10 Error - Unable to gain access to user store


[ Media Center Events ]
Error - 10/28/2009 3:35:54 PM | Computer Name = Schultz-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

[ System Events ]
Error - 9/8/2008 11:54:31 PM | Computer Name = Schultz-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 9/8/2008 11:54:32 PM | Computer Name = Schultz-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 9/8/2008 11:54:32 PM | Computer Name = Schultz-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 9/8/2008 11:54:34 PM | Computer Name = Schultz-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 9/8/2008 11:54:35 PM | Computer Name = Schultz-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 9/8/2008 11:54:36 PM | Computer Name = Schultz-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 9/8/2008 11:54:37 PM | Computer Name = Schultz-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 9/8/2008 11:56:31 PM | Computer Name = Schultz-PC | Source = BROWSER | ID = 8032
Description =

Error - 9/9/2008 9:39:53 AM | Computer Name = Schultz-PC | Source = HTTP | ID = 15016
Description =

Error - 9/9/2008 9:40:19 AM | Computer Name = Schultz-PC | Source = Service Control Manager | ID = 7000
Description =


< End of report >

Edited by mat58, 12 March 2010 - 08:53 PM.


#5 mat58

Posted 12 March 2010 - 09:20 PM

GMER will not run to completion. I have tried running as Administrator, Safe mode, unchecked devices.
I have disabled McAfee through its menu interface. No internet connection.

I even re-downloaded the file. Going to keep trying.

UPDATE: Last BSOD showed the following:

0x00000050
error in kgddrfog.sys

Edited by mat58, 12 March 2010 - 09:45 PM.


#6 mat58

Posted 12 March 2010 - 10:32 PM

Finally got GMER to run. Had to uncheck devices. Saved log, just as the PC had another BSOD with F4 (no file designated).
NOTE: This PC had not had any BSOD occurrences to my knowledge prior to running the GMER scans.
Hope the log is complete:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-12 20:23:17
Windows 6.0.6001 Service Pack 1
Running: h5mtomi0.exe; Driver: C:\Users\LARRYA~1\AppData\Local\Temp\kgddrfog.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8D11B79E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8D11B738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8D11B74C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8D11B7DC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8D11B710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8D11B724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8D11B7B2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8D11B78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8D11B776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8D11B80B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8D11B7F2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8D11B7C8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8D11B762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 81C781C0 5 Bytes JMP 8D11B7CC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateUserProcess 81E19DD5 5 Bytes JMP 8D11B766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 81E33F8A 5 Bytes JMP 8D11B80F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 81E531D8 5 Bytes JMP 8D11B728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 81E62B14 5 Bytes JMP 8D11B714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 81E7574E 7 Bytes JMP 8D11B7E0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 81E75DA5 5 Bytes JMP 8D11B7F6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 81E77FB6 5 Bytes JMP 8D11B7A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 81E85674 5 Bytes JMP 8D11B77A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 81E878CE 7 Bytes JMP 8D11B7B6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 81EE51AF 5 Bytes JMP 8D11B73C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 81EE51FA 7 Bytes JMP 8D11B750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 81EE5CB7 5 Bytes JMP 8D11B78E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\services.exe[676] kernel32.dll!GetStartupInfoW 77F01929 5 Bytes JMP 00D90F48
.text C:\Windows\system32\services.exe[676] kernel32.dll!GetStartupInfoA 77F019C9 5 Bytes JMP 00D9008E
.text C:\Windows\system32\services.exe[676] kernel32.dll!CreateProcessW 77F01C01 5 Bytes JMP 00D90F01
.text C:\Windows\system32\services.exe[676] kernel32.dll!CreateProcessA 77F01C36 5 Bytes JMP 00D90F12
.text C:\Windows\system32\services.exe[676] kernel32.dll!VirtualProtect 77F01DD1 5 Bytes JMP 00D90F7E
.text C:\Windows\system32\services.exe[676] kernel32.dll!CreateNamedPipeW 77F05C44 5 Bytes JMP 00D90FCA
.text C:\Windows\system32\services.exe[676] kernel32.dll!LoadLibraryExW 77F230C3 5 Bytes JMP 00D90062
.text C:\Windows\system32\services.exe[676] kernel32.dll!LoadLibraryW 77F2361F 5 Bytes JMP 00D90FAF
.text C:\Windows\system32\services.exe[676] kernel32.dll!VirtualProtectEx 77F28D7E 5 Bytes JMP 00D90F6D
.text C:\Windows\system32\services.exe[676] kernel32.dll!LoadLibraryExA 77F29469 5 Bytes JMP 00D90051
.text C:\Windows\system32\services.exe[676] kernel32.dll!LoadLibraryA 77F29491 5 Bytes JMP 00D90036
.text C:\Windows\system32\services.exe[676] kernel32.dll!CreatePipe 77F30284 5 Bytes JMP 00D9007D
.text C:\Windows\system32\services.exe[676] kernel32.dll!GetProcAddress 77F4B8B6 5 Bytes JMP 00D90EE6
.text C:\Windows\system32\services.exe[676] kernel32.dll!CreateFileW 77F4CC4E 5 Bytes JMP 00D90FE5
.text C:\Windows\system32\services.exe[676] kernel32.dll!CreateFileA 77F4CF71 5 Bytes JMP 00D90000
.text C:\Windows\system32\services.exe[676] kernel32.dll!CreateNamedPipeA 77F9430E 5 Bytes JMP 00D90011
.text C:\Windows\system32\services.exe[676] kernel32.dll!WinExec 77F954FF 5 Bytes JMP 00D90F23
.text C:\Windows\system32\services.exe[676] ADVAPI32.dll!RegCreateKeyExA 778BB5E7 5 Bytes JMP 008F0F9E
.text C:\Windows\system32\services.exe[676] ADVAPI32.dll!RegCreateKeyA 778BB8AE 5 Bytes JMP 008F0FCA
.text C:\Windows\system32\services.exe[676] ADVAPI32.dll!RegOpenKeyA 778C0BF5 5 Bytes JMP 008F0FEF
.text C:\Windows\system32\services.exe[676] ADVAPI32.dll!RegCreateKeyW 778CB83D 5 Bytes JMP 008F0FB9
.text C:\Windows\system32\services.exe[676] ADVAPI32.dll!RegCreateKeyExW 778CBCE1 5 Bytes JMP 008F0065
.text C:\Windows\system32\services.exe[676] ADVAPI32.dll!RegOpenKeyExA 778CD4E8 5 Bytes JMP 008F001B
.text C:\Windows\system32\services.exe[676] ADVAPI32.dll!RegOpenKeyW 778D3CB0 5 Bytes JMP 008F0000
.text C:\Windows\system32\services.exe[676] ADVAPI32.dll!RegOpenKeyExW 778DF09D 5 Bytes JMP 008F0036
.text C:\Windows\system32\services.exe[676] msvcrt.dll!_wsystem 767C8A47 5 Bytes JMP 008A0FA8
.text C:\Windows\system32\services.exe[676] msvcrt.dll!system 767C8B63 5 Bytes JMP 008A003D
.text C:\Windows\system32\services.exe[676] msvcrt.dll!_creat 767CC6F1 5 Bytes JMP 008A0011
.text C:\Windows\system32\services.exe[676] msvcrt.dll!_open 767CDA7E 5 Bytes JMP 008A0FEF
.text C:\Windows\system32\services.exe[676] msvcrt.dll!_wcreat 767CDC9E 5 Bytes JMP 008A0022
.text C:\Windows\system32\services.exe[676] msvcrt.dll!_wopen 767CDE79 5 Bytes JMP 008A0000
.text C:\Windows\system32\services.exe[676] WS2_32.dll!socket 764B36D1 5 Bytes JMP 006F0000
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!GetStartupInfoW 77F01929 5 Bytes JMP 002D0F41
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!GetStartupInfoA 77F019C9 5 Bytes JMP 002D0F52
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!CreateProcessW 77F01C01 5 Bytes JMP 002D0F26
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!CreateProcessA 77F01C36 5 Bytes JMP 002D00BD
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!VirtualProtect 77F01DD1 5 Bytes JMP 002D0062
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!CreateNamedPipeW 77F05C44 5 Bytes JMP 002D0FC3
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!LoadLibraryExW 77F230C3 5 Bytes JMP 002D0F94
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!LoadLibraryW 77F2361F 5 Bytes JMP 002D0040
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!VirtualProtectEx 77F28D7E 5 Bytes JMP 002D0F63
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!LoadLibraryExA 77F29469 5 Bytes JMP 002D0051
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!LoadLibraryA 77F29491 5 Bytes JMP 002D002F
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!CreatePipe 77F30284 5 Bytes JMP 002D0073
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!GetProcAddress 77F4B8B6 5 Bytes JMP 002D0F15
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!CreateFileW 77F4CC4E 5 Bytes JMP 002D0FD4
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!CreateFileA 77F4CF71 5 Bytes JMP 002D0FEF
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!CreateNamedPipeA 77F9430E 5 Bytes JMP 002D0014
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!WinExec 77F954FF 5 Bytes JMP 002D0098
.text C:\Windows\system32\lsass.exe[708] ADVAPI32.dll!RegCreateKeyExA 778BB5E7 5 Bytes JMP 00090FA5
.text C:\Windows\system32\lsass.exe[708] ADVAPI32.dll!RegCreateKeyA 778BB8AE 5 Bytes JMP 00090047
.text C:\Windows\system32\lsass.exe[708] ADVAPI32.dll!RegOpenKeyA 778C0BF5 5 Bytes JMP 00090000
.text C:\Windows\system32\lsass.exe[708] ADVAPI32.dll!RegCreateKeyW 778CB83D 5 Bytes JMP 00090FC0
.text C:\Windows\system32\lsass.exe[708] ADVAPI32.dll!RegCreateKeyExW 778CBCE1 5 Bytes JMP 00090F94
.text C:\Windows\system32\lsass.exe[708] ADVAPI32.dll!RegOpenKeyExA 778CD4E8 5 Bytes JMP 00090022
.text C:\Windows\system32\lsass.exe[708] ADVAPI32.dll!RegOpenKeyW 778D3CB0 5 Bytes JMP 00090011
.text C:\Windows\system32\lsass.exe[708] ADVAPI32.dll!RegOpenKeyExW 778DF09D 5 Bytes JMP 00090FD1
.text C:\Windows\system32\lsass.exe[708] msvcrt.dll!_wsystem 767C8A47 3 Bytes JMP 00080055
.text C:\Windows\system32\lsass.exe[708] msvcrt.dll!_wsystem + 4 767C8A4B 1 Byte [89]
.text C:\Windows\system32\lsass.exe[708] msvcrt.dll!system 767C8B63 3 Bytes JMP 0008003A
.text C:\Windows\system32\svchost.exe[2492] ADVAPI32.dll!RegOpenKeyExW 778DF09D 5 Bytes JMP 00210FCD
.text C:\Windows\system32\svchost.exe[2492] WS2_32.dll!socket 764B36D1 5 Bytes JMP 001F0FEF
.text C:\Windows\system32\svchost.exe[3316] kernel32.dll!GetStartupInfoW 77F01929 5 Bytes JMP 007900D3
.text C:\Windows\system32\svchost.exe[3316] kernel32.dll!GetStartupInfoA 77F019C9 5 Bytes JMP 00790F83
.text C:\Windows\system32\svchost.exe[3316] kernel32.dll!CreateProcessW 77F01C01 5 Bytes JMP 00790113
.text C:\Windows\system32\svchost.exe[3316] kernel32.dll!CreateProcessA 77F01C36 5 Bytes JMP 00790F72
.text C:\Windows\system32\svchost.exe[3316] kernel32.dll!VirtualProtect 77F01DD1 5 Bytes JMP 00790078
.text C:\Windows\system32\svchost.exe[3316] kernel32.dll!CreateNamedPipeW 77F05C44 5 Bytes JMP 00790FD4
.text C:\Windows\system32\svchost.exe[3316] kernel32.dll!LoadLibraryExW 77F230C3 5 Bytes JMP 00790F9E
.text C:\Windows\system32\svchost.exe[3316] kernel32.dll!LoadLibraryW 77F2361F 5 Bytes JMP 00790040
.text C:\Windows\system32\svchost.exe[3316] kernel32.dll!VirtualProtectEx 77F28D7E 5 Bytes JMP 0079009D
.text C:\Windows\system32\svchost.exe[3316] kernel32.dll!LoadLibraryExA 77F29469 5 Bytes JMP 0079005B
.text C:\Windows\system32\svchost.exe[3316] kernel32.dll!LoadLibraryA 77F29491 5 Bytes JMP 00790FB9
.text C:\Windows\system32\svchost.exe[3316] kernel32.dll!CreatePipe 77F30284 5 Bytes JMP 007900AE
.text C:\Windows\system32\svchost.exe[3316] kernel32.dll!GetProcAddress 77F4B8B6 5 Bytes JMP 00790F61
.text C:\Windows\system32\svchost.exe[3316] kernel32.dll!CreateFileW 77F4CC4E 5 Bytes JMP 0079000A
.text C:\Windows\system32\svchost.exe[3316] kernel32.dll!CreateFileA 77F4CF71 5 Bytes JMP 00790FEF
.text C:\Windows\system32\svchost.exe[3316] kernel32.dll!CreateNamedPipeA 77F9430E 5 Bytes JMP 00790025
.text C:\Windows\system32\svchost.exe[3316] kernel32.dll!WinExec 77F954FF 5 Bytes JMP 007900EE
.text C:\Windows\system32\svchost.exe[3316] msvcrt.dll!_wsystem 767C8A47 5 Bytes JMP 00770055
.text C:\Windows\system32\svchost.exe[3316] msvcrt.dll!system 767C8B63 5 Bytes JMP 00770FCA
.text C:\Windows\system32\svchost.exe[3316] msvcrt.dll!_creat 767CC6F1 5 Bytes JMP 0077003A
.text C:\Windows\system32\svchost.exe[3316] msvcrt.dll!_open 767CDA7E 5 Bytes JMP 00770000
.text C:\Windows\system32\svchost.exe[3316] msvcrt.dll!_wcreat 767CDC9E 5 Bytes JMP 00770FE5
.text C:\Windows\system32\svchost.exe[3316] msvcrt.dll!_wopen 767CDE79 5 Bytes JMP 00770029
.text C:\Windows\system32\svchost.exe[3316] ADVAPI32.dll!RegCreateKeyExA 778BB5E7 5 Bytes JMP 00780F8D
.text C:\Windows\system32\svchost.exe[3316] ADVAPI32.dll!RegCreateKeyA 778BB8AE 5 Bytes JMP 00780FA8
.text C:\Windows\system32\svchost.exe[3316] ADVAPI32.dll!RegOpenKeyA 778C0BF5 5 Bytes JMP 00780FEF
.text C:\Windows\system32\svchost.exe[3316] ADVAPI32.dll!RegCreateKeyW 778CB83D 5 Bytes JMP 0078002F
.text C:\Windows\system32\svchost.exe[3316] ADVAPI32.dll!RegCreateKeyExW 778CBCE1 5 Bytes JMP 00780054
.text C:\Windows\system32\svchost.exe[3316] ADVAPI32.dll!RegOpenKeyExA 778CD4E8 5 Bytes JMP 00780FD4
.text C:\Windows\system32\svchost.exe[3316] ADVAPI32.dll!RegOpenKeyW 778D3CB0 5 Bytes JMP 00780000
.text C:\Windows\system32\svchost.exe[3316] ADVAPI32.dll!RegOpenKeyExW 778DF09D 5 Bytes JMP 00780FB9
.text C:\Windows\system32\svchost.exe[3316] WS2_32.dll!socket 764B36D1 5 Bytes JMP 0063000A
.text C:\Windows\System32\svchost.exe[3364] kernel32.dll!GetStartupInfoW 77F01929 5 Bytes JMP 00070F61
.text C:\Windows\System32\svchost.exe[3364] kernel32.dll!GetStartupInfoA 77F019C9 5 Bytes JMP 00070F72
.text C:\Windows\System32\svchost.exe[3364] kernel32.dll!CreateProcessW 77F01C01 5 Bytes JMP 000700C2
.text C:\Windows\System32\svchost.exe[3364] kernel32.dll!CreateProcessA 77F01C36 5 Bytes JMP 00070F2B
.text C:\Windows\System32\svchost.exe[3364] kernel32.dll!VirtualProtect 77F01DD1 5 Bytes JMP 00070FA8
.text C:\Windows\System32\svchost.exe[3364] kernel32.dll!CreateNamedPipeW 77F05C44 5 Bytes JMP 00070036
.text C:\Windows\System32\svchost.exe[3364] kernel32.dll!LoadLibraryExW 77F230C3 5 Bytes JMP 00070076
.text C:\Windows\System32\svchost.exe[3364] kernel32.dll!LoadLibraryW 77F2361F 5 Bytes JMP 00070FB9
.text C:\Windows\System32\svchost.exe[3364] kernel32.dll!VirtualProtectEx 77F28D7E 5 Bytes JMP 0007009D
.text C:\Windows\System32\svchost.exe[3364] kernel32.dll!LoadLibraryExA 77F29469 5 Bytes JMP 00070065
.text C:\Windows\System32\svchost.exe[3364] kernel32.dll!LoadLibraryA 77F29491 5 Bytes JMP 00070FCA
.text C:\Windows\System32\svchost.exe[3364] kernel32.dll!CreatePipe 77F30284 5 Bytes JMP 00070F83
.text C:\Windows\System32\svchost.exe[3364] kernel32.dll!GetProcAddress 77F4B8B6 5 Bytes JMP 00070F10
.text C:\Windows\System32\svchost.exe[3364] kernel32.dll!CreateFileW 77F4CC4E 5 Bytes JMP 00070000
.text C:\Windows\System32\svchost.exe[3364] kernel32.dll!CreateFileA 77F4CF71 5 Bytes JMP 00070FEF
.text C:\Windows\System32\svchost.exe[3364] kernel32.dll!CreateNamedPipeA 77F9430E 5 Bytes JMP 00070025
.text C:\Windows\System32\svchost.exe[3364] kernel32.dll!WinExec 77F954FF 5 Bytes JMP 00070F46
.text C:\Windows\System32\svchost.exe[3364] msvcrt.dll!_wsystem 767C8A47 5 Bytes JMP 00050FDB
.text C:\Windows\System32\svchost.exe[3364] msvcrt.dll!system 767C8B63 5 Bytes JMP 00050066
.text C:\Windows\System32\svchost.exe[3364] msvcrt.dll!_creat 767CC6F1 5 Bytes JMP 00050044
.text C:\Windows\System32\svchost.exe[3364] msvcrt.dll!_open 767CDA7E 5 Bytes JMP 00050000
.text C:\Windows\System32\svchost.exe[3364] msvcrt.dll!_wcreat 767CDC9E 5 Bytes JMP 00050055
.text C:\Windows\System32\svchost.exe[3364] msvcrt.dll!_wopen 767CDE79 5 Bytes JMP 0005001D
.text C:\Windows\System32\svchost.exe[3364] ADVAPI32.dll!RegCreateKeyExA 778BB5E7 5 Bytes JMP 00060051
.text C:\Windows\System32\svchost.exe[3364] ADVAPI32.dll!RegCreateKeyA 778BB8AE 5 Bytes JMP 00060025
.text C:\Windows\System32\svchost.exe[3364] ADVAPI32.dll!RegOpenKeyA 778C0BF5 5 Bytes JMP 00060FEF
.text C:\Windows\System32\svchost.exe[3364] ADVAPI32.dll!RegCreateKeyW 778CB83D 5 Bytes JMP 00060036
.text C:\Windows\System32\svchost.exe[3364] ADVAPI32.dll!RegCreateKeyExW 778CBCE1 5 Bytes JMP 0006006C
.text C:\Windows\System32\svchost.exe[3364] ADVAPI32.dll!RegOpenKeyExA 778CD4E8 5 Bytes JMP 00060FB9
.text C:\Windows\System32\svchost.exe[3364] ADVAPI32.dll!RegOpenKeyW 778D3CB0 5 Bytes JMP 00060FD4
.text C:\Windows\System32\svchost.exe[3364] ADVAPI32.dll!RegOpenKeyExW 778DF09D 5 Bytes JMP 0006000A
.text C:\Windows\system32\wuauclt.exe[5768] kernel32.dll!GetStartupInfoW 77F01929 5 Bytes JMP 00010F81
.text C:\Windows\system32\wuauclt.exe[5768] kernel32.dll!GetStartupInfoA 77F019C9 5 Bytes JMP 00010F92
.text C:\Windows\system32\wuauclt.exe[5768] kernel32.dll!CreateProcessW 77F01C01 5 Bytes JMP 00010F55
.text C:\Windows\system32\wuauclt.exe[5768] kernel32.dll!CreateProcessA 77F01C36 5 Bytes JMP 00010F66
.text C:\Windows\system32\wuauclt.exe[5768] kernel32.dll!VirtualProtect 77F01DD1 5 Bytes JMP 00010091
.text C:\Windows\system32\wuauclt.exe[5768] kernel32.dll!CreateNamedPipeW 77F05C44 5 Bytes JMP 00010036
.text C:\Windows\system32\wuauclt.exe[5768] kernel32.dll!LoadLibraryExW 77F230C3 5 Bytes JMP 00010076
.text C:\Windows\system32\wuauclt.exe[5768] kernel32.dll!LoadLibraryW 77F2361F 5 Bytes JMP 00010FC3
.text C:\Windows\system32\wuauclt.exe[5768] kernel32.dll!VirtualProtectEx 77F28D7E 5 Bytes JMP 000100AC
.text C:\Windows\system32\wuauclt.exe[5768] kernel32.dll!LoadLibraryExA 77F29469 5 Bytes JMP 00010065
.text C:\Windows\system32\wuauclt.exe[5768] kernel32.dll!LoadLibraryA 77F29491 5 Bytes JMP 00010FD4
.text C:\Windows\system32\wuauclt.exe[5768] kernel32.dll!CreatePipe 77F30284 5 Bytes JMP 000100BD
.text C:\Windows\system32\wuauclt.exe[5768] kernel32.dll!GetProcAddress 77F4B8B6 5 Bytes JMP 00010F44
.text C:\Windows\system32\wuauclt.exe[5768] kernel32.dll!CreateFileW 77F4CC4E 5 Bytes JMP 0001000A
.text C:\Windows\system32\wuauclt.exe[5768] kernel32.dll!CreateFileA 77F4CF71 5 Bytes JMP 00010FEF
.text C:\Windows\system32\wuauclt.exe[5768] kernel32.dll!CreateNamedPipeA 77F9430E 5 Bytes JMP 00010025
.text C:\Windows\system32\wuauclt.exe[5768] kernel32.dll!WinExec 77F954FF 5 Bytes JMP 000100E2
.text C:\Windows\system32\wuauclt.exe[5768] msvcrt.dll!_wsystem 767C8A47 5 Bytes JMP 00060053
.text C:\Windows\system32\wuauclt.exe[5768] msvcrt.dll!system 767C8B63 5 Bytes JMP 00060038
.text C:\Windows\system32\wuauclt.exe[5768] msvcrt.dll!_creat 767CC6F1 5 Bytes JMP 00060FD2
.text C:\Windows\system32\wuauclt.exe[5768] msvcrt.dll!_open 767CDA7E 5 Bytes JMP 00060FEF
.text C:\Windows\system32\wuauclt.exe[5768] msvcrt.dll!_wcreat 767CDC9E 5 Bytes JMP 0006001D
.text C:\Windows\system32\wuauclt.exe[5768] msvcrt.dll!_wopen 767CDE79 5 Bytes JMP 0006000C
.text C:\Windows\system32\wuauclt.exe[5768] ADVAPI32.dll!RegCreateKeyExA 778BB5E7 5 Bytes JMP 00070062
.text C:\Windows\system32\wuauclt.exe[5768] ADVAPI32.dll!RegCreateKeyA 778BB8AE 5 Bytes JMP 0007003D
.text C:\Windows\system32\wuauclt.exe[5768] ADVAPI32.dll!RegOpenKeyA 778C0BF5 5 Bytes JMP 00070000
.text C:\Windows\system32\wuauclt.exe[5768] ADVAPI32.dll!RegCreateKeyW 778CB83D 5 Bytes JMP 00070FB6
.text C:\Windows\system32\wuauclt.exe[5768] ADVAPI32.dll!RegCreateKeyExW 778CBCE1 5 Bytes JMP 00070FA5
.text C:\Windows\system32\wuauclt.exe[5768] ADVAPI32.dll!RegOpenKeyExA 778CD4E8 5 Bytes JMP 00070011
.text C:\Windows\system32\wuauclt.exe[5768] ADVAPI32.dll!RegOpenKeyW 778D3CB0 5 Bytes JMP 00070FDB
.text C:\Windows\system32\wuauclt.exe[5768] ADVAPI32.dll!RegOpenKeyExW 778DF09D 5 Bytes JMP 00070022

---- EOF - GMER 1.0.15 ----
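The GMER section above lists user-mode inline hooks: every listed export (process creation, library loading, registry, file, socket and VirtualProtect APIs) has its first 5 bytes patched with a JMP into a low address such as 0x0022xxxx, far from where kernel32.dll or ADVAPI32.dll actually sit (0x77Fxxxxx), and the same set recurs in every listed process. The parser below, which is an added example and not a tool from this thread or from GMER, turns such lines into a per-process summary so a responder can see at a glance which capabilities are hooked and how many patches jump out of the hooked module. The API category table and the 16 MiB "far jump" threshold are triage assumptions of this example, not GMER's own classification; the sample lines are copied from the log above.

```python
import re
from collections import defaultdict

# Constructed sample excerpt in the layout GMER 1.0.15 uses for user-mode
# inline hooks (values copied from the log posted in this thread).
SAMPLE_LOG = """\
.text C:\\Windows\\system32\\svchost.exe[2492] kernel32.dll!CreateProcessW 77F01C01 5 Bytes JMP 002200FA
.text C:\\Windows\\system32\\svchost.exe[2492] kernel32.dll!LoadLibraryW 77F2361F 5 Bytes JMP 00220FB9
.text C:\\Windows\\system32\\svchost.exe[2492] WS2_32.dll!socket 764B36D1 5 Bytes JMP 001F0FEF
.text C:\\Windows\\system32\\wuauclt.exe[5768] ADVAPI32.dll!RegOpenKeyExW 778DF09D 5 Bytes JMP 00070022
---- EOF - GMER 1.0.15 ----
"""

# One hook record: section, image[pid], module!export, address of the patched
# export, patch length in bytes, and the destination the patched JMP lands on.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<length>\d+)\s+Bytes\s+JMP\s+"
    r"(?P<target>[0-9A-Fa-f]{8})\s*$"
)

# Assumed grouping (this example's, not GMER's) of the exports seen in the log
# into the capability an injected hook on them would intercept.
API_CATEGORIES = {
    "process": {"CreateProcessA", "CreateProcessW", "WinExec", "system", "_wsystem"},
    "loader": {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
               "GetProcAddress"},
    "registry": {"RegCreateKeyA", "RegCreateKeyW", "RegCreateKeyExA", "RegCreateKeyExW",
                 "RegOpenKeyA", "RegOpenKeyW", "RegOpenKeyExA", "RegOpenKeyExW"},
    "file": {"CreateFileA", "CreateFileW", "_open", "_wopen", "_creat", "_wcreat",
             "CreatePipe", "CreateNamedPipeA", "CreateNamedPipeW"},
    "network": {"socket"},
    "memory": {"VirtualProtect", "VirtualProtectEx"},
}

# Assumed threshold: a JMP that lands more than 16 MiB from the patched export
# has left the module, which is the pattern worth triaging in the log above.
FAR_JUMP_THRESHOLD = 16 * 1024 * 1024


def parse_hooks(text):
    """Return one dict per hook line; non-hook lines (headers, EOF) are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["pid"] = int(rec["pid"])
        rec["length"] = int(rec["length"])
        rec["addr"] = int(rec["addr"], 16)
        rec["target"] = int(rec["target"], 16)
        rec["far_jump"] = abs(rec["target"] - rec["addr"]) > FAR_JUMP_THRESHOLD
        hooks.append(rec)
    return hooks


def categorize(func):
    """Map an export name to its assumed capability category."""
    for name, members in API_CATEGORIES.items():
        if func in members:
            return name
    return "other"


def summarize(hooks):
    """Group hooks by process: hooked exports, categories touched, far-jump count."""
    by_proc = defaultdict(list)
    for h in hooks:
        by_proc[(h["image"], h["pid"])].append(h)
    summary = {}
    for (image, pid), recs in sorted(by_proc.items()):
        summary[f"{image}[{pid}]"] = {
            "hooked": sorted(f'{r["module"]}!{r["func"]}' for r in recs),
            "categories": sorted({categorize(r["func"]) for r in recs}),
            "far_jumps": sum(1 for r in recs if r["far_jump"]),
        }
    return summary


if __name__ == "__main__":
    for proc, info in summarize(parse_hooks(SAMPLE_LOG)).items():
        print(f"{proc}: {info['far_jumps']} far jumps; {', '.join(info['categories'])}")
        for name in info["hooked"]:
            print("   ", name)
```

Run against the full log, the summary shows the same hook set in every svchost.exe instance and in wuauclt.exe, which points at one injected component hooking each process it enters rather than at separate problems per process; that is the observation that justifies the follow-up scans requested in the next reply rather than trusting a single quick scan.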


#7 mpascal

mpascal

    Math Nerd


  • Members
  • 1,653 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada
  • Local time:08:05 PM

Posted 13 March 2010 - 02:42 PM

Hi mat58,

STEP 1 - OTL Fix

Run OTL.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:
    CODE
    :OTL
    O33 - MountPoints2\{c9e81721-2928-11dd-abba-806e6f6e6963}\Shell - "" = AutoRun
    O33 - MountPoints2\{c9e81721-2928-11dd-abba-806e6f6e6963}\Shell\AutoRun\command - "" = E:\setup\setup.exe -- File not founds

    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top.
  • Let the program run unhindered, reboot the PC when it is done.
STEP 2 - MBAM

Open Malwarebyte's Anti-Malware.
  • Under the Updates tab, click Check for Updates. Let the updates install (if any).
  • After that, under the Scanner tab, click Perform Quick Scan and then Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

STEP 3 - Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.
3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.
  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply
STEP 4 - Reply

Please reply with the following logs:
  • MBAM Log
  • Kaspersky Log

Stay with your topic! Topics that go 4 days without a reply will be closed. PM me to reopen.

Please don't PM asking for support. Post on the forums instead.

My help is free, but if you wish to donate and help continue my fight against malware, click here.


#8 mat58

mat58
  • Topic Starter

  • Members
  • 235 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Mesa, AZ
  • Local time:06:05 PM

Posted 13 March 2010 - 10:25 PM

OK. Kaspersky's log is empty, so I'm assuming that the PC is clean.
Here is the MBAM log file:

Malwarebytes' Anti-Malware 1.44
Database version: 3864
Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18882

3/13/2010 1:16:42 PM
mbam-log-2010-03-13 (13-16-42).txt

Scan type: Quick Scan
Objects scanned: 105374
Time elapsed: 7 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Kaspersky ran for hours, no report, so as I said, I'm assuming no problems.
I'm thinking we are done, but let me know.
Thank you for all your help.



#9 mpascal

mpascal

    Math Nerd


  • Members
  • 1,653 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada
  • Local time:08:05 PM

Posted 14 March 2010 - 09:42 AM

Hi mat58,

Congratulations! Your system appears to be malware free once again!

We just have a couple of things to take care of, then you should be good to go.

STEP 1 - Clear Restore Points

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    CODE
    :Commands
    [CLEARALLRESTOREPOINTS]

  • Then click the Run Fix button at the top.
STEP 2 - Remove Tools

Run OTL
  • Click Clean Up in the upper right corner.
  • This will remove most if not all the tools we used while we were fixing your computer. Feel free to delete any others it leaves behind.
Now that you have a clean system, I would like to share with you some advice to help reduce the risk of future infection.

+++++++++++++++++++++++++++++++++++++++++++++++

I recommend that you install both of the following free programs if you haven't already, as they can greatly increase the security of your system. It is not essential that you have these programs installed, but they do a very good job at preventing infection if your system is scanned regularly.

+++++++++++++++++++++++++++++++++++++++++++++++

A good firewall is also useful for keeping a system infection free. You should only have ONE firewall installed on your computer - having more than one will not increase the security of your system. Here is a small list of some free firewalls

An antivirus program is also a program that should be installed on all computers. These will help reduce the risk that your computer gets infected by viruses or trojans in the future. Keep in mind that you only need ONE antivirus program installed on your computer. If you have more than one installed, they can often conflict and leave your system unprotected.

Having up to date Antivirus and Firewall software is vital to keeping a healthy, infection free system

+++++++++++++++++++++++++++++++++++++++++++++++

To find out more information on how your system got infected, or how to protect yourself on the internet in the future, this article by Tony Klein provides some great information.

Good luck and safe surfing!

-mpascal



#10 mat58

mat58
  • Topic Starter

  • Members
  • 235 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Mesa, AZ
  • Local time:06:05 PM

Posted 14 March 2010 - 01:11 PM

Thank you for all your help!

#11 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:02:05 AM

Posted 16 March 2010 - 12:17 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.
regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.



