Infected with Advanced Card Verification malware


This topic is locked
17 replies to this topic

#1 DAC95

DAC95

  • Members
  • 11 posts
  • OFFLINE
  • Local time:02:18 AM

Posted 12 March 2010 - 08:07 PM

The computer freezes up all the time. Sometimes the computer freezes and is followed by a blue screen, other times there is a loud continuous beep from the machine. We also get the "Advanced Card Verification" popup message asking for credit card information when we are at any online purchasing site, which is why we think we have this particular infection. Outlook stopped working and IE seems especially prone to freezing so we have switched to Firefox which freezes less frequently.

The hard drive on this computer is shared with six other workstations at our office. This infected computer also has several different users who log on. I, the administrator, seem to have the most problems with the freezing, although other users have seen it too, and they all get the credit card verification popup.

Thanks in advance for any advice you can offer.

DDS (Ver_09-12-01.01) - NTFSx86
Run by Dorothy at 13:37:46.37 on Fri 03/12/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2002.1220 [GMT -10:00]

AV: Total Protection for Small Business *On-access scanning enabled* (Updated) {8C354827-2F54-4E28-90DC-AD391E77808C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
c:\program files\punchclock server3\punchclock server.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe
C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\McAfee\Managed VirusScan\Agent\swAgent.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\vsnapvss.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\WINDOWS\hh.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\HtmlDlg.Exe
C:\Documents and Settings\Dorothy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com/ig?hl=en&gl=us
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
EB: MasterCook Bar: {c92041c1-6d22-4069-ba0e-66246aa752b0} - c:\windows\system32\shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MVS Splash] c:\program files\mcafee\managed virusscan\agent\Splash.exe
mRun: [McAfee Managed Services Tray] "c:\program files\mcafee\managed virusscan\agent\StartMyagtTry.exe"
mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /fl:on /fr:on /appData:on /tmcp:on
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {E6EF5071-7647-4E85-9785-87B6CF5CB561} - {C92041C1-6D22-4069-BA0E-66246AA752B0} - c:\windows\system32\shdocvw.dll
Trusted Zone: adp.com
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
DPF: {563DF2AD-1EB7-4C84-8DA8-52A0A134E30E} - hxxp://www.icantek.com/support/oem/activex/icsview.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190943449812
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195784528375
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {8AC2991B-CB8F-417D-BB9A-039D398F1E54} = 24.25.227.15,66.75.160.15
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: myrm - {4D034FC3-013F-4b95-B544-44D49ABE3E76} - c:\program files\mcafee\managed virusscan\agent\MyRmProt4.7.0.777.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 192.168.1.35 HP002264EDA4A6

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dorothy\applic~1\mozilla\firefox\profiles\z60xmsil.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 stcvsm;stcvsm;c:\windows\system32\drivers\stcvsm.sys [2009-2-12 144288]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-12-31 213768]
R1 sbmount;StorageCraft Image Mount Driver;c:\windows\system32\drivers\sbmount.sys [2009-2-12 95776]
R2 EngineServer;EngineServer;c:\program files\mcafee\managed virusscan\vscan\EngineServer.exe [2008-12-31 14144]
R2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\mcafee\managed virusscan\agent\myAgtSvc.exe [2008-12-31 175704]
R2 PunchClock Server;PunchClock Server;c:\program files\punchclock server3\PunchClock Server.exe [2007-10-29 3200416]
R2 ShadowProtectSvc;ShadowProtect Service;c:\program files\storagecraft\shadowprotect\ShadowProtectSvc.exe [2009-2-12 1255968]
R2 SWAGENT;SonicWALL Agent Service;c:\program files\mcafee\managed virusscan\agent\swAgent.exe [2008-12-31 103744]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2007-9-27 2554648]
R2 VSNAPVSS;StorageCraft Shadow Copy Provider;c:\windows\system32\vsnapvss.exe [2009-2-12 70176]
R3 McShield;McShield;c:\progra~1\mcafee\manage~1\vscan\McShield.exe [2008-12-31 144704]
R3 MfeAVFK;McAfee Inc. MfeAVFK;c:\windows\system32\drivers\MfeAVFK.sys [2008-12-31 79880]
R3 MfeBOPK;McAfee Inc. MfeBOPK;c:\windows\system32\drivers\MfeBOPK.sys [2008-12-31 35272]
R3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\MfeRKDK.sys [2008-12-31 34216]

=============== Created Last 30 ================

2010-03-11 00:37:41 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-02-26 18:11:18 0 d-----w- c:\docume~1\dorothy\applic~1\Office Genuine Advantage
2010-02-22 20:37:14 0 d-----w- c:\docume~1\dorothy\applic~1\Malwarebytes
2010-02-22 20:37:09 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-10-10 02:00:50 608 --sha-w- c:\windows\system32\winzvprt5.sys
2008-07-15 01:28:19 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008071420080715\index.dat

============= FINISH: 13:38:14.14 ===============


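The DDS "Pseudo HJT Report" above is a compact text format (`uRun:`/`mRun:` autostart values, `BHO:` entries, `DPF:` ActiveX downloads, `Trusted Zone:` domains, `Hosts:` mappings), and an analyst usually skims it for the same few things: an autostart value with no name or command, a Run entry launched from a user-writable folder, an IE trusted-zone entry, and a hosts-file line that does not point at loopback. The following is an added example, not code from this thread or from the DDS tool's author: a small Python triage pass over lines in that format. The sample lines are copied from the log posted above (including the defanged `hxxp` URLs DDS writes), and the severity rules and the list of user-writable path markers are my own heuristics, not something DDS defines.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Sample input in DDS "Pseudo HJT Report" format, copied from the log posted above.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.com/ig?hl=en&gl=us
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [<NO NAME>]
Trusted Zone: adp.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
Hosts: 127.0.0.1 localhost
Hosts: 192.168.1.35 HP002264EDA4A6
"""

RUN_RE = re.compile(r"^([um])Run: \[(.*?)\]\s*(.*)$")       # u = HKCU, m = HKLM
HOSTS_RE = re.compile(r"^Hosts: (\S+)\s+(\S+)")
DPF_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\}) - (\S+)")
TRUSTED_RE = re.compile(r"^Trusted Zone: (\S+)")
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
# Heuristic (assumption): autostarts launched from these locations deserve a second look.
USER_WRITABLE = ("\\docume~1\\", "\\documents and settings\\", "\\temp\\",
                 "\\application data\\", "\\applic~1\\")


@dataclass(frozen=True)
class Finding:
    severity: str   # "review": needs an analyst decision; "info": context worth recording
    category: str
    detail: str


def refang(url: str) -> str:
    """DDS writes hxxp/hxxps so log URLs are not clickable; undo that for reporting."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def unquote_path(command: str) -> str:
    """Return the executable path of a Run value, dropping quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ")[0]


def triage(log_text: str) -> list[Finding]:
    """Walk the report line by line and collect findings for the four checks above."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            scope, name, command = m.groups()
            hive = "HKCU" if scope == "u" else "HKLM"
            if name in ("", "<NO NAME>") or not command:
                # OTL reports the same value as "O4 - HKLM..\Run: [] File not found".
                findings.append(Finding("review", "autostart",
                                        f"{hive} Run value with no name or command: [{name}]"))
                continue
            path = unquote_path(command).lower()
            if any(marker in path for marker in USER_WRITABLE):
                findings.append(Finding("review", "autostart",
                                        f"{hive} Run [{name}] launches from a user-writable location: {path}"))
        elif m := HOSTS_RE.match(line):
            ip, host = m.groups()
            if ip not in LOOPBACK:
                findings.append(Finding("info", "hosts",
                                        f"{host} is pinned to {ip}; confirm it is an expected LAN device"))
        elif m := DPF_RE.match(line):
            clsid, url = m.groups()
            findings.append(Finding("info", "activex",
                                    f"{clsid} downloaded from {urlparse(refang(url)).hostname}"))
        elif m := TRUSTED_RE.match(line):
            findings.append(Finding("review", "trusted-zone",
                                    f"{m.group(1)} runs with reduced IE security; confirm it is intentional"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity so a long log can be skimmed at a glance."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.category}: {f.detail}")
```

Run against the sample, the pass flags the empty `mRun: [<NO NAME>]` value and the `adp.com` trusted-zone entry for review, and records the Java ActiveX download site and the non-loopback hosts mapping for context; the other lines produce nothing. The point is not that any of these is malicious (a payroll site in the trusted zone and a printer in the hosts file are ordinary for a small office) but that the format is regular enough to pull the review-worthy lines out of a long log mechanically.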

#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,248 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:03:18 PM

Posted 14 March 2010 - 01:35 PM

Hello,
And welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
In the meantime please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#3 DAC95

DAC95
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:02:18 AM

Posted 16 March 2010 - 09:34 PM

Hi Elise,
Thank you for helping me. It took me a while, but I finally managed to run those scans. Here are the results.
Thanks again,
Dorothy

**OTL.TXT**

OTL logfile created on: 3/15/2010 3:47:33 PM - Run 1
OTL by OldTimer - Version 3.1.37.1 Folder = C:\Documents and Settings\Dorothy\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 71.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 196.16 Gb Free Space | 84.23% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 232.88 Gb Total Space | 73.38 Gb Free Space | 31.51% Space Free | Partition Type: NTFS
Drive F: | 74.51 Gb Total Space | 52.80 Gb Free Space | 70.86% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BIZOFFICE-PC
Current User Name: Dorothy
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/03/15 12:53:49 | 000,555,008 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dorothy\Desktop\OTL.exe
PRC - [2009/09/14 11:50:54 | 000,103,744 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Managed VirusScan\Agent\swAgent.exe
PRC - [2009/09/14 11:50:12 | 000,251,200 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
PRC - [2009/09/14 11:46:04 | 000,175,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
PRC - [2009/04/24 09:05:42 | 000,972,064 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
PRC - [2009/04/23 12:49:56 | 000,020,480 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
PRC - [2009/03/03 12:23:00 | 000,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Managed VirusScan\VScan\McShield.exe
PRC - [2009/03/03 12:21:36 | 000,014,144 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
PRC - [2008/10/14 10:42:54 | 002,164,088 | ---- | M] (RealVNC Ltd.) -- C:\Program Files\RealVNC\VNC4\winvnc4.exe
PRC - [2008/09/26 15:05:44 | 001,255,968 | ---- | M] (StorageCraft Technology Corporation) -- C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe
PRC - [2008/09/26 15:05:24 | 000,070,176 | ---- | M] (StorageCraft Technology Corporation) -- C:\WINDOWS\system32\vsnapvss.exe
PRC - [2008/06/11 22:43:26 | 000,640,376 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/10 11:13:44 | 000,053,248 | ---- | M] (HP) -- C:\Program Files\HP\ToolboxFX\bin\HPTLBXFX.exe
PRC - [2007/10/29 18:04:26 | 003,200,416 | ---- | M] (Smart Software Development) -- c:\Program Files\PunchClock Server3\PunchClock Server.exe
PRC - [2007/06/27 18:18:05 | 002,554,648 | R--- | M] (Intel) -- C:\Program Files\Intel\AMT\UNS.exe
PRC - [2007/06/27 18:18:04 | 000,183,064 | R--- | M] (Intel Corporation) -- C:\Program Files\Intel\AMT\atchksrv.exe
PRC - [2007/06/27 18:18:03 | 000,109,336 | R--- | M] (Intel) -- C:\Program Files\Intel\AMT\LMS.exe


========== Modules (SafeList) ==========

MOD - [2010/03/15 12:53:49 | 000,555,008 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dorothy\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2010/02/10 12:18:17 | 000,651,720 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/09/14 11:50:54 | 000,103,744 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\Managed VirusScan\Agent\swAgent.exe -- (SWAGENT)
SRV - [2009/09/14 11:46:04 | 000,175,704 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe -- (myAgtSvc)
SRV - [2009/04/23 12:49:56 | 000,020,480 | ---- | M] (Intuit) [Auto | Running] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2009/03/03 12:23:00 | 000,144,704 | ---- | M] (McAfee, Inc.) [On_Demand | Running] -- C:\Program Files\McAfee\Managed VirusScan\VScan\McShield.exe -- (McShield)
SRV - [2009/03/03 12:21:36 | 000,014,144 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe -- (EngineServer)
SRV - [2008/10/14 10:42:54 | 002,164,088 | ---- | M] (RealVNC Ltd.) [Auto | Running] -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe -- (WinVNC4)
SRV - [2008/09/26 15:05:44 | 001,255,968 | ---- | M] (StorageCraft Technology Corporation) [Auto | Running] -- C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe -- (ShadowProtectSvc)
SRV - [2008/09/26 15:05:24 | 000,070,176 | ---- | M] (StorageCraft Technology Corporation) [Auto | Running] -- C:\WINDOWS\system32\vsnapvss.exe -- (VSNAPVSS)
SRV - [2007/10/29 18:04:26 | 003,200,416 | ---- | M] (Smart Software Development) [Auto | Running] -- c:\Program Files\PunchClock Server3\PunchClock Server.exe -- (PunchClock Server)
SRV - [2007/06/27 18:18:05 | 002,554,648 | R--- | M] (Intel) [Auto | Running] -- C:\Program Files\Intel\AMT\UNS.exe -- (UNS) Intel®
SRV - [2007/06/27 18:18:04 | 000,183,064 | R--- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\AMT\atchksrv.exe -- (atchksrv) Intel®
SRV - [2007/06/27 18:18:03 | 000,109,336 | R--- | M] (Intel) [Auto | Running] -- C:\Program Files\Intel\AMT\LMS.exe -- (LMS) Intel®
SRV - [2007/05/24 07:08:44 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)


========== Driver Services (SafeList) ==========

DRV - [2009/03/03 12:24:42 | 000,055,208 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdik.sys -- (mfetdik)
DRV - [2009/03/03 12:24:24 | 000,034,216 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MfeRKDK.sys -- (MfeRKDK)
DRV - [2009/03/03 12:23:54 | 000,213,768 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/03/03 12:23:36 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MfeBOPK.sys -- (MfeBOPK)
DRV - [2009/03/03 12:23:30 | 000,079,880 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MfeAVFK.sys -- (MfeAVFK)
DRV - [2008/10/14 01:03:46 | 000,004,608 | ---- | M] (RealVNC Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\vncmirror.sys -- (vncmirror)
DRV - [2008/09/26 15:05:28 | 000,144,288 | ---- | M] (StorageCraft Technology Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\stcvsm.sys -- (stcvsm)
DRV - [2008/09/26 15:05:28 | 000,095,776 | ---- | M] (StorageCraft Technology Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\sbmount.sys -- (sbmount)
DRV - [2008/04/14 00:15:14 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/14 00:06:40 | 000,020,352 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hidbatt.sys -- (HidBatt)
DRV - [2008/04/13 22:06:06 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/06/27 18:22:06 | 005,761,728 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2007/06/27 18:19:26 | 000,254,872 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express) Intel®
DRV - [2007/06/27 18:17:58 | 004,402,176 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007/05/11 19:00:14 | 000,045,056 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI) Intel®
DRV - [2001/08/17 12:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\el90xbc5.sys -- (EL90XBC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-382767589-996564175-1379327750-1016\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-382767589-996564175-1379327750-1016\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKU\S-1-5-21-382767589-996564175-1379327750-1016\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig?hl=en&gl=us
IE - HKU\S-1-5-21-382767589-996564175-1379327750-1016\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-382767589-996564175-1379327750-1016\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-382767589-996564175-1379327750-1016\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 46 7A 9F 74 9E 98 CA 01 [binary data]
IE - HKU\S-1-5-21-382767589-996564175-1379327750-1016\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/ig"

FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/12 08:43:33 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/03/12 08:43:33 | 000,000,000 | ---D | M]

[2008/12/31 14:22:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dorothy\Application Data\Mozilla\Extensions
[2010/03/15 12:16:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dorothy\Application Data\Mozilla\Firefox\Profiles\z60xmsil.default\extensions
[2010/01/29 08:56:20 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Dorothy\Application Data\Mozilla\Firefox\Profiles\z60xmsil.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2008/12/31 14:22:52 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2009/07/06 09:23:23 | 000,000,816 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 iDBO.pdc.local # LMS GENERATED LINE
O1 - Hosts: 192.168.1.35 HP002264EDA4A6
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-382767589-996564175-1379327750-1016\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Acrobat Speed Launcher] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [McAfee Managed Services Tray] C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe (McAfee, Inc.)
O4 - HKLM..\Run: [MVS Splash] C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe (McAfee, Inc.)
O4 - HKLM..\Run: [ToolBoxFX] C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe (HP)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-382767589-996564175-1379327750-1016\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O15 - HKU\.DEFAULT\..Trusted Domains: adp.com ([]https in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: adp.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-382767589-996564175-1379327750-1016\..Trusted Domains: adp.com ([]https in Trusted sites)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab (QuickTime Plugin Control)
O16 - DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} http://h50203.www5.hp.com/HPISWeb/Customer...SWebManager.CAB (Hewlett-Packard Printer Diagnostics)
O16 - DPF: {563DF2AD-1EB7-4C84-8DA8-52A0A134E30E} http://www.icantek.com/support/oem/activex/icsview.cab (IcsView Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1190943449812 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1195784528375 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\intu-help-qb1 {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll (TODO: <Company name>)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\myrm {4D034FC3-013F-4b95-B544-44D49ABE3E76} - C:\Program Files\McAfee\Managed VirusScan\Agent\MyRmProt4.7.0.777.dll (McAfee, Inc.)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop Components:0 () - file:///C:/DOCUME~1/Dorothy/LOCALS~1/Temp/msohtmlclip1/01/clip_image001.jpg
O24 - Desktop Components:1 () - file:///C:/DOCUME~1/Dorothy/LOCALS~1/Temp/msohtmlclip1/01/clip_image002.jpg
O24 - Desktop Components:2 (My Current Home Page) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\Dorothy\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Dorothy\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/09/27 15:04:13 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/03/15 12:53:49 | 000,555,008 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Dorothy\Desktop\OTL.exe
[2010/03/15 12:29:09 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2010/03/12 08:48:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dorothy\My Documents\Downloads
[2010/03/10 14:37:41 | 003,558,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\moviemk.exe
[2010/02/26 08:11:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2010/02/26 08:11:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dorothy\Application Data\Office Genuine Advantage
[2010/02/26 08:10:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-TW
[2010/02/26 08:10:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-HK
[2010/02/26 08:10:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\tr-TR
[2010/02/26 08:10:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\sv-SE
[2010/02/26 08:10:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\pt-BR
[2010/02/26 08:10:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\nl-NL
[2010/02/26 08:10:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\nb-NO
[2010/02/26 08:10:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ko-KR
[2010/02/26 08:10:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\it-IT
[2010/02/26 08:10:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\he-IL
[2010/02/26 08:10:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\fr-FR
[2010/02/26 08:10:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\fi-FI
[2010/02/26 08:10:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\es-ES
[2010/02/26 08:10:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\el-GR
[2010/02/26 08:10:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\de-DE
[2010/02/26 08:10:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\da-DK
[2010/02/26 08:10:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ar-SA
[2010/02/22 10:37:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dorothy\Application Data\Malwarebytes
[2010/02/22 10:37:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/11/21 03:04:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/01/29 10:03:34 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/01/22 17:39:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Intuit
[2008/07/14 15:28:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2007/09/27 15:04:10 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/03/15 15:40:30 | 000,000,426 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{D1CCFE5E-707C-482D-A124-47106FE3C3D1}.job
[2010/03/15 12:53:49 | 000,555,008 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dorothy\Desktop\OTL.exe
[2010/03/15 12:47:29 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/15 12:46:54 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/15 12:46:53 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/15 11:36:40 | 004,194,304 | -H-- | M] () -- C:\Documents and Settings\Dorothy\NTUSER.DAT
[2010/03/15 11:35:57 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Dorothy\ntuser.ini
[2010/03/12 09:59:39 | 000,524,288 | ---- | M] () -- C:\Documents and Settings\Dorothy\Desktop\dds.scr
[2010/03/12 09:17:19 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/03/12 09:16:04 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\Dorothy\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/03/10 08:32:51 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/03/08 10:58:29 | 000,039,858 | ---- | M] () -- C:\Documents and Settings\Dorothy\My Documents\030910.docx
[2010/02/26 08:23:42 | 000,035,840 | ---- | M] () -- C:\Documents and Settings\Dorothy\Desktop\WorkToDoList.xls
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/03/12 09:59:38 | 000,524,288 | ---- | C] () -- C:\Documents and Settings\Dorothy\Desktop\dds.scr
[2010/03/08 10:47:37 | 000,039,858 | ---- | C] () -- C:\Documents and Settings\Dorothy\My Documents\030910.docx
[2010/01/13 03:04:29 | 000,189,240 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/10/09 16:00:50 | 000,000,608 | -HS- | C] () -- C:\WINDOWS\System32\winzvprt5.sys
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/07/06 09:22:58 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2009/07/06 09:22:33 | 000,000,756 | ---- | C] () -- C:\WINDOWS\hpntwksetup.ini
[2009/07/06 09:17:56 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2009/01/21 15:04:22 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/01/21 15:00:43 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\Dorothy\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/01/11 10:47:16 | 000,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini
[2008/12/31 12:37:29 | 000,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2008/12/31 12:37:29 | 000,000,059 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2008/12/31 12:27:24 | 000,000,131 | ---- | C] () -- C:\WINDOWS\System32\AddPort.ini
[2008/12/31 12:26:45 | 000,001,782 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2008/01/14 17:47:06 | 000,099,712 | ---- | C] () -- C:\WINDOWS\HPBroker.dll
[2007/09/28 08:43:14 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2007/09/27 16:54:53 | 000,000,838 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.ini
[2007/09/27 15:15:56 | 000,204,800 | R--- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4837.dll
[2007/03/16 17:00:00 | 000,003,403 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[2001/11/08 16:31:16 | 000,229,376 | ---- | C] () -- C:\WINDOWS\System32\UIEScrty.dll
[1995/02/15 00:11:00 | 000,017,920 | ---- | C] () -- C:\WINDOWS\System32\implode.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 196 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BEC0D766
< End of report >

**EXTRAS.TXT**

OTL Extras logfile created on: 3/15/2010 3:47:33 PM - Run 1
OTL by OldTimer - Version 3.1.37.1 Folder = C:\Documents and Settings\Dorothy\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 71.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 196.16 Gb Free Space | 84.23% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 232.88 Gb Total Space | 73.38 Gb Free Space | 31.51% Space Free | Partition Type: NTFS
Drive F: | 74.51 Gb Total Space | 52.80 Gb Free Space | 70.86% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BIZOFFICE-PC
Current User Name: Dorothy
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-382767589-996564175-1379327750-1016\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Scan Now] -- C:\PROGRA~1\McAfee\MANAGE~1\Agent\HtmlDlg.exe -Url="myui://ScanNow.htm" -ResDll="myScnUi.Eng" -Param="ScanObject,VT_BSTR,%1" (McAfee, Inc.)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"3425:TCP" = 3425:TCP:*:Enabled:Services
"3246:TCP" = 3246:TCP:*:Enabled:Services

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5900:TCP" = 5900:TCP:*:Enabled:vnc
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"59152:UDP" = 59152:UDP:*:Enabled:SonicWALL Anti-Virus Compliance Port 59152
"59153:UDP" = 59153:UDP:*:Enabled:SonicWALL Anti-Virus Compliance Port 59153
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"3425:TCP" = 3425:TCP:*:Enabled:Services
"3246:TCP" = 3246:TCP:*:Enabled:Services

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe" = C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe:*:Enabled:Managed Services Agent -- (McAfee, Inc.)
"C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe" = C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe:*:Enabled:QuickBooks 2008 Data Manager -- (iAnywhere Solutions, Inc.)
"D:\setup\HPZNET01.EXE" = D:\setup\HPZNET01.EXE:*:Enabled:hpznet01.exe -- File not found
"D:\setup\HPONICIFS01.EXE" = D:\setup\HPONICIFS01.EXE:*:Enabled:hponicifs01.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe -- ( )
"C:\Program Files\HP\hp laserjet m2727\hppfaxnc0.exe" = C:\Program Files\HP\hp laserjet m2727\hppfaxnc0.exe:*:Enabled:HP Networked Printer Installer -- (Hewlett-Packard Co.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0A55CDBB-0566-4AA2-A15B-24C7F27C6FF4}" = BPD_Scan
"{138BD312-3557-40F8-BC5E-6DFF00A6880D}" = BPDSoftware_Ini
"{17E81C48-407E-499f-A105-1B49ACDB9BA4}" = ProductContext
"{2376813B-2E5A-4641-B7B3-A0D5ADB55229}" = HPPhotoSmartExpress
"{29FA38B4-0AE4-4D0D-8A51-6165BB990BB0}" = WebReg
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{360EC8D3-AA2E-42B4-AC52-FFA9A1C1C1E9}" = hppLJM2727
"{363790D2-DA98-41DD-9C9F-69FA36B169DE}" = PanoStandAlone
"{3A915D43-FD4F-4e4f-BEF7-B75C160B0236}" = HP LaserJet M2727 MFP Series 5.0
"{41B52574-B88C-4874-A63F-4BBFEC15ADC3}" = hpzTLBXFX
"{436C5CA6-8989-44E5-8685-873BFFDE51C5}" = hppFaxUtility
"{450D8966-293B-4801-B629-1F9984F8C690}" = hppTLBXFXM2727
"{45B8A76B-57EC-4242-B019-066400CD8428}" = BufferChm
"{487B0B9B-DCD4-440D-89A0-A6EDE1A545A3}" = HPSSupply
"{4AE80E7B-6633-4046-9C15-D3B281C4F73D}" = BPDSoftware
"{4EA684E9-5C81-4033-A696-3019EC57AC3A}" = HPProductAssistant
"{56658AB0-483F-4CFB-9DA2-8A81AE13E7D0}" = ShadowProtect Desktop
"{5672A10E-1B21-4C2F-85D3-3542D0BC8246}" = hppscanM2727
"{5A3F6A80-7913-475E-8B96-477A952CFA43}" = SupportSoft Assisted Service
"{5BFE01FF-189F-4b75-8FA8-9B7CD7F9C529}" = L7500
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6909F917-5499-482e-9AA1-FAD06A99F231}" = Toolbox
"{6DE9751D-3FFE-400E-8761-26A92DB734DE}" = BPD_HPSU
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7348BB49-4C22-40F1-AF63-33D4C24A831A}" = hppFaxDrvM2727
"{7729A02E-D1AD-4830-8FC5-11853500D90D}" = HP Officejet Pro All-In-One Series
"{777CA40C-0206-4EF6-A0FC-618BF06BF8D0}" = Intel® PRO Network Connections 12.1.12.0
"{8331C3EA-0C91-43AA-A4D4-27221C631139}" = Status
"{8850DEC8-22FD-4F05-A3AA-49B91200C24F}" = ShadowProtect Desktop
"{88692886-BA60-4D18-BB76-F2488444B38C}" = hppSendFax
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8C045626-4496-4238-B3B8-394CC6D46427}" = 7500_7600_7700_Help
"{8C6027FD-53DC-446D-BB75-CACD7028A134}" = HP Update
"{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}" = Unload
"{8ECB8220-F422-4BEB-9596-97033C533702}" = QuickBooks Pro 2008
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROHYBRIDR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROHYBRIDR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROHYBRIDR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROHYBRIDR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00B2-0409-0000-0000000FF1CE}" = Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROHYBRIDR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0031-0000-0000-0000000FF1CE}" = Microsoft Office Professional Hybrid 2007
"{91120000-0031-0000-0000-0000000FF1CE}_PROHYBRIDR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0031-0000-0000-0000000FF1CE}_PROHYBRIDR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{93F54611-2701-454e-94AB-623F458D9E6B}" = DeviceDiscovery
"{99B366B0-76B6-4DBA-95A3-A730015A7D01}" = MasterCook Deluxe 9
"{9DE3F260-B88E-42CE-90E7-73C78C37D95E}" = 32 Bit HP BiDi Channel Components Installer
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-1033-0000-7760-000000000004}" = Adobe Acrobat 9 Pro
"{AC76BA86-1033-0000-7760-000000000004}{AC76BA86-1033-0000-7760-000000000004}" = Adobe Acrobat 9 Pro
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{B00690AD-B4F5-4730-9110-5C495B89E647}" = Scan
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BE66348A-E83F-4982-941F-DFF2F742B851}" = Microsoft Office Live Meeting 2007
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C7F54CF8-D6FB-4E0A-93A3-E68AE0D6C476}" = SolutionCenter
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE24344F-DFD8-40C8-8FD8-C9740B5F25AC}" = BPDfax
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0E39A1D-0CEE-4D85-B4A2-E3BE990D075E}" = Destination Component
"{D8AC1EB5-E8B0-44A0-B113-899407188A2F}" = hppFonts
"{DBC20735-34E6-4E97-A9E5-2066B66B243D}" = TrayApp
"{E0FA171C-0CB6-48CE-85A9-178D17398665}" = hppManualsM2727
"{EE16C679-262E-4A1D-A0C2-ED6A74697D39}" = hppScanTo
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F157460F-720E-482f-8625-AD7843891E5F}" = InstantShareDevicesMFC
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"CCleaner" = CCleaner (remove only)
"CentraClient" = Centra Client
"CutePDF Writer Installation" = CutePDF Writer 2.7
"HDMI" = Intel® Graphics Media Accelerator Driver
"HECI" = Intel® Management Engine Interface
"HP Imaging Device Functions" = HP Imaging Device Functions 7.0
"HP Solution Center & Imaging Support Tools" = HP Solution Center 7.0
"Icsview Control" = Icsview Control
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{99B366B0-76B6-4DBA-95A3-A730015A7D01}" = MasterCook Deluxe 9
"IrfanView" = IrfanView (remove only)
"MESOL" = Intel® Active Management Technology Device Software
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6)" = Mozilla Firefox (3.6)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MVS" = McAfee Virus and Spyware Protection Service
"NeroMultiInstaller!UninstallKey" = Nero Suite
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Pdf995" = Pdf995
"PROHYBRIDR" = 2007 Microsoft Office system
"PunchClock Server3.11" = PunchClock Server
"RealVNC_is1" = VNC Enterprise Edition E4.4.3
"Time Bank ID0000018405" = Time Bank - HALE KUIKE LLC
"VNCMirror_is1" = VNC Mirror Driver 1.8.0
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinZip" = WinZip
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/15/2010 5:51:09 PM | Computer Name = BIZOFFICE-PC | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 3/15/2010 5:51:09 PM | Computer Name = BIZOFFICE-PC | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 3/15/2010 6:47:01 PM | Computer Name = BIZOFFICE-PC | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 3/15/2010 6:47:01 PM | Computer Name = BIZOFFICE-PC | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 3/15/2010 6:47:01 PM | Computer Name = BIZOFFICE-PC | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 3/15/2010 6:47:01 PM | Computer Name = BIZOFFICE-PC | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 3/15/2010 6:47:19 PM | Computer Name = BIZOFFICE-PC | Source = Intel® AMT | ID = 2002
Description = [UNS] Failed to subscribe to local Intel® AMT.

Error - 3/15/2010 8:26:01 PM | Computer Name = BIZOFFICE-PC | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 3/15/2010 8:26:01 PM | Computer Name = BIZOFFICE-PC | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 3/15/2010 8:26:01 PM | Computer Name = BIZOFFICE-PC | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

[ OSession Events ]
Error - 1/26/2009 10:50:47 PM | Computer Name = BIZOFFICE-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6331.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 496
seconds with 480 seconds of active time. This session ended with a crash.

Error - 7/6/2009 4:58:47 PM | Computer Name = BIZOFFICE-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6316.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 145
seconds with 120 seconds of active time. This session ended with a crash.

Error - 9/4/2009 2:58:03 PM | Computer Name = BIZOFFICE-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6331.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 177
seconds with 120 seconds of active time. This session ended with a crash.

Error - 11/4/2009 3:47:16 PM | Computer Name = BIZOFFICE-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6331.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 688
seconds with 120 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 3/10/2010 7:29:52 PM | Computer Name = BIZOFFICE-PC | Source = DCOM | ID = 10010
Description = The server {44DC57FF-2F13-4FAD-8E19-D38EDFCE9F35} did not register
with DCOM within the required timeout.

Error - 3/10/2010 10:11:33 PM | Computer Name = BIZOFFICE-PC | Source = Print | ID = 6161
Description = The document GuidetoPreparingEeHdbk_2009Oct.pdf owned by Dorothy failed
to print on printer HP LaserJet M2727 MFP Series PCL 6. Data type: NT EMF 1.008.
Size of the spool file in bytes: 36641284. Number of bytes printed: 65560. Total
number of pages in the document: 189. Number of pages printed: 0. Client machine:
\\BIZOFFICE-PC. Win32 error code returned by the print processor: 259 (0x103).

Error - 3/11/2010 11:28:19 AM | Computer Name = BIZOFFICE-PC | Source = TermDD | ID = 655410
Description = The RDP protocol component X.224 detected an error in the protocol
stream and has disconnected the client.

Error - 3/13/2010 3:00:04 AM | Computer Name = BIZOFFICE-PC | Source = Service Control Manager | ID = 7031
Description = The COM+ System Application service terminated unexpectedly. It has
done this 1 time(s). The following corrective action will be taken in 1000 milliseconds:
Restart the service.

Error - 3/13/2010 3:00:04 AM | Computer Name = BIZOFFICE-PC | Source = Service Control Manager | ID = 7034
Description = The MS Software Shadow Copy Provider service terminated unexpectedly.
It has done this 1 time(s).

Error - 3/13/2010 3:00:04 AM | Computer Name = BIZOFFICE-PC | Source = Service Control Manager | ID = 7031
Description = The COM+ System Application service terminated unexpectedly. It has
done this 2 time(s). The following corrective action will be taken in 5000 milliseconds:
Restart the service.

Error - 3/13/2010 3:00:04 AM | Computer Name = BIZOFFICE-PC | Source = Service Control Manager | ID = 7034
Description = The MS Software Shadow Copy Provider service terminated unexpectedly.
It has done this 2 time(s).

Error - 3/13/2010 3:00:05 AM | Computer Name = BIZOFFICE-PC | Source = Service Control Manager | ID = 7034
Description = The COM+ System Application service terminated unexpectedly. It has
done this 3 time(s).

Error - 3/13/2010 3:00:11 AM | Computer Name = BIZOFFICE-PC | Source = Service Control Manager | ID = 7034
Description = The COM+ System Application service terminated unexpectedly. It has
done this 4 time(s).

Error - 3/13/2010 9:30:10 AM | Computer Name = BIZOFFICE-PC | Source = TermDD | ID = 655410
Description = The RDP protocol component X.224 detected an error in the protocol
stream and has disconnected the client.


< End of report >


**GMER.LOG**

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-16 16:19:08
Windows 5.1.2600 Service Pack 3
Running: rm65o23v.exe; Driver: C:\DOCUME~1\Dorothy\LOCALS~1\Temp\kxtoyuog.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA88034BA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA8803468]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA880347C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA88034FA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA8803440]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA8803454]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA88034CE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA88034A6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA8803492]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA8803529]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA8803510]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA88034E4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AF4 7 Bytes JMP A88034E8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP A88034BE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2004 7 Bytes JMP A88034FE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E12 5 Bytes JMP A8803514 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E8 7 Bytes JMP A88034D2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB40A 5 Bytes JMP A8803444 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB696 5 Bytes JMP A8803458 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE54 5 Bytes JMP A8803496 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1144 7 Bytes JMP A8803480 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11FA 5 Bytes JMP A880346C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1704 5 Bytes JMP A88034AA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AC 5 Bytes JMP A880352D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[208] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00740000
.text C:\WINDOWS\System32\svchost.exe[208] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00740087
.text C:\WINDOWS\System32\svchost.exe[208] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00740076
.text C:\WINDOWS\System32\svchost.exe[208] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00740F9C
.text C:\WINDOWS\System32\svchost.exe[208] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00740FB9
.text C:\WINDOWS\System32\svchost.exe[208] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00740040
.text C:\WINDOWS\System32\svchost.exe[208] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007400B5
.text C:\WINDOWS\System32\svchost.exe[208] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00740F6D
.text C:\WINDOWS\System32\svchost.exe[208] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007400FC
.text C:\WINDOWS\System32\svchost.exe[208] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007400E1
.text C:\WINDOWS\System32\svchost.exe[208] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00740117
.text C:\WINDOWS\System32\svchost.exe[208] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0074005B
.text C:\WINDOWS\System32\svchost.exe[208] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00740FE5
.text C:\WINDOWS\System32\svchost.exe[208] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00740098
.text C:\WINDOWS\System32\svchost.exe[208] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00740025
.text C:\WINDOWS\System32\svchost.exe[208] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00740FD4
.text C:\WINDOWS\System32\svchost.exe[208] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007400C6
.text C:\WINDOWS\System32\svchost.exe[208] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00730014
.text C:\WINDOWS\System32\svchost.exe[208] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0073006F
.text C:\WINDOWS\System32\svchost.exe[208] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00730FB9
.text C:\WINDOWS\System32\svchost.exe[208] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00730FD4
.text C:\WINDOWS\System32\svchost.exe[208] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00730054
.text C:\WINDOWS\System32\svchost.exe[208] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00730FE5
.text C:\WINDOWS\System32\svchost.exe[208] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00730FA8
.text C:\WINDOWS\System32\svchost.exe[208] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [93, 88]
.text C:\WINDOWS\System32\svchost.exe[208] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00730025
.text C:\WINDOWS\System32\svchost.exe[208] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00720031
.text C:\WINDOWS\System32\svchost.exe[208] msvcrt.dll!system 77C293C7 5 Bytes JMP 0072000C
.text C:\WINDOWS\System32\svchost.exe[208] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00720FB7
.text C:\WINDOWS\System32\svchost.exe[208] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00720FE3
.text C:\WINDOWS\System32\svchost.exe[208] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00720F9C
.text C:\WINDOWS\System32\svchost.exe[208] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00720FD2
.text C:\WINDOWS\System32\svchost.exe[208] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00710FEF
.text C:\WINDOWS\System32\svchost.exe[260] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A90000
.text C:\WINDOWS\System32\svchost.exe[260] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A90F99
.text C:\WINDOWS\System32\svchost.exe[260] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A90084
.text C:\WINDOWS\System32\svchost.exe[260] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A90FAA
.text C:\WINDOWS\System32\svchost.exe[260] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A90069
.text C:\WINDOWS\System32\svchost.exe[260] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A90047
.text C:\WINDOWS\System32\svchost.exe[260] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A900D5
.text C:\WINDOWS\System32\svchost.exe[260] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A900C4
.text C:\WINDOWS\System32\svchost.exe[260] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A90112
.text C:\WINDOWS\System32\svchost.exe[260] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A900F7
.text C:\WINDOWS\System32\svchost.exe[260] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A90123
.text C:\WINDOWS\System32\svchost.exe[260] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A90058
.text C:\WINDOWS\System32\svchost.exe[260] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A9001B
.text C:\WINDOWS\System32\svchost.exe[260] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A900B3
.text C:\WINDOWS\System32\svchost.exe[260] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A9002C
.text C:\WINDOWS\System32\svchost.exe[260] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A90FE5
.text C:\WINDOWS\System32\svchost.exe[260] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A900E6
.text C:\WINDOWS\System32\svchost.exe[260] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A80FCA
.text C:\WINDOWS\System32\svchost.exe[260] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A80062
.text C:\WINDOWS\System32\svchost.exe[260] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A80025
.text C:\WINDOWS\System32\svchost.exe[260] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A80FE5
.text C:\WINDOWS\System32\svchost.exe[260] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A80051
.text C:\WINDOWS\System32\svchost.exe[260] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A80000
.text C:\WINDOWS\System32\svchost.exe[260] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00A80040
.text C:\WINDOWS\System32\svchost.exe[260] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A80FAF
.text C:\WINDOWS\System32\svchost.exe[260] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A70F97
.text C:\WINDOWS\System32\svchost.exe[260] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A70FA8
.text C:\WINDOWS\System32\svchost.exe[260] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A70FCD
.text C:\WINDOWS\System32\svchost.exe[260] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A70FEF
.text C:\WINDOWS\System32\svchost.exe[260] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A70022
.text C:\WINDOWS\System32\svchost.exe[260] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A70FDE
.text C:\WINDOWS\System32\svchost.exe[260] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A60FEF
.text C:\WINDOWS\System32\svchost.exe[260] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00A50FEF
.text C:\WINDOWS\System32\svchost.exe[260] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00A50FD4
.text C:\WINDOWS\System32\svchost.exe[260] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00A5000A
.text C:\WINDOWS\System32\svchost.exe[260] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00A5002F
.text c:\program files\punchclock server3\punchclock server.exe[284] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 02442862
.text c:\program files\punchclock server3\punchclock server.exe[284] WS2_32.dll!send 71AB4C27 5 Bytes JMP 024426EE
.text c:\program files\punchclock server3\punchclock server.exe[284] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 024427E0
.text c:\program files\punchclock server3\punchclock server.exe[284] WS2_32.dll!recv 71AB676F 5 Bytes JMP 02442726
.text c:\program files\punchclock server3\punchclock server.exe[284] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0244275E
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe[504] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00F32862
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe[504] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00F326EE
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe[504] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00F327E0
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe[504] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00F32726
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe[504] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00F3275E
.text C:\WINDOWS\system32\services.exe[932] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0005000A
.text C:\WINDOWS\system32\services.exe[932] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00050F72
.text C:\WINDOWS\system32\services.exe[932] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00050071
.text C:\WINDOWS\system32\services.exe[932] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00050F97
.text C:\WINDOWS\system32\services.exe[932] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00050054
.text C:\WINDOWS\system32\services.exe[932] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00050FC3
.text C:\WINDOWS\system32\services.exe[932] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00050F3A
.text C:\WINDOWS\system32\services.exe[932] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00050082
.text C:\WINDOWS\system32\services.exe[932] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00050F29
.text C:\WINDOWS\system32\services.exe[932] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 000500C2
.text C:\WINDOWS\system32\services.exe[932] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 000500DD
.text C:\WINDOWS\system32\services.exe[932] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00050FA8
.text C:\WINDOWS\system32\services.exe[932] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00050FE5
.text C:\WINDOWS\system32\services.exe[932] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00050F57
.text C:\WINDOWS\system32\services.exe[932] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00050FD4
.text C:\WINDOWS\system32\services.exe[932] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0005001B
.text C:\WINDOWS\system32\services.exe[932] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 000500A7
.text C:\WINDOWS\system32\services.exe[932] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03240FB9
.text C:\WINDOWS\system32\services.exe[932] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03240F7C
.text C:\WINDOWS\system32\services.exe[932] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 03240FD4
.text C:\WINDOWS\system32\services.exe[932] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 03240FE5
.text C:\WINDOWS\system32\services.exe[932] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 03240F8D
.text C:\WINDOWS\system32\services.exe[932] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 03240000
.text C:\WINDOWS\system32\services.exe[932] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0324002F
.text C:\WINDOWS\system32\services.exe[932] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 03240FA8
.text C:\WINDOWS\system32\services.exe[932] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 03230049
.text C:\WINDOWS\system32\services.exe[932] msvcrt.dll!system 77C293C7 5 Bytes JMP 03230038
.text C:\WINDOWS\system32\services.exe[932] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0323001D
.text C:\WINDOWS\system32\services.exe[932] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03230000
.text C:\WINDOWS\system32\services.exe[932] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 03230FC8
.text C:\WINDOWS\system32\services.exe[932] msvcrt.dll!_wopen 77C30055 3 Bytes JMP 03230FE3
.text C:\WINDOWS\system32\services.exe[932] msvcrt.dll!_wopen + 4 77C30059 1 Byte [8B]
.text C:\WINDOWS\system32\services.exe[932] WS2_32.dll!socket 71AB4211 5 Bytes JMP 03020FEF
.text C:\WINDOWS\system32\services.exe[932] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 03010FE5
.text C:\WINDOWS\system32\services.exe[932] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 03010FD4
.text C:\WINDOWS\system32\services.exe[932] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 03010FC3
.text C:\WINDOWS\system32\services.exe[932] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 0301001E
.text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00040F66
.text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0004005B
.text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00040F81
.text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0004004A
.text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00040FB9
.text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00040091
.text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00040080
.text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00040F1D
.text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00040F2E
.text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 000400DB
.text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00040F9E
.text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00040FDE
.text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00040F55
.text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00040025
.text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00040014
.text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 000400A2
.text C:\WINDOWS\system32\lsass.exe[944] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00070FD1
.text C:\WINDOWS\system32\lsass.exe[944] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00070F9B
.text C:\WINDOWS\system32\lsass.exe[944] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00070022
.text C:\WINDOWS\system32\lsass.exe[944] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00070011
.text C:\WINDOWS\system32\lsass.exe[944] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00070058
.text C:\WINDOWS\system32\lsass.exe[944] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\lsass.exe[944] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00070FB6
.text C:\WINDOWS\system32\lsass.exe[944] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [27, 88]
.text C:\WINDOWS\system32\lsass.exe[944] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00070047
.text C:\WINDOWS\system32\lsass.exe[944] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00060F84
.text C:\WINDOWS\system32\lsass.exe[944] msvcrt.dll!system 77C293C7 5 Bytes JMP 00060F95
.text C:\WINDOWS\system32\lsass.exe[944] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00060FC1
.text C:\WINDOWS\system32\lsass.exe[944] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00060FE3
.text C:\WINDOWS\system32\lsass.exe[944] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00060FA6
.text C:\WINDOWS\system32\lsass.exe[944] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00060FD2
.text C:\WINDOWS\system32\lsass.exe[944] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DF0000
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DF0073
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DF0F7E
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DF0062
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DF0FAF
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DF0FCA
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DF00B0
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DF0095
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DF00DC
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DF00CB
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DF0F32
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DF0051
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DF0FE5
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DF0084
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DF0036
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DF0025
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DF0F43
.text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02790FC0
.text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02790062
.text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0279001B
.text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02790FE5
.text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02790047
.text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02790000
.text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02790FA5
.text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [99, 8A]
.text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0279002C
.text C:\WINDOWS\system32\svchost.exe[1120] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E2005A
.text C:\WINDOWS\system32\svchost.exe[1120] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E20FCF
.text C:\WINDOWS\system32\svchost.exe[1120] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E2002E
.text C:\WINDOWS\system32\svchost.exe[1120] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E2000C
.text C:\WINDOWS\system32\svchost.exe[1120] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E2003F
.text C:\WINDOWS\system32\svchost.exe[1120] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E2001D
.text C:\WINDOWS\system32\svchost.exe[1120] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E10FE5
.text C:\WINDOWS\system32\svchost.exe[1120] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00E00000
.text C:\WINDOWS\system32\svchost.exe[1120] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00E00FDB
.text C:\WINDOWS\system32\svchost.exe[1120] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00E0001B
.text C:\WINDOWS\system32\svchost.exe[1120] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00E00FCA
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EC000A
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EC00D3
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EC0FD4
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EC00AE
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EC0091
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EC0051
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EC0FAD
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EC00FF
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EC0146
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EC0121
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EC0F88
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EC006C
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EC0025
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EC00EE
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EC0040
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EC0FEF
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EC0110
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F00025
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F00FA8
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F00FD4
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F00FE5
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F00065
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F00000
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F00FC3
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [10, 89]
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F00040
.text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00EF0FAD
.text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!system 77C293C7 5 Bytes JMP 00EF0038
.text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00EF0FC8
.text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00EF0000
.text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00EF001D
.text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00EF0FE3
.text C:\WINDOWS\system32\svchost.exe[1188] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00EE0000
.text C:\WINDOWS\system32\svchost.exe[1188] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00ED0FE5
.text C:\WINDOWS\system32\svchost.exe[1188] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00ED0000
.text C:\WINDOWS\system32\svchost.exe[1188] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00ED0011
.text C:\WINDOWS\system32\svchost.exe[1188] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00ED0FC0
.text C:\WINDOWS\Explorer.EXE[1260] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D60000
.text C:\WINDOWS\Explorer.EXE[1260] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D60087
.text C:\WINDOWS\Explorer.EXE[1260] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D60076
.text C:\WINDOWS\Explorer.EXE[1260] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D60F92
.text C:\WINDOWS\Explorer.EXE[1260] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D6005B
.text C:\WINDOWS\Explorer.EXE[1260] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D60FAF
.text C:\WINDOWS\Explorer.EXE[1260] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D60F4B
.text C:\WINDOWS\Explorer.EXE[1260] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D60F5C
.text C:\WINDOWS\Explorer.EXE[1260] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D600DA
.text C:\WINDOWS\Explorer.EXE[1260] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D600C9
.text C:\WINDOWS\Explorer.EXE[1260] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D600EB
.text C:\WINDOWS\Explorer.EXE[1260] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D60040
.text C:\WINDOWS\Explorer.EXE[1260] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D60011
.text C:\WINDOWS\Explorer.EXE[1260] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D60F6D
.text C:\WINDOWS\Explorer.EXE[1260] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D60FCA
.text C:\WINDOWS\Explorer.EXE[1260] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D60FDB
.text C:\WINDOWS\Explorer.EXE[1260] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D600AE
.text C:\WINDOWS\Explorer.EXE[1260] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D50FCD
.text C:\WINDOWS\Explorer.EXE[1260] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D50FB2
.text C:\WINDOWS\Explorer.EXE[1260] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D50FDE
.text C:\WINDOWS\Explorer.EXE[1260] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D50014
.text C:\WINDOWS\Explorer.EXE[1260] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D50065
.text C:\WINDOWS\Explorer.EXE[1260] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D50FEF
.text C:\WINDOWS\Explorer.EXE[1260] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D50054
.text C:\WINDOWS\Explorer.EXE[1260] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D50039
.text C:\WINDOWS\Explorer.EXE[1260] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D3001B
.text C:\WINDOWS\Explorer.EXE[1260] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D30F9A
.text C:\WINDOWS\Explorer.EXE[1260] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D30FBC
.text C:\WINDOWS\Explorer.EXE[1260] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D30000
.text C:\WINDOWS\Explorer.EXE[1260] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D30FAB
.text C:\WINDOWS\Explorer.EXE[1260] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D30FD7
.text C:\WINDOWS\Explorer.EXE[1260] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00CA0FEF
.text C:\WINDOWS\Explorer.EXE[1260] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00CA0000
.text C:\WINDOWS\Explorer.EXE[1260] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00CA001B
.text C:\WINDOWS\Explorer.EXE[1260] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00CA0FC0
.text C:\WINDOWS\Explorer.EXE[1260] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00F42862
.text C:\WINDOWS\Explorer.EXE[1260] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D10FEF
.text C:\WINDOWS\Explorer.EXE[1260] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00F426EE
.text C:\WINDOWS\Explorer.EXE[1260] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00F427E0
.text C:\WINDOWS\Explorer.EXE[1260] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00F42726
.text C:\WINDOWS\Explorer.EXE[1260] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00F4275E
.text C:\WINDOWS\System32\svchost.exe[1276] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 015E0FEF
.text C:\WINDOWS\System32\svchost.exe[1276] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 015E0F72
.text C:\WINDOWS\System32\svchost.exe[1276] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 015E0F8D
.text C:\WINDOWS\System32\svchost.exe[1276] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 015E0F9E
.text C:\WINDOWS\System32\svchost.exe[1276] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 015E005B
.text C:\WINDOWS\System32\svchost.exe[1276] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 015E0039
.text C:\WINDOWS\System32\svchost.exe[1276] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 015E009F
.text C:\WINDOWS\System32\svchost.exe[1276] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 015E0082
.text C:\WINDOWS\System32\svchost.exe[1276] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 015E0F17
.text C:\WINDOWS\System32\svchost.exe[1276] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 015E00B0
.text C:\WINDOWS\System32\svchost.exe[1276] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 015E0F06
.text C:\WINDOWS\System32\svchost.exe[1276] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 015E004A
.text C:\WINDOWS\System32\svchost.exe[1276] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 015E0FDE
.text C:\WINDOWS\System32\svchost.exe[1276] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 015E0F61
.text C:\WINDOWS\System32\svchost.exe[1276] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 015E001E
.text C:\WINDOWS\System32\svchost.exe[1276] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 015E0FC3
.text C:\WINDOWS\System32\svchost.exe[1276] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 015E0F3C
.text C:\WINDOWS\System32\svchost.exe[1276] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 04230FB6
.text C:\WINDOWS\System32\svchost.exe[1276] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0423002C
.text C:\WINDOWS\System32\svchost.exe[1276] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 04230011
.text C:\WINDOWS\System32\svchost.exe[1276] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 04230000
.text C:\WINDOWS\System32\svchost.exe[1276] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 04230F6F
.text C:\WINDOWS\System32\svchost.exe[1276] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 04230FEF
.text C:\WINDOWS\System32\svchost.exe[1276] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 04230F8A
.text C:\WINDOWS\System32\svchost.exe[1276] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [43, 8C]
.text C:\WINDOWS\System32\svchost.exe[1276] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 04230F9B
.text C:\WINDOWS\System32\svchost.exe[1276] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 041E0FB7
.text C:\WINDOWS\System32\svchost.exe[1276] msvcrt.dll!system 77C293C7 5 Bytes JMP 041E0FC8
.text C:\WINDOWS\System32\svchost.exe[1276] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 041E001D
.text C:\WINDOWS\System32\svchost.exe[1276] msvcrt.dll!_open 77C2F566 5 Bytes JMP 041E0FEF
.text C:\WINDOWS\System32\svchost.exe[1276] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 041E0038
.text C:\WINDOWS\System32\svchost.exe[1276] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 041E000C
.text C:\WINDOWS\System32\svchost.exe[1276] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01600000
.text C:\WINDOWS\System32\svchost.exe[1276] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 015F0000
.text C:\WINDOWS\System32\svchost.exe[1276] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 015F001B
.text C:\WINDOWS\System32\svchost.exe[1276] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 015F0FEF
.text C:\WINDOWS\System32\svchost.exe[1276] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 015F0040
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B20000
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B20F92
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B20091
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B20FAD
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B20FCA
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B20051
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B200B3
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B200A2
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B200E9
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B200CE
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B200FA
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B2006C
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B20011
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B20F77
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B20036
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B20FE5
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B20F50
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B60FC0
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B60058
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B60011
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B60FE5
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B60047
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B60000
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B60FA5
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D6, 88]
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B60036
.text C:\WINDOWS\system32\svchost.exe[1400] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B50F95
.text C:\WINDOWS\system32\svchost.exe[1400] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B50FA6
.text C:\WINDOWS\system32\svchost.exe[1400] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B50FD2
.text C:\WINDOWS\system32\svchost.exe[1400] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B50FEF
.text C:\WINDOWS\system32\svchost.exe[1400] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B50FB7
.text C:\WINDOWS\system32\svchost.exe[1400] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B5000C
.text C:\WINDOWS\system32\svchost.exe[1400] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B40FEF
.text C:\WINDOWS\system32\svchost.exe[1400] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00B3000A
.text C:\WINDOWS\system32\svchost.exe[1400] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00B30FEF
.text C:\WINDOWS\system32\svchost.exe[1400] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00B30025
.text C:\WINDOWS\system32\svchost.exe[1400] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00B30FD4
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FF0071
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FF0F7C
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FF004A
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FF002F
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FF0FA8
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FF0F3C
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FF008E
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FF00C1
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FF00B0
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FF00D2
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FF0F8D
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FF0F61
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FF0FB9
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FF0FDE
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FF009F
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01040FA8
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01040014
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01040FC3
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01040FD4
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01040F57
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01040FEF
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01040F72
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [24, 89] {AND AL, 0x89}
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01040F8D
.text C:\WINDOWS\system32\svchost.exe[1436] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01030F9C
.text C:\WINDOWS\system32\svchost.exe[1436] msvcrt.dll!system 77C293C7 5 Bytes JMP 01030FAD
.text C:\WINDOWS\system32\svchost.exe[1436] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01030FD2
.text C:\WINDOWS\system32\svchost.exe[1436] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0103000C
.text C:\WINDOWS\system32\svchost.exe[1436] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0103001D
.text C:\WINDOWS\system32\svchost.exe[1436] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01030FEF
.text C:\WINDOWS\system32\svchost.exe[1436] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01020FEF
.text C:\WINDOWS\system32\svchost.exe[1436] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 01010000
.text C:\WINDOWS\system32\svchost.exe[1436] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 01010011
.text C:\WINDOWS\system32\svchost.exe[1436] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 0101002C
.text C:\WINDOWS\system32\svchost.exe[1436] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 01010FE5
.text C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1688] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00BF2862
.text C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1688] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00BF26EE
.text C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1688] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00BF27E0
.text C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1688] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00BF2726
.text C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1688] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00BF275E
.text C:\WINDOWS\system32\svchost.exe[1824] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D80000
.text C:\WINDOWS\system32\svchost.exe[1824] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D80091
.text C:\WINDOWS\system32\svchost.exe[1824] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D80F9C
.text C:\WINDOWS\system32\svchost.exe[1824] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D80FB9
.text C:\WINDOWS\system32\svchost.exe[1824] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D80FCA
.text C:\WINDOWS\system32\svchost.exe[1824] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D80047
.text C:\WINDOWS\system32\svchost.exe[1824] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D80F64
.text C:\WINDOWS\system32\svchost.exe[1824] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D800B6
.text C:\WINDOWS\system32\svchost.exe[1824] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D800C7
.text C:\WINDOWS\system32\svchost.exe[1824] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D80F38
.text C:\WINDOWS\system32\svchost.exe[1824] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D800D8
.text C:\WINDOWS\system32\svchost.exe[1824] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D80062
.text C:\WINDOWS\system32\svchost.exe[1824] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D80FEF
.text C:\WINDOWS\system32\svchost.exe[1824] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D80F8B
.text C:\WINDOWS\system32\svchost.exe[1824] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D80036
.text C:\WINDOWS\system32\svchost.exe[1824] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D80025
.text C:\WINDOWS\system32\svchost.exe[1824] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D80F49
.text C:\WINDOWS\system32\svchost.exe[1824] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00DC0033
.text C:\WINDOWS\system32\svchost.exe[1824] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00DC0F8A
.text C:\WINDOWS\system32\svchost.exe[1824] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00DC0022
.text C:\WINDOWS\system32\svchost.exe[1824] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00DC0011
.text C:\WINDOWS\system32\svchost.exe[1824] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00DC0F9B
.text C:\WINDOWS\system32\svchost.exe[1824] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00DC0000
.text C:\WINDOWS\system32\svchost.exe[1824] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00DC0FB6
.text C:\WINDOWS\system32\svchost.exe[1824] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [FC, 88]
.text C:\WINDOWS\system32\svchost.exe[1824] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00DC0FC7
.text C:\WINDOWS\system32\svchost.exe[1824] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DB0F8B
.text C:\WINDOWS\system32\svchost.exe[1824] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DB0F9C
.text C:\WINDOWS\system32\svchost.exe[1824] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DB000C
.text C:\WINDOWS\system32\svchost.exe[1824] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DB0FE3
.text C:\WINDOWS\system32\svchost.exe[1824] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DB0FC1
.text C:\WINDOWS\system32\svchost.exe[1824] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DB0FD2
.text C:\WINDOWS\system32\svchost.exe[1824] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00D90000
.text C:\WINDOWS\system32\svchost.exe[1824] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00D9001B
.text C:\WINDOWS\system32\svchost.exe[1824] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00D90036
.text C:\WINDOWS\system32\svchost.exe[1824] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00D90047
.text C:\WINDOWS\system32\svchost.exe[1824] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DA0FEF
.text C:\WINDOWS\system32\svchost.exe[1920] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B90FE5
.text C:\WINDOWS\system32\svchost.exe[1920] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B90067
.text C:\WINDOWS\system32\svchost.exe[1920] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B90F68
.text C:\WINDOWS\system32\svchost.exe[1920] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B90F79
.text C:\WINDOWS\system32\svchost.exe[1920] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B90F8A
.text C:\WINDOWS\system32\svchost.exe[1920] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B9001B
.text C:\WINDOWS\system32\svchost.exe[1920] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B90F57
.text C:\WINDOWS\system32\svchost.exe[1920] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B9009F
.text C:\WINDOWS\system32\svchost.exe[1920] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B900E6
.text C:\WINDOWS\system32\svchost.exe[1920] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B900CB
.text C:\WINDOWS\system32\svchost.exe[1920] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B90F3C
.text C:\WINDOWS\system32\svchost.exe[1920] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B9002C
.text C:\WINDOWS\system32\svchost.exe[1920] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B90FD4
.text C:\WINDOWS\system32\svchost.exe[1920] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B90082
.text C:\WINDOWS\system32\svchost.exe[1920] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B9000A
.text C:\WINDOWS\system32\svchost.exe[1920] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B90FB9
.text C:\WINDOWS\system32\svchost.exe[1920] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B900BA
.text C:\WINDOWS\system32\svchost.exe[1920] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BB001B
.text C:\WINDOWS\system32\svchost.exe[1920] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BB004A
.text C:\WINDOWS\system32\svchost.exe[1920] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BB0FCA
.text C:\WINDOWS\system32\svchost.exe[1920] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BB0FE5
.text C:\WINDOWS\system32\svchost.exe[1920] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BB0F8D
.text C:\WINDOWS\system32\svchost.exe[1920] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BB0000
.text C:\WINDOWS\system32\svchost.exe[1920] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BB0F9E
.text C:\WINDOWS\system32\svchost.exe[1920] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DB, 88]
.text C:\WINDOWS\system32\svchost.exe[1920] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BB0FAF
.text C:\WINDOWS\system32\svchost.exe[1920] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BA0038
.text C:\WINDOWS\system32\svchost.exe[1920] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BA0FAD
.text C:\WINDOWS\system32\svchost.exe[1920] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BA000C
.text C:\WINDOWS\system32\svchost.exe[1920] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BA0FE3
.text C:\WINDOWS\system32\svchost.exe[1920] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BA0027
.text C:\WINDOWS\system32\svchost.exe[1920] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BA0FD2
.text C:\Program Files\Intel\AMT\LMS.exe[1948] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00D62862
.text C:\Program Files\Intel\AMT\LMS.exe[1948] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D626EE
.text C:\Program Files\Intel\AMT\LMS.exe[1948] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00D627E0
.text C:\Program Files\Intel\AMT\LMS.exe[1948] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00D62726
.text C:\Program Files\Intel\AMT\LMS.exe[1948] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00D6275E
.text C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1956] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01472862
.text C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1956] ws2_32.dll!send 71AB4C27 5 Bytes JMP 014726EE
.text C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1956] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 014727E0
.text C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1956] ws2_32.dll!recv 71AB676F 5 Bytes JMP 01472726
.text C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1956] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0147275E
.text C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe[2308] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01202862
.text C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe[2308] WS2_32.dll!send 71AB4C27 5 Bytes JMP 012026EE
.text C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe[2308] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 012027E0
.text C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe[2308] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01202726
.text C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe[2308] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0120275E
.text C:\WINDOWS\system32\svchost.exe[2312] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01170000
.text C:\WINDOWS\system32\svchost.exe[2312] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0117005B
.text C:\WINDOWS\system32\svchost.exe[2312] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01170F66
.text C:\WINDOWS\system32\svchost.exe[2312] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01170F83
.text C:\WINDOWS\system32\svchost.exe[2312] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01170040
.text C:\WINDOWS\system32\svchost.exe[2312] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01170FB9
.text C:\WINDOWS\system32\svchost.exe[2312] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 011700A2
.text C:\WINDOWS\system32\svchost.exe[2312] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01170087
.text C:\WINDOWS\system32\svchost.exe[2312] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01170F13
.text C:\WINDOWS\system32\svchost.exe[2312] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01170F24
.text C:\WINDOWS\system32\svchost.exe[2312] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01170EF8
.text C:\WINDOWS\system32\svchost.exe[2312] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01170F9E
.text C:\WINDOWS\system32\svchost.exe[2312] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01170FE5
.text C:\WINDOWS\system32\svchost.exe[2312] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0117006C
.text C:\WINDOWS\system32\svchost.exe[2312] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01170FCA
.text C:\WINDOWS\system32\svchost.exe[2312] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01170025
.text C:\WINDOWS\system32\svchost.exe[2312] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01170F3F
.text C:\WINDOWS\system32\svchost.exe[2312] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01160025
.text C:\WINDOWS\system32\svchost.exe[2312] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01160FA5
.text C:\WINDOWS\system32\svchost.exe[2312] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01160014
.text C:\WINDOWS\system32\svchost.exe[2312] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01160FDE
.text C:\WINDOWS\system32\svchost.exe[2312] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01160058
.text C:\WINDOWS\system32\svchost.exe[2312] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01160FEF
.text C:\WINDOWS\system32\svchost.exe[2312] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01160047
.text C:\WINDOWS\system32\svchost.exe[2312] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01160036
.text C:\WINDOWS\system32\svchost.exe[2312] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01150F6E
.text C:\WINDOWS\system32\svchost.exe[2312] msvcrt.dll!system 77C293C7 5 Bytes JMP 01150F89
.text C:\WINDOWS\system32\svchost.exe[2312] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01150FB5
.text C:\WINDOWS\system32\svchost.exe[2312] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01150FEF
.text C:\WINDOWS\system32\svchost.exe[2312] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01150F9A
.text C:\WINDOWS\system32\svchost.exe[2312] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01150FD2
.text C:\WINDOWS\system32\svchost.exe[2312] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\svchost.exe[2312] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00FE001B
.text C:\WINDOWS\system32\svchost.exe[2312] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00FE002C
.text C:\WINDOWS\system32\svchost.exe[2312] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00FE0047
.text C:\WINDOWS\system32\svchost.exe[2312] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FF0000
.text C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe[2392] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 03A82862
.text C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe[2392] ws2_32.dll!send 71AB4C27 5 Bytes JMP 03A826EE
.text C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe[2392] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 03A827E0
.text C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe[2392] ws2_32.dll!recv 71AB676F 5 Bytes JMP 03A82726
.text C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe[2392] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 03A8275E
.text C:\WINDOWS\System32\vssvc.exe[2500] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00AA2862
.text C:\WINDOWS\System32\vssvc.exe[2500] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00AA26EE
.text C:\WINDOWS\System32\vssvc.exe[2500] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00AA27E0
.text C:\WINDOWS\System32\vssvc.exe[2500] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00AA2726
.text C:\WINDOWS\System32\vssvc.exe[2500] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00AA275E
.text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2572] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01492862
.text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2572] WS2_32.dll!send 71AB4C27 5 Bytes JMP 014926EE
.text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2572] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 014927E0
.text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2572] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01492726
.text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2572] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0149275E
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2848] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 021C2862
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2848] WS2_32.dll!send 71AB4C27 5 Bytes JMP 021C26EE
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2848] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 021C27E0
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2848] WS2_32.dll!recv 71AB676F 5 Bytes JMP 021C2726
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2848] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 021C275E
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2856] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 018B2862
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2856] ws2_32.dll!send 71AB4C27 5 Bytes JMP 018B26EE
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2856] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 018B27E0
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2856] ws2_32.dll!recv 71AB676F 5 Bytes JMP 018B2726
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2856] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 018B275E
.text C:\WINDOWS\system32\mmc.exe[3108] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01C72862
.text C:\WINDOWS\system32\mmc.exe[3108] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01C726EE
.text C:\WINDOWS\system32\mmc.exe[3108] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01C727E0
.text C:\WINDOWS\system32\mmc.exe[3108] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01C72726
.text C:\WINDOWS\system32\mmc.exe[3108] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01C7275E
.text C:\WINDOWS\System32\alg.exe[3736] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00C92862
.text C:\WINDOWS\System32\alg.exe[3736] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C926EE
.text C:\WINDOWS\System32\alg.exe[3736] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00C927E0
.text C:\WINDOWS\System32\alg.exe[3736] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00C92726
.text C:\WINDOWS\System32\alg.exe[3736] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00C9275E
.text C:\Program Files\Mozilla Firefox\firefox.exe[3964] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [10021470] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!CreateThread] [10020DC0] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetModuleHandleA] [100214C0] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [100213E0] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [100213A0] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [10021510] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [100213A0] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [100213E0] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [10021510] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateThread] [10020DC0] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [100213A0] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [100213E0] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [10021510] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\ole32.dll [GDI32.dll!DeleteObject] [100202D0] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [10021510] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [100213A0] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [100213E0] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] [10020DC0] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [10021470] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [10021420] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetSysColor] [10020280] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CallWindowProcW] [10020770] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!RegisterClassW] [10020F40] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!DefWindowProcW] [10020940] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [10021510] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [100213A0] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetModuleHandleA] [100214C0] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateThread] [10020DC0] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\shell32.dll [GDI32.dll!DeleteObject] [100202D0] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\shell32.dll [KERNEL32.dll!GetModuleHandleA] [100214C0] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\shell32.dll [KERNEL32.dll!LoadLibraryA] [100213A0] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\shell32.dll [KERNEL32.dll!LoadLibraryW] [100213E0] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\shell32.dll [KERNEL32.dll!GetProcAddress] [10021510] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\shell32.dll [KERNEL32.dll!CreateThread] [10020DC0] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\shell32.dll [KERNEL32.dll!LoadLibraryExW] [10021470] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\shell32.dll [KERNEL32.dll!LoadLibraryExA] [10021420] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!AdjustWindowRectEx] [10021110] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!SystemParametersInfoA] [10021010] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!DefWindowProcA] [100208B0] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!GetSysColor] [10020280] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!DefWindowProcW] [10020940] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!RegisterClassW] [10020F40] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!GetSysColorBrush] [10020310] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!FillRect] [100211D0] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!DrawFrameControl] [10021280] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!DrawEdge] [10021230] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!GetScrollInfo] [10020540] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!CallWindowProcW] [10020770] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!SetScrollInfo] [10020410] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\SHLWAPI.dll [GDI32.dll!DeleteObject] [100202D0] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetModuleHandleA] [100214C0] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [10021420] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [10021470] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [100213E0] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [10020DC0] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [100213A0] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [10021510] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [100208B0] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [10020940] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!SystemParametersInfoA] [10021010] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [10020280] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!RegisterClassA] [10020E70] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!RegisterClassW] [10020F40] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!CallWindowProcW] [10020770] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!CallWindowProcA] [10020810] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [10021510] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [100213A0] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!CreateThread] [10020DC0] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!GetModuleHandleA] [100214C0] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] [100213A0] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!CreateThread] [10020DC0] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [10021510] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!LoadLibraryA] [100213A0] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT c:\program files\punchclock server3\punchclock server.exe[284] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [10021510] C:\PROGRA~1\PUNCHC~1\COMPON~1\CODEJO~1.OCX (Xtreme SkinFramework ActiveX Control Module/Codejock Software)
IAT C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1956] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegQueryValueA] 009C08E0
IAT C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1956] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegCreateKeyExW] 009C05D0
IAT C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1956] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] 009B90C0
IAT C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1956] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] 009BA600
IAT C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1956] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CloseHandle] 009BD770
IAT C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1956] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FreeLibrary] 009BB350
IAT C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1956] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] 009BA930
IAT C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1956] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileW] 009BCAB0
IAT C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1956] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalUnlock] 009BFAB0
IAT C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1956] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalLock] 009BFAF0
IAT C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1956] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcessHeap] 009C0C30
IAT C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1956] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FindFirstFileW] 009BF6A0
IAT C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1956] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!DuplicateHandle] 009BD6D0
IAT C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1956] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] 009BBE70
IAT C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1956] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 009BB000
IAT C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1956] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetEnvironmentStringsW] 009BB8F0
IAT C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1956] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!IsDebuggerPresent] 009C11B0
IAT C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1956] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!ReadFile] 009BCE00
IAT C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1956] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetFilePointer] 009BD530
IAT C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1956] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFileEx] 009BE160
IAT C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1956] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingW] 009BDC40
IAT C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1956] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFile] 009BE0E0
IAT C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1956] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!OpenFileMappingW] 009BEC00
IAT C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1956] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!UnmapViewOfFile] 009BE2D0
IAT C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1956] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] 009BACB0
IAT C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1956] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!TerminateProcess] 009BBD20
IAT C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1956] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalAlloc] 009BFBD0
IAT C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1956] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FlushViewOfFile] 009BDD80
IAT C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1956] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileSize] 009BD670
IAT C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1956] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!WriteFile] 009BD230
IAT C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1956] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileType] 009BD880
IAT C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1956] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetACP] 009C0C50
IAT C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1956] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingA] 009BDB80
IAT C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1956] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadIconW] 009C0EF0
IAT C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1956] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadCursorW] 009C0E90
IAT C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1956] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateDialogParamW] 009C10E0
IAT C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1956] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!DialogBoxParamW] 009C1180
IAT C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[1956] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadStringW] 009C0FB0

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs stcvsm.sys (StorageCraft Volume Snapshot Driver/StorageCraft Technology Corporation)
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\ACPI \Device\00000040 8A499CD8
Device \Driver\ACPI \Device\00000042 8A499CD8
Device \Driver\ACPI \Device\00000050 8A499CD8
Device \Driver\ACPI \Device\00000051 8A499CD8
Device \Driver\ACPI \Device\00000052 8A499CD8
Device \Driver\ACPI \Device\00000053 8A499CD8
Device \Driver\ACPI \Device\00000054 8A499CD8
Device \Driver\ACPI \Device\00000047 8A499CD8
Device \Driver\ACPI \Device\00000055 8A499CD8
Device \Driver\ACPI \Device\00000048 8A499CD8

AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\ACPI \Device\00000056 8A499CD8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 stcvsm.sys (StorageCraft Volume Snapshot Driver/StorageCraft Technology Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \Driver\ACPI \Device\00000064 8A499CD8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 stcvsm.sys (StorageCraft Volume Snapshot Driver/StorageCraft Technology Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \Driver\ACPI \Device\00000059 8A499CD8
Device \Driver\ACPI \Device\00000066 8A499CD8
Device \Driver\USBSTOR \Device\00000080 8A499CD8
Device \Driver\ACPI \Device\00000067 8A499CD8
Device \Driver\ACPI \Device\00000068 8A499CD8
Device \Driver\ACPI \Device\00000069 8A499CD8
Device \Driver\ACPI \Device\0000004e 8A499CD8
Device \Driver\ACPI \Device\0000005c 8A499CD8
Device \Driver\ACPI \Device\0000004f 8A499CD8

AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\ACPI \Device\0000006c 8A499CD8
Device \Driver\USBSTOR \Device\0000007a 8A499CD8
Device \Driver\ACPI \Device\0000006d 8A499CD8

AttachedDevice \FileSystem\Fastfat \Fat stcvsm.sys (StorageCraft Volume Snapshot Driver/StorageCraft Technology Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----



#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,248 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:03:18 PM

Posted 17 March 2010 - 04:25 AM

Hello DAC95,

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

In your next reply, please include the following:
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 DAC95

DAC95
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:02:18 AM

Posted 17 March 2010 - 03:52 PM

Hi Elise,
I have attached the combofix.txt. I had a lot of trouble turning off the McAfee Total Protection for Small Business virus scanner, but I finally got it off to run the combofix.exe.
Thanks for your continued help,
Dorothy

Attached Files



#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,248 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:03:18 PM

Posted 17 March 2010 - 04:00 PM

Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.


*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.
Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.

**Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).

Edited by elise025, 17 March 2010 - 04:06 PM.
link fixed

regards, Elise




#7 DAC95

DAC95
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:02:18 AM

Posted 17 March 2010 - 04:33 PM

Here is the log.
Dorothy

Attached Files



#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,248 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:03:18 PM

Posted 17 March 2010 - 04:40 PM

Hello, can you please re-run Combofix? Please paste the log directly into the reply box, do not attach it.

Also, let me know how everything is running now.

regards, Elise




#9 DAC95

DAC95
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:02:18 AM

Posted 17 March 2010 - 04:58 PM

Elise,
I have noticed a couple of things already. One is that turning off the virus protection was very easy compared to the first time. The first time I had to rename the McAfee folder to make it not run. This time I was able to just stop it running under Computer Management. It seems faster, but I will test it out thoroughly while you review the log. Here is the log.
Thanks,
Dorothy

ComboFix 10-03-17.01 - Dorothy 03/17/2010 11:50:52.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2002.1508 [GMT -10:00]
Running from: c:\documents and settings\Dorothy\My Documents\Downloads\ComboFix.exe
AV: Total Protection for Small Business *On-access scanning disabled* (Updated) {8C354827-2F54-4E28-90DC-AD391E77808C}
.

((((((((((((((((((((((((( Files Created from 2010-02-17 to 2010-03-17 )))))))))))))))))))))))))))))))
.

2010-03-17 21:14 . 2010-03-17 21:14 -------- d-----w- C:\HelpAsst_backup
2010-03-15 22:29 . 2010-03-15 22:29 -------- d--h--w- c:\windows\PIF
2010-03-11 00:37 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-02-26 18:11 . 2010-02-26 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-02-26 18:11 . 2010-02-26 18:11 -------- d-----w- c:\documents and settings\Dorothy\Application Data\Office Genuine Advantage
2010-02-22 20:37 . 2010-02-22 20:37 -------- d-----w- c:\documents and settings\Dorothy\Application Data\Malwarebytes
2010-02-22 20:37 . 2010-02-22 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-17 21:29 . 2009-02-12 20:11 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-11 13:02 . 2008-12-29 21:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-04 23:30 . 2009-03-31 21:02 -------- d-----w- c:\program files\Timebank
2010-02-25 19:24 . 2009-01-29 19:46 3857 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2008\qbbackup.sys
2010-02-23 13:01 . 2008-04-02 21:27 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-16 02:02 . 2009-01-11 20:51 88824 ----a-w- c:\documents and settings\Kay\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-12 23:06 . 2010-02-12 23:06 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-02-11 21:51 . 2009-07-07 19:37 88824 ----a-w- c:\documents and settings\Angela\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-10 23:30 . 2008-12-31 23:38 88824 ----a-w- c:\documents and settings\Dorothy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-10 22:18 . 2010-01-19 00:08 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-10 22:18 . 2010-02-10 22:18 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2010-02-08 21:48 . 2010-02-08 21:48 -------- d-----w- c:\program files\QuickTime
2010-01-25 20:18 . 2008-12-31 22:37 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2010-01-25 20:18 . 2008-12-31 22:37 59 ----a-w- c:\windows\wpd99.drv
2010-01-19 00:06 . 2009-01-22 00:58 -------- d-----w- c:\program files\Google
2010-01-13 13:04 . 2010-01-13 13:04 189240 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-01-05 10:00 . 2004-08-04 10:56 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2009-12-02 18:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 10:56 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-04 09:14 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-10-10 02:00 . 2009-10-10 02:00 608 --sha-w- c:\windows\system32\winzvprt5.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2008-01-10 53248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-02-08 417792]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-4-24 972064]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2007-06-28 04:17 69632 ----a-r- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\atchk]
2007-06-28 04:18 404248 ----a-r- c:\program files\Intel\AMT\atchk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 15:42 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-06-28 04:21 162584 ----a-r- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-02-19 12:41 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-06-28 04:22 142104 ----a-r- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 21:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-06-28 04:21 138008 ----a-r- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-11-01 05:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-06-28 04:17 16132608 ----a-r- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-12 14:00 132496 ----a-w- c:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\HP\\hp laserjet m2727\\hppfaxnc0.exe"=
"c:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:vnc
"59152:UDP"= 59152:UDP:SonicWALL Anti-Virus Compliance Port 59152
"59153:UDP"= 59153:UDP:SonicWALL Anti-Virus Compliance Port 59153

R0 stcvsm;stcvsm;c:\windows\system32\drivers\stcvsm.sys [2/12/2009 10:11 AM 144288]
R1 sbmount;StorageCraft Image Mount Driver;c:\windows\system32\drivers\sbmount.sys [2/12/2009 10:11 AM 95776]
R2 EngineServer;EngineServer;c:\program files\McAfee\Managed VirusScan\VScan\EngineServer.exe [12/31/2008 11:40 AM 14144]
R2 ShadowProtectSvc;ShadowProtect Service;c:\program files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe [2/12/2009 10:11 AM 1255968]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [9/27/2007 3:23 PM 2554648]
R2 VSNAPVSS;StorageCraft Shadow Copy Provider;c:\windows\system32\vsnapvss.exe [2/12/2009 10:11 AM 70176]
S2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [12/31/2008 11:37 AM 175704]
S2 SWAGENT;SonicWALL Agent Service;c:\program files\McAfee\Managed VirusScan\Agent\swAgent.exe [12/31/2008 11:40 AM 103744]
S4 PunchClock Server;PunchClock Server;c:\program files\PunchClock Server3\PunchClock Server.exe [10/29/2007 6:02 PM 3200416]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-03-17 c:\windows\Tasks\User_Feed_Synchronization-{D1CCFE5E-707C-482D-A124-47106FE3C3D1}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 04:36]
.
.
------- Supplementary Scan -------
.
uStart Page = https://portal.adp.com/public/index.htm
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
Trusted Zone: adp.com
TCP: {8AC2991B-CB8F-417D-BB9A-039D398F1E54} = 24.25.227.15,66.75.160.15
FF - ProfilePath - c:\documents and settings\Dorothy\Application Data\Mozilla\Firefox\Profiles\z60xmsil.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bleepingcomputer.com/forums/index.php?showtopic=302225&st=0&gopid=1677264&#entry1677264
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-17 11:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3816)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-17 11:55:37
ComboFix-quarantined-files.txt 2010-03-17 21:55

Pre-Run: 210,212,835,328 bytes free
Post-Run: 210,245,816,320 bytes free

- - End Of File - - 4D56B91E946804B5A72A00011D497504
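The log above is the artifact Elise reads to decide whether the machine is clean. The following is an added example, not a BleepingComputer or ComboFix tool, showing how a helper could machine-check the parts of a ComboFix log that get looked at first: the Run-key autostarts, the firewall GloballyOpenPorts list and the Security Center DisableMonitoring flags. SAMPLE_LOG is constructed from lines excerpted from the log posted above plus one made-up Run entry (an svchost.exe in a user Temp folder, which is not in the real log) so the location check has something to fire on; the names SAMPLE_LOG, tagged_lines, parse_run_entries, parse_open_ports, parse_monitoring_flags and triage are mine.

```python
"""Triage helper for ComboFix-style logs (added example, not a ComboFix feature).

Tags each line with the registry key printed above it, then extracts Run-key
autostarts, globally open firewall ports and Security Center monitoring flags
and turns them into review notes.
"""
import re
from dataclasses import dataclass

# Constructed sample: excerpted from the ComboFix log posted in the thread, plus
# ONE made-up Run entry (svchost.exe in a user Temp folder) that is NOT in the
# real log and is only here so the location check has something to flag.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2008-01-10 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-02-08 417792]
"svchost"="c:\documents and settings\Dorothy\Local Settings\Temp\svchost.exe" [2010-03-10 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:vnc
"59152:UDP"= 59152:UDP:SonicWALL Anti-Virus Compliance Port 59152
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*"(?P<path>[^"]+)"')
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"\s*=\s*\d+:(?:TCP|UDP):(?P<label>.*)$')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*dword:(?P<hex>[0-9a-fA-F]{8})$')

# Autostarts launched from anywhere else (user profiles, Temp, root of C:) get flagged.
TRUSTED_ROOTS = ("c:\\windows", "c:\\program files")


@dataclass(frozen=True)
class RunEntry:
    key: str
    name: str
    path: str


def tagged_lines(text):
    """Yield (registry key, line) for every non-blank line below a [key] header."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is not None:
            yield key, line


def parse_run_entries(text):
    """Name/path pairs under any key ending in \\Run."""
    entries = []
    for key, line in tagged_lines(text):
        m = VALUE_RE.match(line)
        if key.lower().endswith("\\run") and m:
            entries.append(RunEntry(key, m.group("name"), m.group("path")))
    return entries


def parse_open_ports(text):
    """(port, proto, label) tuples from the firewall GloballyOpenPorts list."""
    ports = []
    for key, line in tagged_lines(text):
        m = PORT_RE.match(line)
        if "globallyopenports" in key.lower() and m:
            ports.append((int(m.group("port")), m.group("proto"), m.group("label")))
    return ports


def parse_monitoring_flags(text):
    """{product: DisableMonitoring value} from the Security Center Monitoring keys."""
    flags = {}
    for key, line in tagged_lines(text):
        m = DWORD_RE.match(line)
        if "security center\\monitoring" in key.lower() and m and m.group("name") == "DisableMonitoring":
            flags[key.rsplit("\\", 1)[-1]] = int(m.group("hex"), 16)
    return flags


def triage(text):
    """Review notes: REVIEW items need a decision, INFO items are context."""
    notes = []
    for e in parse_run_entries(text):
        if not e.path.lower().startswith(TRUSTED_ROOTS):
            notes.append(f"REVIEW Run entry {e.name!r} starts from outside Windows/Program Files: {e.path}")
    for port, proto, label in parse_open_ports(text):
        hint = " (default VNC listener)" if (port, proto) == (5900, "TCP") else ""
        notes.append(f"REVIEW firewall exception opens {port}/{proto} {label!r}{hint}; confirm it is still needed")
    for product, value in parse_monitoring_flags(text).items():
        if value == 1:
            notes.append(f"INFO Security Center monitoring is disabled for {product}; expected when the AV "
                         "reports its own status, otherwise check that the AV is actually running")
    return notes


if __name__ == "__main__":
    for note in triage(SAMPLE_LOG):
        print(note)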



#10 DAC95
  • Topic Starter
  • Members
  • 11 posts

Posted 17 March 2010 - 05:08 PM

Just noticed that Outlook still will not start...could that be a separate problem?

When I try to open Outlook: "Cannot start Microsoft Office Outlook. Cannot open the Outlook window."

#11 DAC95
  • Topic Starter
  • Members
  • 11 posts

Posted 17 March 2010 - 05:41 PM

I searched online and I fixed my Outlook with Run: Outlook.exe /resetnavpane

Yipee!

#12 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,248 posts
  • Gender:Female
  • Location:Romania

Posted 18 March 2010 - 02:51 AM

Hello Dorothy,

Looking a lot better indeed, the MBR rootkit is gone.

UPDATE JAVA
------------------
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 18.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.


MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


In your next reply, please include the following:
  • MBAM log

regards, Elise


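The Java step above hinges on one detail: the 6u18 installer only removes Updates 10 and later, so older JRE and J2SE entries stay in Add/Remove Programs and have to be found by hand. The script below is an added example, not from the thread and not a Sun/Oracle tool, that reads the DisplayName of each Add/Remove Programs entry from the registry, pulls (family, update) out of the Java ones and lists those older than 6 Update 18. The DisplayName strings in SAMPLE_NAMES are constructed in the forms Sun's installers have used (assumed, not taken from the machine in the thread); the function names and the TARGET constant are mine. Off Windows it runs against the samples, which is also what the parsing is checked against.

```python
"""Inventory of Java installs via Add/Remove Programs (added example).

Reads DisplayName from the Uninstall registry keys, extracts (family, update)
from each Java entry and lists the ones older than JRE 6 Update 18.
"""
import re
import sys

TARGET = (6, 18)   # (family, update) of the release the post asks to keep

UNINSTALL_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall",  # absent on 32-bit XP, skipped
)

# Constructed DisplayName samples (assumed formats, not read from the thread's
# machine). Only the first is current; the next three are the kind of leftovers
# the post says must be removed by hand; the last is not Java at all.
SAMPLE_NAMES = [
    "Java(TM) 6 Update 18",
    "Java(TM) SE Runtime Environment 6 Update 2",   # same release as the jre1.6.0_02 path in the ComboFix log
    "J2SE Runtime Environment 5.0 Update 6",
    "Java 2 Runtime Environment, SE v1.4.2_05",
    "Adobe Reader 9.3",
]


def parse_java_version(display_name):
    """(family, update) for a JRE/J2SE DisplayName, or None for anything else."""
    if not re.search(r"\b(java|j2se)\b", display_name, re.IGNORECASE):
        return None
    # "6 Update 18", "5.0 Update 6"
    m = re.search(r"\b(\d+)(?:\.\d+)?\s+Update\s+(\d+)\b", display_name, re.IGNORECASE)
    if m:
        return int(m.group(1)), int(m.group(2))
    # "1.4.2_05", "1.5.0_06" style: family is the second digit, update follows "_"
    m = re.search(r"1\.(\d)\.\d+_(\d+)\b", display_name)
    if m:
        return int(m.group(1)), int(m.group(2))
    return None


def stale_java_installs(display_names, target=TARGET):
    """[(name, (family, update))] for every Java entry older than target."""
    stale = []
    for name in display_names:
        version = parse_java_version(name)
        if version is not None and version < target:
            stale.append((name, version))
    return stale


def installed_display_names():
    """DisplayName of every Add/Remove Programs entry (Windows only)."""
    import winreg  # local import so the parsing functions also run off Windows
    for sub in UNINSTALL_KEYS:
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub)
        except OSError:
            continue
        with root:
            index = 0
            while True:
                try:
                    child = winreg.EnumKey(root, index)
                except OSError:
                    break
                index += 1
                try:
                    with winreg.OpenKey(root, child) as k:
                        yield str(winreg.QueryValueEx(k, "DisplayName")[0])
                except OSError:
                    pass


if __name__ == "__main__":
    names = list(installed_display_names()) if sys.platform == "win32" else SAMPLE_NAMES
    for name, (family, update) in stale_java_installs(names):
        print(f"remove via Add/Remove Programs: {name}  (family {family}, update {update})")
```

Entries it prints are then removed through Add/Remove Programs exactly as the post describes; the script only reads the registry and changes nothing. Run on each workstation it gives the same answer the manual check would, which is useful for the other office machines mentioned later in the thread.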


#13 DAC95
  • Topic Starter
  • Members
  • 11 posts

Posted 18 March 2010 - 05:18 PM

Elise,
I updated Java. Here is the mbam log below. I wanted to ask your advice about how I should proceed with the rest of the computers in my office. Mine was the only one exhibiting those specific symptoms. Should I run the same scans on those computers? Thank you, Dorothy

Malwarebytes' Anti-Malware 1.44
Database version: 3883
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

3/18/2010 12:14:48 PM
mbam-log-2010-03-18 (12-14-48).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|Z:\|)
Objects scanned: 395910
Time elapsed: 1 hour(s), 2 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#14 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,248 posts
  • Gender:Female
  • Location:Romania

Posted 19 March 2010 - 04:01 AM

Hi Dorothy,

You can try MBAM on the other computers, however do not use Combofix unsupervised. It's a very powerful tool that can easily cause damage on your system. Are the computers on a network or do they only use the same internet connection? If they are on a network, it's quite possible stuff has spread, but this chance is smaller if they only share an internet connection (however, it's not impossible).

ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    Note - when ESET doesn't find any threats, no report will be created.
  12. Push the button.
  13. Push

regards, Elise




#15 DAC95
  • Topic Starter
  • Members
  • 11 posts

Posted 22 March 2010 - 04:28 PM

I did it and no threats were found. As to our other computers, we share an internet connection and they all share my computer as a shared drive. We do not have a proper file server. Do you recommend my running ESET in addition to MBAM on them?



