Search Engine Redirect Problem


  • This topic is locked
27 replies to this topic

#1 Tim0272


Posted 18 May 2010 - 06:48 PM

Thanks for the help in the other forum, Orange Blossom. I forgot I also ran RootkitBuster and HJT. I think I listed all the other programs I ran in the original post.

I will be away from this computer until Saturday, 22 May 10, and will accomplish any suggested troubleshooting then. Thanks in advance for the help.

Tim0272

-----

Original post from "Am I Infected" Forum topic (http://www.bleepingcomputer.com/forums/topic317422.html):

Hello,

Over the last three days, I have started to have problems with the links from search engine results taking me to various/random search engine sites and results I don't ask for. I have run Ad-aware, Malwarebytes Anti-malware, Spybot S&D, and McAfee Security Center (the anti-virus program I normally run) scans. Spybot S&D and MBAM both detected and fixed problems, but the random redirects continue to occur. I have now exceeded my own capabilities to get rid of this.

I am running Windows XP SP3 (with all updates, I believe) and get the problem when using Firefox 3.6.3 and IE 8.0.6001.18702. All attempts to do a system restore to a restore point from before the problem occurred have also failed (after the reboot).

I was hoping to get some help in figuring this problem out.

Thanks,

Tim0272

-----

DDS.txt follows:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 17:51:32.28 on 18-May-10
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.406 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
d:\Glary Utilities\initialize.exe
svchost.exe
C:\Program Files\ActivIdentity\ActivClient\accoca.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
d:\Cobian Backup 9\cbService.exe
d:\DiskeeperLite\DKService.exe
D:\Java\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
d:\CDBurnerXP\NMSAccessU.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MSM\McSmtFwk.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
C:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.speedtv.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\java\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {D554D8FC-B36D-4BB4-93DB-4A3394D505E3} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [NeroCheck] c:\windows\system32\\NeroCheck.exe
mRun: [iTunesHelper] "d:\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - d:\micros~1\office12\EXCEL.EXE/3000
IE: {5F4A4622-8370-440e-88CC-CA2256D1A08A} - c:\windows\system32\cachepal.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C} - d:\ati multimedia\dtv\EXPLBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45}
Handler: x-excid - {9D6CC632-1337-4a33-9214-2DA092E776F4} - c:\windows\downloaded program files\mimectl.dll
Handler: x-owacid - {0215258f-f0a8-49de-bf1b-0ff02eda8807} - c:\program files\microsoft\outlook web access smime client\mimectl.dll
Notify: ackpbsc - c:\windows\system32\ackpbsc.dll
Notify: acunlock - c:\program files\actividentity\activclient\acunlock.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\default.x3a\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.apexspeed.com/forums/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\default.x3a\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\default.x3a\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
FF - plugin: d:\adobe\reader\browser\nppdf32.dll
FF - plugin: d:\dbsign~1\lib\npDBsignWeb.dll
FF - plugin: d:\divx\divx player\npDivxPlayerPlugin.dll
FF - plugin: d:\divx\divx plus web player\npdivx32.dll
FF - plugin: d:\divx\divx web player\npdivx32.dll
FF - plugin: d:\google\picasa3\npPicasa3.dll
FF - plugin: d:\itunes\mozilla plugins\npitunes.dll
FF - plugin: d:\java\bin\new_plugin\npdeploytk.dll
FF - plugin: d:\java\bin\new_plugin\npjp2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - d:\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - d:\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
d:\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
d:\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
d:\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
d:\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
d:\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
d:\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
d:\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
d:\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
d:\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
d:\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
d:\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
d:\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
d:\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
d:\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
d:\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
d:\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
d:\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
d:\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
d:\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
d:\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
d:\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
d:\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
d:\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
d:\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
d:\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
d:\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
d:\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
d:\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
d:\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
d:\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
d:\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
d:\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
d:\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
d:\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
d:\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
d:\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
d:\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-5-12 214664]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-10-28 353672]
R2 accoca;ActivClient Middleware Service;c:\program files\actividentity\activclient\accoca.exe [2008-5-29 198184]
R2 CobianBackupAmanita;Cobian Backup 9 service;d:\cobian backup 9\cbService.exe [2008-5-24 583168]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-5-12 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-5-12 144704]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 GKUPRO2D;GKUPRO2D;c:\windows\system32\drivers\GKUPRO2D.sys [2004-7-16 62048]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-5-12 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-5-12 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-5-12 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-5-12 40552]
S2 0044181270251069mcinstcleanup;McAfee Application Installer Cleanup (0044181270251069);c:\windows\temp\004418~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\004418~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 PEVSystemStart;PEVSystemStart;"c:\combofix\pev.cfxxe" exec /i "c:\combofix\hidec.exe" "c:\combofix\swreg.exe" acl "hkey_local_machine\system\currentcontrolset\enum\root\legacy_beep" /reset /q --> c:\combofix\PEV.cfxxe [?]
S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-11-24 30192]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;d:\ad-aware\AAWService.exe [2010-2-4 1291544]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-5-12 34248]

=============== Created Last 30 ================

2010-05-18 22:48:46 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-05-16 00:45:08 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-05-16 00:45:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-05-16 00:44:57 0 d-----w- c:\program files\Hitman Pro 3.5
2010-05-15 23:21:51 0 d-sha-r- C:\cmdcons
2010-05-15 23:17:39 98816 ----a-w- c:\windows\sed.exe
2010-05-15 23:17:39 77312 ----a-w- c:\windows\MBR.exe
2010-05-15 23:17:39 256512 ----a-w- c:\windows\PEV.exe
2010-05-15 23:17:39 161792 ----a-w- c:\windows\SWREG.exe
2010-05-15 20:50:38 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-05-15 20:50:21 0 d-----w- c:\program files\DivX
2010-05-15 20:49:49 0 d-----w- c:\docume~1\owner\applic~1\705867C627D0FFA73ABCD05054987E78
2010-05-15 19:55:21 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2010-05-15 19:48:18 0 d-----w- c:\windows\ERUNT
2010-05-15 14:34:44 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-05-15 14:34:32 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-15 13:12:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-05-15 05:11:56 0 d-----w- c:\docume~1\alluse~1\applic~1\DivX
2010-05-14 23:16:38 0 d-----w- c:\docume~1\owner\applic~1\ATManager
2010-04-26 22:04:42 353592 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl

==================== Find3M ====================

2010-05-15 00:54:55 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-04-03 20:56:23 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-31 01:58:04 44944 ------w- c:\windows\system32\drivers\pxhelp20.sys
2010-03-31 01:58:04 133616 ------w- c:\windows\system32\pxafs.dll
2010-03-31 01:58:04 125424 -c----w- c:\windows\system32\pxinsi64.exe
2010-03-31 01:58:04 123888 -c----w- c:\windows\system32\pxcpyi64.exe
2010-03-10 06:15:52 420352 ------w- c:\windows\system32\vbscript.dll
2010-03-08 17:59:18 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-19 19:27:36 720384 ----a-w- c:\windows\system32\DivX.dll
2010-02-19 19:27:16 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2010-02-19 19:27:16 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2010-02-19 19:27:16 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2010-02-19 19:27:16 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2010-02-19 19:27:16 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-10-16 00:20:11 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2008-09-03 23:48:14 32768 -csh--w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090320080904\index.dat

============= FINISH: 17:53:17.87 ===============


#2 aommaster

  • Malware Response Team

Posted 19 May 2010 - 07:08 PM

Hello, Tim0272.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, I would appreciate you letting us know. If not, please perform the following below so I can have a look at the current condition of your machine.

Thanks

Should you still require assistance, please take note of the points below:
  • Please track this topic by either adding it to your favourites or clicking the Options button at the top of this thread and then Track this topic.
  • Please disable word-wrap before posting logs. This can be done by clicking Format and un-ticking the word-wrap feature in notepad.
  • The logs that you post should be copied and pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • If you do not reply within 5 days, I will have to close your topic. Should you not be able to meet this, please notify me so that I will leave the topic open.
  • Please do not install, update, or run any programs for the duration of the fix.
  • If you do not understand the instructions I provide, please don't hesitate to ask. That's what I'm here for :)
  • Please continue to reply to this topic until I give you the all clean. Just because there are no symptoms of infection doesn't mean that the computer is clean.
  • If you are running Vista, please run all the fixes as an administrator. This is done by right-clicking the program and clicking "Run as Administrator".

Please do the following so I can take a look at the current state of your system.

We need to run RSIT
  1. Download random's system information tool (RSIT) by random/random and save it to your desktop.
  2. Double click on RSIT.exe.
  3. Click Continue at the disclaimer screen.
  4. Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).

NEXT:
(This step may produce a blank log. Let me know if that is the case)
We need to run a GMER scan
  1. Download GMER and save to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  2. Close all other open programs as there is a slight chance your computer will crash.
  3. Double click the GMER program. Your security programs may detect GMER's driver trying to load. Allow it.
  4. You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  5. Make sure all options are checked except:
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All (This is important, so do not miss it.)
    Note: If GMER crashes or hangs, please retry running a scan. Only this time, in addition to the options mentioned above, uncheck Devices as well.
  6. When the scan is complete, click Save and save the log onto your desktop.

In your next reply, please include the following:
  • Log.txt
  • info.txt
  • gmer.log

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 Tim0272

  • Topic Starter

Posted 19 May 2010 - 11:53 PM

aommaster,

Thanks for the reply. I will be away from the problem computer until Saturday, 22 May 10 and will run them then.

Would you please keep this topic open until then?

Thanks,

Tim0272

#4 aommaster

  • Malware Response Team

Posted 20 May 2010 - 01:17 AM

Sure! No problem!

Thanks for giving me the heads up :)



#5 Tim0272

  • Topic Starter

Posted 22 May 2010 - 09:28 PM

aommaster,

I originally ran RSIT while McAfee was doing a system scan. I didn't know if it affected the logs at all, so I ran it again after the scan was finished, which is why there are different time stamps on the log and info files.

Log.txt

Logfile of random's system information tool 1.07 (written by random/random)
Run by Owner at 2010-05-22 19:59:36
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 9 GB (48%) free of 18 GB
Total RAM: 1023 MB (35% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 19:59:48, on 22-May-10
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\iTunes\iTunesHelper.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ActivIdentity\ActivClient\accoca.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
d:\Cobian Backup 9\cbService.exe
d:\DiskeeperLite\DKService.exe
D:\Java\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
d:\CDBurnerXP\NMSAccessU.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Icons\Seticon.exe
C:\PROGRA~1\ACTIVI~1\ACTIVC~1\acsagent.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
D:\Mozilla Firefox\firefox.exe
D:\Downloaded Stuff\RSIT(2).exe
C:\Program Files\trend micro\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.speedtv.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Java\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - D:\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: CachePal - {5F4A4622-8370-440e-88CC-CA2256D1A08A} - C:\WINDOWS\System32\cachepal.exe
O9 - Extra 'Tools' menuitem: CachePal - {5F4A4622-8370-440e-88CC-CA2256D1A08A} - C:\WINDOWS\System32\cachepal.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O18 - Protocol: x-owacid - {0215258F-F0A8-49DE-BF1B-0FF02EDA8807} - C:\Program Files\Microsoft\Outlook Web Access SMIME Client\mimectl.dll
O20 - Winlogon Notify: ackpbsc - C:\WINDOWS\system32\ackpbsc.dll
O20 - Winlogon Notify: acunlock - C:\Program Files\ActivIdentity\ActivClient\acunlock.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: McAfee Application Installer Cleanup (0044181270251069) (0044181270251069mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\004418~1.EXE (file missing)
O23 - Service: ActivClient Middleware Service (accoca) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\accoca.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cobian Backup 9 service (CobianBackupAmanita) - Luis Cobian - d:\Cobian Backup 9\cbService.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - d:\DiskeeperLite\DKService.exe
O23 - Service: Google Desktop Manager 5.9.909.30391 (GoogleDesktopManager-093009-130223) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Java\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - d:\Ad-Aware\AAWService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: NMSAccessU - Unknown owner - d:\CDBurnerXP\NMSAccessU.exe
O23 - Service: PEVSystemStart - Unknown owner - C:\ComboFix\PEV.cfxxe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8306 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\GlaryInitialize.job
C:\WINDOWS\tasks\McDefragTask.job
C:\WINDOWS\tasks\McQcTask.job
C:\WINDOWS\tasks\ScanDefrag.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan\scriptsn.dll [2009-09-16 62784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - D:\Java\lib\deploy\jqs\ie\jqs_plugin.dll [2009-07-25 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"=RunDll32 cmicnfg.cpl,CMICtrlWnd []
"mcagent_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2009-10-29 1218008]
"ZoneAlarm Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2009-02-16 981384]
"Google Desktop Search"=C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2009-11-07 30192]
"NeroCheck"=C:\WINDOWS\system32\\NeroCheck.exe [2001-07-09 155648]
"iTunesHelper"=D:\iTunes\iTunesHelper.exe [2010-02-15 141608]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-11-11 417792]
"DivXUpdate"=C:\Program Files\DivX\DivX Update\DivXUpdate.exe [2010-04-12 1135912]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE [1999-11-04 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MagicTune.lnk]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NaturalColorLoad.lnk]
[]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ackpbsc]
C:\WINDOWS\system32\ackpbsc.dll [2008-05-29 109568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acunlock]
C:\Program Files\ActivIdentity\ActivClient\acunlock.dll [2008-05-29 293888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2007-09-29 122880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-02-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\hitmanpro35]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\hitmanpro35.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoUserNameInStartMenu"=0x01000000
"NoDriveAutoRun"=67108863

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoResolveSearch"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"D:\Microsoft Office\Office12\OUTLOOK.EXE"="D:\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"D:\uTorrent\uTorrent.exe"="D:\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"D:\iTunes\iTunes.exe"="D:\iTunes\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\America Online 9.0\waol.exe"="D:\America Online 9.0\waol.exe:*:Enabled:America Online 9.0"
"C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2010-05-22 18:18:34 ----D---- C:\rsit
2010-05-15 19:45:00 ----D---- C:\Documents and Settings\All Users\Application Data\Hitman Pro
2010-05-15 19:44:57 ----D---- C:\Program Files\Hitman Pro 3.5
2010-05-15 18:21:57 ----A---- C:\Boot.bak
2010-05-15 18:21:51 ----RASHD---- C:\cmdcons
2010-05-15 18:17:39 ----A---- C:\WINDOWS\zip.exe
2010-05-15 18:17:39 ----A---- C:\WINDOWS\SWXCACLS.exe
2010-05-15 18:17:39 ----A---- C:\WINDOWS\SWSC.exe
2010-05-15 18:17:39 ----A---- C:\WINDOWS\SWREG.exe
2010-05-15 18:17:39 ----A---- C:\WINDOWS\sed.exe
2010-05-15 18:17:39 ----A---- C:\WINDOWS\PEV.exe
2010-05-15 18:17:39 ----A---- C:\WINDOWS\NIRCMD.exe
2010-05-15 18:17:39 ----A---- C:\WINDOWS\MBR.exe
2010-05-15 18:17:39 ----A---- C:\WINDOWS\grep.exe
2010-05-15 18:16:52 ----D---- C:\WINDOWS\ERDNT
2010-05-15 15:50:38 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-15 15:50:21 ----D---- C:\Program Files\DivX
2010-05-15 15:49:49 ----D---- C:\Documents and Settings\Owner\Application Data\705867C627D0FFA73ABCD05054987E78
2010-05-15 14:48:18 ----D---- C:\WINDOWS\ERUNT
2010-05-15 09:34:44 ----D---- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2010-05-15 09:34:32 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-05-15 08:12:11 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-15 00:11:56 ----D---- C:\Documents and Settings\All Users\Application Data\DivX
2010-05-14 18:16:38 ----D---- C:\Documents and Settings\Owner\Application Data\ATManager
2010-05-11 18:56:41 ----HDC---- C:\WINDOWS\$NtUninstallKB978542$
2010-04-23 22:32:38 ----A---- C:\DVDPATH.TXT

======List of files/folders modified in the last 1 months======

2010-05-22 19:59:45 ----D---- C:\WINDOWS\Temp
2010-05-22 19:59:45 ----D---- C:\Program Files\Trend Micro
2010-05-22 19:59:44 ----D---- C:\WINDOWS\Prefetch
2010-05-22 19:57:20 ----D---- C:\WINDOWS\Internet Logs
2010-05-22 17:53:26 ----D---- C:\WINDOWS
2010-05-18 18:53:35 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-05-15 19:45:08 ----D---- C:\WINDOWS\system32\drivers
2010-05-15 19:44:57 ----RD---- C:\Program Files
2010-05-15 19:20:57 ----D---- C:\WINDOWS\system32
2010-05-15 19:20:34 ----D---- C:\WINDOWS\system32\CatRoot2
2010-05-15 19:07:42 ----SD---- C:\WINDOWS\Tasks
2010-05-15 18:21:58 ----RASH---- C:\boot.ini
2010-05-15 15:59:17 ----A---- C:\WINDOWS\win.ini
2010-05-15 15:59:17 ----A---- C:\WINDOWS\system.ini
2010-05-15 15:58:30 ----SHD---- C:\WINDOWS\Installer
2010-05-15 15:58:30 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2010-05-15 15:49:16 ----D---- C:\Program Files\Common Files\DivX Shared
2010-05-15 15:24:51 ----D---- C:\WINDOWS\system32\Restore
2010-05-15 14:55:21 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-05-15 14:46:28 ----D---- C:\Documents and Settings
2010-05-15 10:34:40 ----HDC---- C:\WINDOWS\$NtUninstallKB928255$
2010-05-15 00:17:50 ----D---- C:\Documents and Settings\Owner\Application Data\DivX
2010-05-14 19:54:55 ----A---- C:\WINDOWS\system32\lsdelete.exe
2010-05-11 18:57:19 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2010-05-11 18:56:49 ----HD---- C:\WINDOWS\inf
2010-05-11 18:56:44 ----D---- C:\Program Files\Outlook Express
2010-05-11 18:53:52 ----HD---- C:\WINDOWS\$hf_mig$
2010-05-05 20:59:56 ----D---- C:\Documents and Settings\Owner\Application Data\Download Manager
2010-04-30 13:51:06 ----A---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\System32\DRIVERS\amdk7.sys [2008-04-13 37760]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 mfehidk;McAfee Inc. mfehidk; C:\WINDOWS\system32\drivers\mfehidk.sys [2009-09-16 214664]
R1 MPFP;MPFP; C:\WINDOWS\System32\Drivers\Mpfp.sys [2009-07-16 120136]
R1 vsdatant;vsdatant; C:\WINDOWS\System32\vsdatant.sys [2009-02-16 353672]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 ATI Remote Wonder II;ATI Remote Wonder II; C:\WINDOWS\system32\drivers\ATIRWVD.SYS [2003-12-15 257872]
R3 ati2mtag;ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2007-09-29 2456064]
R3 ATIAVAIW;ATI T200 Unified AVStream service; C:\WINDOWS\system32\DRIVERS\atinavt2.sys [2006-12-05 168832]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
R3 GKUPRO2D;GKUPRO2D; C:\WINDOWS\System32\Drivers\GKUPRO2D.sys [2004-07-16 62048]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 mfeavfk;McAfee Inc. mfeavfk; C:\WINDOWS\system32\drivers\mfeavfk.sys [2009-09-16 79816]
R3 mfebopk;McAfee Inc. mfebopk; C:\WINDOWS\system32\drivers\mfebopk.sys [2009-09-16 35272]
R3 mferkdk;McAfee Inc. mferkdk; C:\WINDOWS\system32\drivers\mferkdk.sys [2009-09-16 34248]
R3 mfesmfk;McAfee Inc. mfesmfk; C:\WINDOWS\system32\drivers\mfesmfk.sys [2009-09-16 40552]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 nvax;Service for NVIDIA® nForce™ Audio Enumerator; C:\WINDOWS\system32\drivers\nvax.sys [2004-10-22 53376]
R3 NVENET;NVIDIA nForce MCP Networking Controller Driver; C:\WINDOWS\System32\DRIVERS\NVENET.sys [2002-11-27 80896]
R3 nvnforce;Service for NVIDIA® nForce™ Audio; C:\WINDOWS\system32\drivers\nvapu.sys [2004-10-22 413824]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 atinevxx;ATI WDM Rage Theater Video NSP; C:\WINDOWS\system32\DRIVERS\atinevxx.sys [2005-02-01 165888]
S3 atinrvxx;ATI WDM Rage Theater Video; C:\WINDOWS\System32\DRIVERS\atinrvxx.sys [2003-10-21 104960]
S3 ATITUNEP;ATI WDM TV Tuner; C:\WINDOWS\system32\DRIVERS\atineuxx.sys [2005-02-01 56320]
S3 ativraxx;ATI WDM Rage Theater Audio; C:\WINDOWS\System32\DRIVERS\atinraxx.sys [2005-02-01 55296]
S3 ATIXSAudio;ATI WDM TV Audio Crossbar; C:\WINDOWS\system32\DRIVERS\atinesxx.sys [2005-02-01 74240]
S3 catchme;catchme; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 cmuda;C-Media WDM Audio Interface; C:\WINDOWS\system32\drivers\cmuda.sys [2005-05-12 1332544]
S3 GcKernel;Microsoft SideWinder Value Add - Filter Driver; C:\WINDOWS\system32\DRIVERS\GcKernel.sys [2008-04-13 59136]
S3 grmnusb;grmnusb; C:\WINDOWS\system32\drivers\grmnusb.sys [2007-03-08 8320]
S3 HIDSwvd;Microsoft SideWinder Virtual HID Device Mini-Driver; C:\WINDOWS\system32\DRIVERS\HIDSwvd.sys [2001-08-17 2688]
S3 MPE;BDA MPE Filter; C:\WINDOWS\system32\DRIVERS\MPE.sys [2008-04-13 15232]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 MVDCODEC;ATI WDM Specialized MVD Codec; C:\WINDOWS\System32\DRIVERS\atinmdxx.sys [2005-02-01 15360]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\System32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 PCDCODEC;ATI WDM Specialized PCD Codec; C:\WINDOWS\System32\DRIVERS\atinpdxx.sys [2005-02-01 14848]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\System32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 StarOpen;StarOpen; C:\WINDOWS\system32\drivers\StarOpen.sys [2009-09-28 7168]
S3 streamip;BDA IPSink; C:\WINDOWS\System32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2009-08-28 40448]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\System32\DRIVERS\wanatw4.sys [2003-01-10 33588]
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2006-10-18 38528]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\System32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 accoca;ActivClient Middleware Service; C:\Program Files\ActivIdentity\ActivClient\accoca.exe [2008-05-29 198184]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-08-28 144672]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2007-09-29 483328]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 CobianBackupAmanita;Cobian Backup 9 service; d:\Cobian Backup 9\cbService.exe [2009-01-22 583168]
R2 Diskeeper;Diskeeper; d:\DiskeeperLite\DKService.exe [2002-10-16 176128]
R2 JavaQuickStarterService;Java Quick Starter; D:\Java\bin\jqs.exe [2009-07-25 153376]
R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2009-07-10 865832]
R2 McNASvc;McAfee Network Agent; c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe [2009-07-07 2482848]
R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2009-07-08 359952]
R2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2009-09-16 144704]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe [2006-10-26 335872]
R2 NMSAccessU;NMSAccessU; d:\CDBurnerXP\NMSAccessU.exe [2009-09-06 71096]
R2 vsmon;TrueVector Internet Monitor; C:\WINDOWS\system32\ZoneLabs\vsmon.exe [2009-02-16 2402184]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2010-02-15 545576]
R3 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2009-09-16 606736]
S2 0044181270251069mcinstcleanup;McAfee Application Installer Cleanup (0044181270251069); C:\WINDOWS\TEMP\004418~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service []
S2 AOL ACS;AOL Connectivity Service; C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe []
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2006-12-20 520192]
S2 PEVSystemStart;PEVSystemStart; C:\ComboFix\PEV.cfxxe EXEC /i C:\ComboFix\HIDEC.exe C:\ComboFix\SWREG.EXE ACL HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_Beep /RESET /Q []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2009-11-07 30192]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-20 137200]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-03 69632]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; d:\Ad-Aware\AAWService.exe [2010-05-14 1291544]
S3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2009-09-16 365072]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

info.txt

info.txt logfile of random's system information tool 1.06 2010-05-22 18:19:11

======Uninstall list======

-->C:\Documents and Settings\All Users\Application Data\DivX\DivX7\DivX Converter\DivXConverterUninstall.exe /CONVERTER
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent-->"d:\uTorrent\uTorrent.exe" /UNINSTALL
7-Zip 4.65-->"d:\7-Zip\Uninstall.exe"
ActivClient CAC 6.1 AFR-->MsiExec.exe /I{AC194855-F7AC-4D04-B4C9-07BA46FCB697}
Ad-Aware-->"C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe" REMOVE=TRUE MODIFY=FALSE
Ad-Aware-->C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)-->MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player 9 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Photoshop 6.0-->C:\WINDOWS\ISUNINST.EXE -fd:\PShop\Uninst.isu -cd:\PShop\Uninst.dll
Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Advanced SystemCare 3-->"d:\IObit\Advanced SystemCare 3\unins000.exe"
Apple Application Support-->MsiExec.exe /I{553255F3-78FD-40F1-A6F8-6882140265FE}
Apple Mobile Device Support-->MsiExec.exe /I{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Decoder-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{EF128055-9B10-4FF9-8500-5648CF8F899C}
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI HYDRAVISION-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3EA9D975-BFDC-4E8E-B88B-0446FBC8CA66}\setup.exe"
ATI Multimedia Center 9.16-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{3CBA0E30-6F54-47EF-910E-1D4D450AFE45}
ATI Parental Control & Encoder-->MsiExec.exe /I{36CDA33B-909B-4719-97D1-C4B99309BDC7}
ATI Parental Control & Encoder-->MsiExec.exe /I{8D70145A-3BD3-4DBF-9CBF-223EF4A43257}
ATI Remote Wonder 3.04-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{8F36E44A-E6E7-41B7-B6F6-4637BF84EFA5}
AuthorScript Engine 1.0-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{752CA503-E29F-4610-A1A4-B21CDC58EF8D} /l1033
AVIVO Codecs-->MsiExec.exe /X{C941F1F1-25B3-4DF5-83E6-888C51A1AAB6}
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
CachePal Uninstall-->C:\WINDOWS\System32\uncachepal.exe
Calculator Powertoy for Windows XP-->MsiExec.exe /I{B37C842A-B624-46B8-A727-654E72F1C91A}
CDBurnerXP-->"d:\CDBurnerXP\unins000.exe"
C-Media WDM Audio Driver-->C:\WINDOWS\system32\cmirmdrv.exe
Cobian Backup 9-->d:\Cobian Backup 9\cbUninstall.exe
Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
DAO-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{C88E49AA-41C5-4420-A08D-BE1B6C5A3A74}
DBsign Web Signer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44D21B77-D4FC-49E8-A726-CD00D5016703}\Setup.exe" -l0x9
Defraggler (remove only)-->"D:\Defraggler\uninst.exe"
Diskeeper Lite-->MsiExec.exe /X{A3F60446-48FB-48A8-B5FC-BB3430AEF806}
DivX Converter-->C:\Documents and Settings\All Users\Application Data\DivX\DivX7\DivX Converter\DivXConverterUninstall.exe /CONVERTER
DivX Plus DirectShow Filters-->C:\Documents and Settings\All Users\Application Data\DivX\DivX7\DivX Plus DirectShow Filters\DivXDSFiltersUninstall.exe /DSFILTERS
DivX Setup-->C:\Documents and Settings\All Users\Application Data\DivX\Setup\DivXSetup.exe /uninstall /bundleGroupId divx.com
Garmin City Navigator North America v8-->MsiExec.exe /X{A75949C3-DC28-42CA-9C56-24C002B93D89}
Garmin Communicator Plugin-->MsiExec.exe /X{15F4085A-BC98-4590-AFFD-03BBBE49524E}
Garmin MapSource-->MsiExec.exe /X{58FA5D40-E35A-47ED-8AFA-68CCC758559E}
Garmin USB Drivers-->MsiExec.exe /X{65F9E1F3-A2C1-4AA9-9F33-A3AEB0255F0E}
Garmin USB Drivers-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C24C3F25-CC7F-41D5-B03D-24F8059BABAD}\setup.exe" -l0x9 AddRemove
Garmin WebUpdater-->MsiExec.exe /X{E0783143-EAE2-4047-A8D6-E155523C594C}
Glary Utilities 2.21.0.863-->"d:\Glary Utilities\unins000.exe"
Google Desktop-->C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
GUIDE PLUS+™ for Windows® System - ATI-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{99D34763-7E45-4FE5-8424-28DBC3A5F0BF}\setup.exe"
Hotfix for Microsoft .NET Framework 3.0 (KB932471)-->C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {ECD292A0-0347-4244-8C24-5DBCE990FB40} /package {BAF78226-3200-4DB4-BE33-4D922A799840}
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB976098-v2)-->"C:\WINDOWS\$NtUninstallKB976098-v2$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB979306)-->"C:\WINDOWS\$NtUninstallKB979306$\spuninst\spuninst.exe"
iAPP CR-e500(CR-i500) Icons and Drivers-->MsiExec.exe /I{CF7049C6-C595-46E9-BED7-50F6A28ACB00}
Iomega Discovery Tool Home-->MsiExec.exe /X{088348F9-1E7B-4269-A6A2-621FEC00DBB7}
Iomega Product Registration-->MsiExec.exe /X{90FF23FE-0E1B-40DF-A22E-B4C0372E5936}
iPod for Windows 2006-01-10-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{3D047C15-C859-45F7-81CE-F2681778069B} /l1033
iPod Updater 2004-11-15-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{06E73C0B-7DE7-4F41-860B-587033B75BD9} /l1033
IrfanView (remove only)-->d:\IrfanView\iv_uninstall.exe
iTunes-->MsiExec.exe /I{81063354-9060-42B2-A000-1EBE96778AA9}
Java™ 6 Update 15-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216014FF}
K-Lite Codec Pack 2.36 Full-->"d:\K-Lite Codec Pack\unins000.exe"
MapSource - Trip & Waypoint Manager v2-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{A0F584A7-B0C2-4D90-9580-15456B9CF63C} /l1033
MapSource-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5E3CFCA6-C95A-47CB-A822-7FA80D423AF2}\Setup.exe" -l0x9 AddRemove
McAfee SecurityCenter-->C:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Base Smart Card Cryptographic Service Provider Package-->"C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Data Access Components KB870669-->C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISER /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{91120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {ABDDE972-355B-4AF1-89A8-DA50B7B5C045}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {F580DDD5-8D37-4998-968E-EBB76BB86787}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {187308AB-5FA7-4F14-9AB9-D290383A10D9}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Outlook Web Access S/MIME (2007)-->MsiExec.exe /I{3C19B361-C9E5-4D9C-99AA-CF039CE7F96E}
Microsoft Outlook Web Access S/MIME-->MsiExec.exe /X{6CF08AD2-00C5-4A63-B74B-2EFFFAFEBE1A}
Microsoft Tool Web Package:WntIpcfg.exe-->MsiExec.exe /X{EA82FF50-E258-4DFE-839B-8F26A01A34A7}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Windows XP Video Decoder Checkup Utility-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\DECCHECK.inf,Uninstall
Mozilla Firefox (3.6.3)-->D:\Mozilla Firefox\uninstall\helper.exe
MSI Live Update 3-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MSI\Live Update 3\Uninst.isu"
MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Nero - Burning Rom-->MsiExec.exe /X{A4D7B764-4140-11D4-88EB-0050DA3579C0}
NVIDIA Drivers-->C:\WINDOWS\system32\nvuaudio.exe UninstallGUI
Picasa 3-->"d:\Google\Picasa3\Uninstall.exe"
PrimoPDF Redistribution Package-->MsiExec.exe /I{885744A4-1A01-44B0-858A-0AE6738CBCF7}
PrimoPDF-->"C:\WINDOWS\PrimoPDF\uninstall.exe" "/U:d:\activePDF\PrimoPDF\Uninstall\uninstall.xml"
QuickTime-->MsiExec.exe /I{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}
Remote Control USB Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8471021C-F529-43DE-84DF-3612E10F58C4}\setup.exe" -l0x9 -removeonly
Sansa Updater-->C:\Program Files\InstallShield Installation Information\{E2D7E05E-C8C7-45F4-8D89-D6696075E0B7}\setup.exe -runfromtemp -l0x0009 -removeonly
Savings Bond Wizard-->C:\WINDOWS\unvise32.exe d:\savings bond wizard\uninstal.log
Scott's Nixie Tube Clock v 1.1-->D:\SBNixClock\unins000.exe
Security Update for 2007 Microsoft Office System (KB969559)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {69F52148-9BF6-4CDC-BF76-103DEAF3DD08}
Security Update for 2007 Microsoft Office System (KB976321)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {7F207DCA-3399-40CB-A968-6E5991B1421A}
Security Update for 2007 Microsoft Office System (KB978380)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {667A88D1-0369-4070-A62A-70672D68A9BF}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Microsoft Office Excel 2007 (KB978382)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {6DE3DABF-0203-426B-B330-7287D1003E86}
Security Update for Microsoft Office Outlook 2007 (KB972363)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {120BE9A0-9B09-4855-9E0C-7DEE45CB03C0}
Security Update for Microsoft Office PowerPoint 2007 (KB957789)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {7559E742-FF9F-4FAE-B279-008ED296CB4D}
Security Update for Microsoft Office Publisher 2007 (KB980470)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {34573F17-DADE-4D0D-835F-A54A1DE8AC1F}
Security Update for Microsoft Office system 2007 (972581)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {3D019598-7B59-447A-80AE-815B703B84FF}
Security Update for Microsoft Office system 2007 (KB969613)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {5ECEB317-CBE9-4E08-AB10-756CB6F0FB6C}
Security Update for Microsoft Office system 2007 (KB974234)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {FCD742B9-7A55-44BC-A776-F795F21FEDDC}
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {71127777-8B2C-4F97-AF7A-6CF8CAC8224D}
Security Update for Microsoft Office Word 2007 (KB969604)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {CF3D6499-709C-43D0-8908-BC5652656050}
Security Update for Windows Internet Explorer 7 (KB928090)-->"C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB929969)-->"C:\WINDOWS\ie7updates\KB929969\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB931768)-->"C:\WINDOWS\ie7updates\KB931768-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB933566)-->"C:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB937143)-->"C:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB969897)-->"C:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB969897)-->"C:\WINDOWS\ie8updates\KB969897-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB971961)-->"C:\WINDOWS\ie8updates\KB971961-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB972260)-->"C:\WINDOWS\ie8updates\KB972260-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB974455)-->"C:\WINDOWS\ie8updates\KB974455-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB976325)-->"C:\WINDOWS\ie8updates\KB976325-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB978207)-->"C:\WINDOWS\ie8updates\KB978207-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB981332)-->"C:\WINDOWS\ie8updates\KB981332-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Encoder (KB954156)-->"C:\WINDOWS\$NtUninstallKB954156_WM9L$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969947)-->"C:\WINDOWS\$NtUninstallKB969947$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970430)-->"C:\WINDOWS\$NtUninstallKB970430$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971468)-->"C:\WINDOWS\$NtUninstallKB971468$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB972270)-->"C:\WINDOWS\$NtUninstallKB972270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973904)-->"C:\WINDOWS\$NtUninstallKB973904$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974318)-->"C:\WINDOWS\$NtUninstallKB974318$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974392)-->"C:\WINDOWS\$NtUninstallKB974392$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975560)-->"C:\WINDOWS\$NtUninstallKB975560$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975561)-->"C:\WINDOWS\$NtUninstallKB975561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975713)-->"C:\WINDOWS\$NtUninstallKB975713$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977165)-->"C:\WINDOWS\$NtUninstallKB977165$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977816)-->"C:\WINDOWS\$NtUninstallKB977816$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977914)-->"C:\WINDOWS\$NtUninstallKB977914$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978037)-->"C:\WINDOWS\$NtUninstallKB978037$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978251)-->"C:\WINDOWS\$NtUninstallKB978251$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978262)-->"C:\WINDOWS\$NtUninstallKB978262$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978338)-->"C:\WINDOWS\$NtUninstallKB978338$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978542)-->"C:\WINDOWS\$NtUninstallKB978542$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978601)-->"C:\WINDOWS\$NtUninstallKB978601$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978706)-->"C:\WINDOWS\$NtUninstallKB978706$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979309)-->"C:\WINDOWS\$NtUninstallKB979309$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979683)-->"C:\WINDOWS\$NtUninstallKB979683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB980232)-->"C:\WINDOWS\$NtUninstallKB980232$\spuninst\spuninst.exe"
TitanTV Client components for ATI-->MsiExec.exe /I{A3DD7BA6-37A6-4245-A167-B3AA137B2157}
Tweak UI-->"C:\WINDOWS\System32\mshta.exe" "res://C:\WINDOWS\System32\TweakUI.exe/uninstall.hta"
TweakGDS version 1.1.3-->"d:\TweakGDS\unins000.exe"
Update for 2007 Microsoft Office System (KB967642)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {C444285D-5E4F-48A4-91DD-47AAAA68E92D}
Update for 2007 Microsoft Office System (KB981715)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {661B3F32-FFE4-4606-AE3A-DFA11DCC0D79}
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Microsoft Office InfoPath 2007 (KB976416)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {432C5EE4-8096-4FF1-95E1-65219365DFF7}
Update for Microsoft Office OneNote 2007 (KB980729)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {329050A9-EF80-40F9-B633-74508F54C1FF}
Update for Outlook 2007 Junk Email Filter (kb981726)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {2C69BACE-1151-41C0-8C8D-F6026D510BD4}
Update for Windows Internet Explorer 8 (KB971930)-->"C:\WINDOWS\ie8updates\KB971930-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB976662)-->"C:\WINDOWS\ie8updates\KB976662-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB976749)-->"C:\WINDOWS\ie8updates\KB976749-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB980182)-->"C:\WINDOWS\ie8updates\KB980182-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955759)-->"C:\WINDOWS\$NtUninstallKB955759$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB971737)-->"C:\WINDOWS\$NtUninstallKB971737$\spuninst\spuninst.exe"
Update for Windows XP (KB973687)-->"C:\WINDOWS\$NtUninstallKB973687$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
VC 9.0 Runtime-->MsiExec.exe /I{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}
VC 9.0 Runtime-->MsiExec.exe /I{A040AC77-C1AA-4CC9-8931-9F648AF178F6}
VC80CRTRedist - 8.0.50727.4053-->MsiExec.exe /I{5EE7D259-D137-4438-9A5F-42F432EC0421}
Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
Visual C++ 2008 x86 Runtime - v9.0.30729.01-->C:\WINDOWS\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
VLC media player 1.0.5-->e:\VLC\uninstall.exe
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)-->rundll32.exe C:\PROGRA~1\DIFX\15B7F172FC21855D\DIFxAppA.dll, DIFxARPUninstallDriverPackage C:\WINDOWS\system32\DRVSTORE\grmnusb_8E661E05CC789A6D1B8ABAA087CF60EDD72AC35D\grmnusb.inf
Windows Genuine Advantage v1.3.0254.0-->MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Media Encoder 9 Series-->msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series-->MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Media Player 9 Series TweakMP PowerToy-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\tweakmp.inf,DefaultUninstall
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinZip-->"d:\WinZip\WINZIP32.EXE" /uninstall
xImage-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{31492759-0E89-46B5-9770-F6E5808E3017}\Setup.exe" -l0x9
ZoneAlarm-->C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe

======Hosts File======

127.0.0.1 localhost

======Security center information======

AV: McAfee VirusScan
FW: ZoneAlarm Firewall

======System event log======

Computer Name: HOME2
Event Code: 602
Message: WDM Reader driver initialization cannot open reader device: The system cannot find the path specified.

Record Number: 13
Source Name: SCardSvr
Time Written: 20100515192207.000000-300
Event Type: error
User:

Computer Name: HOME2
Event Code: 602
Message: WDM Reader driver initialization cannot open reader device: The system cannot find the path specified.

Record Number: 10
Source Name: SCardSvr
Time Written: 20100515191238.000000-300
Event Type: error
User:

Computer Name: HOME2
Event Code: 45062
Message: CRT invalid display type

Record Number: 9
Source Name: ati2mtag
Time Written: 20100515191236.000000-300
Event Type: error
User:

Computer Name: HOME2
Event Code: 602
Message: WDM Reader driver initialization cannot open reader device: The system cannot find the path specified.

Record Number: 5
Source Name: SCardSvr
Time Written: 20100515190120.000000-300
Event Type: error
User:

Computer Name: HOME2
Event Code: 45062
Message: CRT invalid display type

Record Number: 4
Source Name: ati2mtag
Time Written: 20100515190119.000000-300
Event Type: error
User:

=====Application event log=====

Computer Name: HOME2
Event Code: 1000
Message: Faulting application mmc.exe, version 5.2.3790.4136, faulting module ntdll.dll, version 5.1.2600.5755, fault address 0x0000ff56.

Record Number: 22813
Source Name: Application Error
Time Written: 20100305194103.000000-360
Event Type: error
User:

Computer Name: HOME2
Event Code: 1000
Message: Faulting application setup.exe, version 12.0.6425.1000, faulting module osetup.dll, version 12.0.6425.1000, fault address 0x0026e0a0.

Record Number: 22785
Source Name: Application Error
Time Written: 20100302202503.000000-360
Event Type: error
User:

Computer Name: HOME2
Event Code: 0
Message:
Record Number: 22695
Source Name: Lavasoft Ad-Aware Service
Time Written: 20100226233757.000000-360
Event Type: error
User:

Computer Name: HOME2
Event Code: 0
Message:
Record Number: 22694
Source Name: Lavasoft Ad-Aware Service
Time Written: 20100226233713.000000-360
Event Type: error
User:

Computer Name: HOME2
Event Code: 1517
Message: Windows saved user HOME2\Owner registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 22584
Source Name: Userenv
Time Written: 20100215214810.000000-360
Event Type: warning
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\wbem;d:\DBSIGN~1\lib;D:\ActivCard\ActivCard Gold\resources;d:\DiskeeperLite;C:\Program Files\ATI Technologies\ATI Control Panel;d:\GTK\2.0\bin;C:\Program Files\Common Files\DivX Shared;C:\Program Files\ActivIdentity\ActivClient;C:\Program Files\QuickTime\QTSystem
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
"PROCESSOR_REVISION"=0a00
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"DiskeeperIcon"=d:\DiskeeperLite\
"FP_NO_HOST_CHECK"=NO
"MOZ_PLUGIN_PATH"=d:\DBSIGN~1\lib;
"tvdumpflags"=8
"CLASSPATH"=.;D:\Java\lib\ext\QTJava.zip
"QTJAVA"=D:\Java\lib\ext\QTJava.zip

-----------------EOF-----------------

GMER.log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-22 21:26:14
Windows 5.1.2600 Service Pack 3
Running: d5p2o483.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kxtdipow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xBA6B5FC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xBA6B2C80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xBA6CD170]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xBA6B6580]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xBA6CA900]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xBA6CAB10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xBA6CEB10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xBA6B6670]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xBA6B3210]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xBA6CD9F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xBA6CD7A0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xBA6CA280]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xBA6CDF10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xBA6CDF90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xBA6B3070]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xBA6CC180]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xBA6CBF40]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xBA6CE6F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xBA6CE150]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xBA6B5BE0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xBA6CE540]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xBA6B6190]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xBA6B3440]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xBA6CD4E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xBA6CB200]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xBA6CB080]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xBA5958C5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xBA5958AF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xBA5957C8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xBA5958F1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xBA59580B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xBA59579C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xBA59592D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xBA595899]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xBA595883]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xBA595774]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xBA595760]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xBA5958DB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xBA5957DE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xBA5957B2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 104 804E2770 12 Bytes [80, 65, 6B, BA, 00, A9, 6C, ...]
.text ntoskrnl.exe!ZwYieldExecution 804F0EB6 7 Bytes JMP BA5957B6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80568D48 5 Bytes JMP BA59580F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryValueKey 8056A1F9 7 Bytes JMP BA595887 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8056DDD9 5 Bytes JMP BA595764 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryKey 80570C4A 7 Bytes JMP BA595931 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateKey 80570F41 7 Bytes JMP BA5958C9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80571E96 7 Bytes JMP BA5957A0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 805738C6 5 Bytes JMP BA5957E2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80573D41 7 Bytes JMP BA5957CC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateValueKey 80589A67 7 Bytes JMP BA5958B3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 8058EA94 5 Bytes JMP BA5958F5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062E057 5 Bytes JMP BA595778 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 8064DD32 7 Bytes JMP BA5958DF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 8064E66B 7 Bytes JMP BA59589D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.rsrc C:\WINDOWS\system32\drivers\pci.sys entry point in ".rsrc" section [0xF77DD994]
? srescan.sys The system cannot find the file specified. !
init C:\WINDOWS\system32\drivers\nvax.sys entry point in "init" section [0xF78E8A0C]
init C:\WINDOWS\System32\Drivers\GKUPRO2D.sys entry point in "init" section [0xF7240D70]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[616] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CE0FEF
.text C:\WINDOWS\System32\svchost.exe[616] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CE0F66
.text C:\WINDOWS\System32\svchost.exe[616] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CE005B
.text C:\WINDOWS\System32\svchost.exe[616] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CE004A
.text C:\WINDOWS\System32\svchost.exe[616] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CE0F8D
.text C:\WINDOWS\System32\svchost.exe[616] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CE0FB9
.text C:\WINDOWS\System32\svchost.exe[616] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CE0F2E
.text C:\WINDOWS\System32\svchost.exe[616] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CE0076
.text C:\WINDOWS\System32\svchost.exe[616] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CE0EF1
.text C:\WINDOWS\System32\svchost.exe[616] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CE0F02
.text C:\WINDOWS\System32\svchost.exe[616] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CE0ED6
.text C:\WINDOWS\System32\svchost.exe[616] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CE0F9E
.text C:\WINDOWS\System32\svchost.exe[616] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CE0000
.text C:\WINDOWS\System32\svchost.exe[616] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CE0F4B
.text C:\WINDOWS\System32\svchost.exe[616] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CE0025
.text C:\WINDOWS\System32\svchost.exe[616] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CE0FCA
.text C:\WINDOWS\System32\svchost.exe[616] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CE0F13
.text C:\WINDOWS\System32\svchost.exe[616] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CD0FD1
.text C:\WINDOWS\System32\svchost.exe[616] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CD0F94
.text C:\WINDOWS\System32\svchost.exe[616] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CD0022
.text C:\WINDOWS\System32\svchost.exe[616] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CD0011
.text C:\WINDOWS\System32\svchost.exe[616] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CD0FAF
.text C:\WINDOWS\System32\svchost.exe[616] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CD0000
.text C:\WINDOWS\System32\svchost.exe[616] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00CD0FC0
.text C:\WINDOWS\System32\svchost.exe[616] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [ED, 88]
.text C:\WINDOWS\System32\svchost.exe[616] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CD003D
.text C:\WINDOWS\System32\svchost.exe[616] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CC0049
.text C:\WINDOWS\System32\svchost.exe[616] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CC0038
.text C:\WINDOWS\System32\svchost.exe[616] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CC001D
.text C:\WINDOWS\System32\svchost.exe[616] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CC0FE3
.text C:\WINDOWS\System32\svchost.exe[616] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CC0FC8
.text C:\WINDOWS\System32\svchost.exe[616] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CC000C
.text C:\WINDOWS\System32\svchost.exe[616] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00CA0FEF
.text C:\WINDOWS\System32\svchost.exe[616] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00CA0FDE
.text C:\WINDOWS\System32\svchost.exe[616] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00CA0014
.text C:\WINDOWS\System32\svchost.exe[616] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00CA002F
.text C:\WINDOWS\System32\svchost.exe[616] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CB0FE5
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01690000
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01690F9E
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01690089
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01690078
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01690FAF
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01690047
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01690F66
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 016900AE
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 016900E4
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01690F4B
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01690F30
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01690FCA
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0169001B
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01690F83
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01690FE5
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0169002C
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 016900C9
.text C:\WINDOWS\system32\services.exe[768] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 013D0047
.text C:\WINDOWS\system32\services.exe[768] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 013D006C
.text C:\WINDOWS\system32\services.exe[768] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 013D002C
.text C:\WINDOWS\system32\services.exe[768] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 013D0011
.text C:\WINDOWS\system32\services.exe[768] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 013D0FAF
.text C:\WINDOWS\system32\services.exe[768] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 013D0000
.text C:\WINDOWS\system32\services.exe[768] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 013D0FC0
.text C:\WINDOWS\system32\services.exe[768] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [5D, 89]
.text C:\WINDOWS\system32\services.exe[768] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 013D0FD1
.text C:\WINDOWS\system32\services.exe[768] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 013C0F8B
.text C:\WINDOWS\system32\services.exe[768] msvcrt.dll!system 77C293C7 5 Bytes JMP 013C0F9C
.text C:\WINDOWS\system32\services.exe[768] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 013C0FD2
.text C:\WINDOWS\system32\services.exe[768] msvcrt.dll!_open 77C2F566 5 Bytes JMP 013C0000
.text C:\WINDOWS\system32\services.exe[768] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 013C0FB7
.text C:\WINDOWS\system32\services.exe[768] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 013C0FE3
.text C:\WINDOWS\system32\services.exe[768] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 013A000A
.text C:\WINDOWS\system32\services.exe[768] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 013A0025
.text C:\WINDOWS\system32\services.exe[768] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 013A0036
.text C:\WINDOWS\system32\services.exe[768] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 013A0047
.text C:\WINDOWS\system32\services.exe[768] WS2_32.dll!socket 71AB4211 5 Bytes JMP 013B000A
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01090FEF
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0109008C
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01090F97
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01090065
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01090054
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01090025
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01090F72
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 010900C4
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01090F46
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 010900DF
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01090F35
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01090FA8
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01090FD4
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 010900A7
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01090FB9
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01090014
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01090F61
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01080FCA
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01080F9E
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01080FE5
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01080011
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01080051
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01080000
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01080FAF
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [28, 89]
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01080036
.text C:\WINDOWS\system32\lsass.exe[780] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01070042
.text C:\WINDOWS\system32\lsass.exe[780] msvcrt.dll!system 77C293C7 5 Bytes JMP 01070FB7
.text C:\WINDOWS\system32\lsass.exe[780] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0107000C
.text C:\WINDOWS\system32\lsass.exe[780] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01070FEF
.text C:\WINDOWS\system32\lsass.exe[780] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0107001D
.text C:\WINDOWS\system32\lsass.exe[780] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01070FD2
.text C:\WINDOWS\system32\lsass.exe[780] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01060000
.text C:\WINDOWS\system32\lsass.exe[780] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01050FE5
.text C:\WINDOWS\system32\lsass.exe[780] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0105000A
.text C:\WINDOWS\system32\lsass.exe[780] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01050FD4
.text C:\WINDOWS\system32\lsass.exe[780] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 01050FC3
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02620000
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02620F94
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02620FB9
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02620FCA
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02620FDB
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02620062
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02620F63
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 026200B5
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 026200EB
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02620F52
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02620106
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0262007D
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0262001B
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 026200A4
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0262003D
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0262002C
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 026200C6
.text C:\WINDOWS\system32\svchost.exe[976] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0261001B
.text C:\WINDOWS\system32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0261004A
.text C:\WINDOWS\system32\svchost.exe[976] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0261000A
.text C:\WINDOWS\system32\svchost.exe[976] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02610FDE
.text C:\WINDOWS\system32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02610F8D
.text C:\WINDOWS\system32\svchost.exe[976] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02610FEF
.text C:\WINDOWS\system32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02610F9E
.text C:\WINDOWS\system32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [81, 8A]
.text C:\WINDOWS\system32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02610FAF
.text C:\WINDOWS\system32\svchost.exe[976] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02600027
.text C:\WINDOWS\system32\svchost.exe[976] msvcrt.dll!system 77C293C7 5 Bytes JMP 02600F9C
.text C:\WINDOWS\system32\svchost.exe[976] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02600FD2
.text C:\WINDOWS\system32\svchost.exe[976] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0260000C
.text C:\WINDOWS\system32\svchost.exe[976] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02600FAD
.text C:\WINDOWS\system32\svchost.exe[976] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02600FE3
.text C:\WINDOWS\system32\svchost.exe[976] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 025E0FEF
.text C:\WINDOWS\system32\svchost.exe[976] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 025E000A
.text C:\WINDOWS\system32\svchost.exe[976] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 025E001B
.text C:\WINDOWS\system32\svchost.exe[976] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 025E0036
.text C:\WINDOWS\system32\svchost.exe[976] WS2_32.dll!socket 71AB4211 5 Bytes JMP 025F0FEF
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FC000A
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FC006E
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FC005D
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FC0F83
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FC0F9E
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FC0FB9
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FC0095
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FC0F4D
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FC00DC
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FC00CB
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FC0F32
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FC0040
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FC0025
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FC0F5E
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FC0FCA
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FC0FEF
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FC00B0
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FB0FDB
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FB0073
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FB0022
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FB0011
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FB0062
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FB0000
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00FB0FB6
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [1B, 89]
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FB0047
.text C:\WINDOWS\system32\svchost.exe[1080] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FA0FB7
.text C:\WINDOWS\system32\svchost.exe[1080] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FA0FC8
.text C:\WINDOWS\system32\svchost.exe[1080] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FA0027
.text C:\WINDOWS\system32\svchost.exe[1080] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FA0000
.text C:\WINDOWS\system32\svchost.exe[1080] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FA0038
.text C:\WINDOWS\system32\svchost.exe[1080] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FA0FE3
.text C:\WINDOWS\system32\svchost.exe[1080] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00F80FEF
.text C:\WINDOWS\system32\svchost.exe[1080] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00F80000
.text C:\WINDOWS\system32\svchost.exe[1080] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00F80FCA
.text C:\WINDOWS\system32\svchost.exe[1080] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00F8001B
.text C:\WINDOWS\system32\svchost.exe[1080] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F90FEF
.text C:\WINDOWS\System32\svchost.exe[1188] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[1188] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
.text C:\WINDOWS\System32\svchost.exe[1188] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C
.text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02C3000A
.text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02C30F80
.text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02C30075
.text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02C30058
.text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02C30047
.text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02C30FC0
.text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02C300AD
.text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02C30F65
.text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02C30F14
.text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02C30F25
.text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02C30F03
.text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02C30FAF
.text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02C3001B
.text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02C30090
.text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02C3002C
.text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02C30FDB
.text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02C30F40
.text C:\WINDOWS\System32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02C10014
.text C:\WINDOWS\System32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02C10058
.text C:\WINDOWS\System32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02C10FC3
.text C:\WINDOWS\System32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02C10FDE
.text C:\WINDOWS\System32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02C10047
.text C:\WINDOWS\System32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02C10FEF
.text C:\WINDOWS\System32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02C10036
.text C:\WINDOWS\System32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02C10025
.text C:\WINDOWS\System32\svchost.exe[1188] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 01C3000A
.text C:\WINDOWS\System32\svchost.exe[1188] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00AE000A
.text C:\WINDOWS\System32\svchost.exe[1188] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02C00FB7
.text C:\WINDOWS\System32\svchost.exe[1188] msvcrt.dll!system 77C293C7 5 Bytes JMP 02C00FC8
.text C:\WINDOWS\System32\svchost.exe[1188] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02C00027
.text C:\WINDOWS\System32\svchost.exe[1188] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02C00000
.text C:\WINDOWS\System32\svchost.exe[1188] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02C00038
.text C:\WINDOWS\System32\svchost.exe[1188] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02C00FEF
.text C:\WINDOWS\System32\svchost.exe[1188] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02BE0FEF
.text C:\WINDOWS\System32\svchost.exe[1188] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 02BE0FD4
.text C:\WINDOWS\System32\svchost.exe[1188] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 02BE0FC3
.text C:\WINDOWS\System32\svchost.exe[1188] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 02BE000A
.text C:\WINDOWS\System32\svchost.exe[1188] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02BF0FE5
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 008F0FEF
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 008F0069
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 008F0F74
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 008F0058
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 008F0047
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 008F0025
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 008F0F39
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 008F008B
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008F00B0
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 008F0F17
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 008F00C1
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 008F0036
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 008F0000
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 008F007A
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 008F0FAF
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 008F0FCA
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 008F0F28
.text C:\WINDOWS\system32\svchost.exe[1264] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 008E0FAF
.text C:\WINDOWS\system32\svchost.exe[1264] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 008E004A
.text C:\WINDOWS\system32\svchost.exe[1264] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 008E0FCA
.text C:\WINDOWS\system32\svchost.exe[1264] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 008E0FDB
.text C:\WINDOWS\system32\svchost.exe[1264] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 008E0F83
.text C:\WINDOWS\system32\svchost.exe[1264] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 008E0000
.text C:\WINDOWS\system32\svchost.exe[1264] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 008E0025
.text C:\WINDOWS\system32\svchost.exe[1264] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 008E0F9E
.text C:\WINDOWS\system32\svchost.exe[1264] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 008D0FB0
.text C:\WINDOWS\system32\svchost.exe[1264] msvcrt.dll!system 77C293C7 5 Bytes JMP 008D003B
.text C:\WINDOWS\system32\svchost.exe[1264] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 008D000C
.text C:\WINDOWS\system32\svchost.exe[1264] msvcrt.dll!_open 77C2F566 5 Bytes JMP 008D0FEF
.text C:\WINDOWS\system32\svchost.exe[1264] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 008D0FC1
.text C:\WINDOWS\system32\svchost.exe[1264] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 008D0FDE
.text C:\WINDOWS\system32\svchost.exe[1264] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 001C0FE5
.text C:\WINDOWS\system32\svchost.exe[1264] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 001C0000
.text C:\WINDOWS\system32\svchost.exe[1264] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 001C0FD4
.text C:\WINDOWS\system32\svchost.exe[1264] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 001C0025
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A0000A
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A00076
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A00065
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A00F8B
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A00FB2
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A00040
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A00F4B
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A00093
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A00F1F
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A000AE
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A000D3
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A00FC3
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A00FEF
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A00F5C
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A00FDE
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A0002F
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A00F3A
.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009F0FD4
.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009F0F94
.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009F0025
.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009F0FEF
.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009F0051
.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009F0000
.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 009F0040
.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009F0FC3
.text C:\WINDOWS\System32\svchost.exe[1328] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009E0FA3
.text C:\WINDOWS\System32\svchost.exe[1328] msvcrt.dll!system 77C293C7 5 Bytes JMP 009E0FBE
.text C:\WINDOWS\System32\svchost.exe[1328] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009E0FE3
.text C:\WINDOWS\System32\svchost.exe[1328] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009E000C
.text C:\WINDOWS\System32\svchost.exe[1328] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009E002E
.text C:\WINDOWS\System32\svchost.exe[1328] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009E001D
.text C:\WINDOWS\System32\svchost.exe[1328] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 001C0000
.text C:\WINDOWS\System32\svchost.exe[1328] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 001C0FE5
.text C:\WINDOWS\System32\svchost.exe[1328] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 001C0FCA
.text C:\WINDOWS\System32\svchost.exe[1328] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 001C001B
.text C:\WINDOWS\System32\svchost.exe[1328] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009D0000
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C40000
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C40F63
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C40F74
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C40F91
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C4004E
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C40FAC
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C4007A
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C40F32
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C4009C
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C40F03
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C40EF2
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C4003D
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C40011
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C40069
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C40022
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C40FDB
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C4008B
.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C30FB6
.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C30047
.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C30011
.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C30000
.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C30F8A
.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C30FEF
.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C3002C
.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C30FA5
.text C:\WINDOWS\system32\svchost.exe[1452] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C20058
.text C:\WINDOWS\system32\svchost.exe[1452] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C20047
.text C:\WINDOWS\system32\svchost.exe[1452] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C20022
.text C:\WINDOWS\system32\svchost.exe[1452] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C20000
.text C:\WINDOWS\system32\svchost.exe[1452] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C20FCD
.text C:\WINDOWS\system32\svchost.exe[1452] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C20011
.text C:\WINDOWS\system32\svchost.exe[1452] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 001B000A
.text C:\WINDOWS\system32\svchost.exe[1452] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 001B001B
.text C:\WINDOWS\system32\svchost.exe[1452] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 001B0FE5
.text C:\WINDOWS\system32\svchost.exe[1452] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 001B0040
.text C:\WINDOWS\system32\svchost.exe[1452] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001C000A
.text C:\WINDOWS\Explorer.EXE[2004] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[2004] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[2004] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\WINDOWS\Explorer.EXE[2004] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01900FEF
.text C:\WINDOWS\Explorer.EXE[2004] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01900054
.text C:\WINDOWS\Explorer.EXE[2004] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01900F5F
.text C:\WINDOWS\Explorer.EXE[2004] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01900039
.text C:\WINDOWS\Explorer.EXE[2004] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01900F7C
.text C:\WINDOWS\Explorer.EXE[2004] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01900FA8
.text C:\WINDOWS\Explorer.EXE[2004] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0190007B
.text C:\WINDOWS\Explorer.EXE[2004] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01900F29
.text C:\WINDOWS\Explorer.EXE[2004] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01900EF6
.text C:\WINDOWS\Explorer.EXE[2004] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01900F07
.text C:\WINDOWS\Explorer.EXE[2004] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 019000AA
.text C:\WINDOWS\Explorer.EXE[2004] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01900F8D
.text C:\WINDOWS\Explorer.EXE[2004] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01900FD4
.text C:\WINDOWS\Explorer.EXE[2004] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01900F3A
.text C:\WINDOWS\Explorer.EXE[2004] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01900FB9
.text C:\WINDOWS\Explorer.EXE[2004] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0190000A
.text C:\WINDOWS\Explorer.EXE[2004] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01900F18
.text C:\WINDOWS\Explorer.EXE[2004] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 018F0FC0
.text C:\WINDOWS\Explorer.EXE[2004] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 018F005F
.text C:\WINDOWS\Explorer.EXE[2004] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 018F001B
.text C:\WINDOWS\Explorer.EXE[2004] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 018F000A
.text C:\WINDOWS\Explorer.EXE[2004] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 018F004E
.text C:\WINDOWS\Explorer.EXE[2004] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 018F0FEF
.text C:\WINDOWS\Explorer.EXE[2004] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 018F003D
.text C:\WINDOWS\Explorer.EXE[2004] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 018F002C
.text C:\WINDOWS\Explorer.EXE[2004] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 018E0036
.text C:\WINDOWS\Explorer.EXE[2004] msvcrt.dll!system 77C293C7 5 Bytes JMP 018E0FB5
.text C:\WINDOWS\Explorer.EXE[2004] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 018E0000
.text C:\WINDOWS\Explorer.EXE[2004] msvcrt.dll!_open 77C2F566 5 Bytes JMP 018E0FEF
.text C:\WINDOWS\Explorer.EXE[2004] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 018E001B
.text C:\WINDOWS\Explorer.EXE[2004] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 018E0FC6
.text C:\WINDOWS\Explorer.EXE[2004] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 018C0FEF
.text C:\WINDOWS\Explorer.EXE[2004] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 018C0FDE
.text C:\WINDOWS\Explorer.EXE[2004] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 018C0014
.text C:\WINDOWS\Explorer.EXE[2004] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 018C0FC3
.text C:\WINDOWS\Explorer.EXE[2004] WS2_32.dll!socket 71AB4211 5 Bytes JMP 018D0FE5
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2120] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2120] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device -> \Driver\atapi \Device\Harddisk0\DR0 8669DCEC

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@NoPopUpsOnBoot 1

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\pci.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Edited by Tim0272, 22 May 2010 - 09:29 PM.


#6 aommaster

    I !<3 malware

  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai
  • Local time:11:57 AM

Posted 22 May 2010 - 09:50 PM

Hello, Tim0272.
No problem. It's fine.

P2P Program Warning!

uTorrent

P2P programs form a direct conduit onto your computer, their security measures are easily circumvented, and malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P programme is not configured correctly you may be sharing more files than you realise. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured programme.

This article from InfoWorld illustrates perfectly the dangers of a poorly configured P2P program.
Here

Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.
When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.

Note: It is pretty much certain that if you continue to use P2P programs, then you will get infected again.
I would recommend that you uninstall the programs listed above, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.




It appears that you have previously run Combofix. Please post up the results of the Combofix log located at c:\Combofix.txt

Also, I would like to bring to your attention Combofix's disclaimer:
QUOTE
You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.

Running Combofix without a helper's instructions can render your computer unbootable. See this topic for more information on Combofix. If you are getting help elsewhere, let me know so we can avoid confusion.


In your next reply, please include the following:
  • Combofix.txt

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#7 Tim0272

  • Topic Starter
  • Members
  • 16 posts
  • Local time:02:57 AM

Posted 24 May 2010 - 06:54 PM

Thanks for the article on P2P programs. I will take a look at it.

I originally ran Combofix before reading the warning. It never completed, and I don't see a combofix.txt file. About that time is when I registered to get some professional help.

Should I try it again?

#8 aommaster

    I !<3 malware

  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai
  • Local time:11:57 AM

Posted 24 May 2010 - 07:45 PM

Hello, Tim0272.
Yes, however, I'd like you to download a new copy of combofix.

We need to download a fresh copy of Combofix
  1. Please download a fresh copy of ComboFix from one of these locations:
    Link 1
    Link 2

NEXT:

We need to download and run ComboFix (by sUBs)
  1. Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
    They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". For more details, please check this thread
  2. Double click on ComboFix.exe & follow the prompts.
  3. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  4. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  5. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    The Recovery Console was successfully installed. Click 'Yes' to continue scanning for malware. Click 'No' to exit
  6. Click on Yes, to continue scanning for malware.
  7. When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
**A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
**This tool is not a toy and not for everyday use.
**ComboFix SHOULD NOT be used unless requested by a forum helper


In your next reply, please include the following:
  • ComboFix.txt



#9 Tim0272

  • Topic Starter
  • Members
  • 16 posts
  • Local time:02:57 AM

Posted 24 May 2010 - 08:56 PM

aommaster,

I downloaded a fresh copy and disabled the McAfee Security Center and the Zone Alarm firewall.

Combofix does not finish its scan, however. It gets through the "preparing to scan" step and "backing up the registry", but when the autoscan portion starts, the message that states it is "scanning for infected files...it might take 10 minutes or longer for heavily infected computers" is displayed for about 30 seconds. Then, my computer re-boots every single time at this point.

Any thoughts on how to get Combofix to go through a full scan?

Tim0272

#10 aommaster

    I !<3 malware

  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai
  • Local time:11:57 AM

Posted 24 May 2010 - 09:05 PM

Hello, Tim0272.
If combofix doesn't seem to be running, that's fine. We'll use other tools to remove the infection.

We need to run TDSSKiller
  1. Download TDSSKiller and save it to your Desktop.
  2. Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  3. Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks and do not include the word "Code") Then press OK.
    CODE
    "%userprofile%\Desktop\TDSSKiller.exe" -l "%userprofile%\Desktop\TDSSKiller.txt" -v

    **Note:If it says "Hidden service detected" DO NOT type anything in. Just press Enter.
  4. When it is done, a log file should be created on your desktop called "TDSSKiller.txt". Please copy and paste the contents of that file here.

In your next reply, please include the following:
  • TDSSKiller.txt



#11 Tim0272

  • Topic Starter
  • Members
  • 16 posts
  • Local time:02:57 AM

Posted 24 May 2010 - 09:12 PM

TDSSKiller.txt

21:10:26:304 2412 TDSS rootkit removing tool 2.3.0.0 May 12 2010 18:11:17
21:10:26:304 2412 ================================================================================
21:10:26:304 2412 SystemInfo:

21:10:26:304 2412 OS Version: 5.1.2600 ServicePack: 3.0
21:10:26:304 2412 Product type: Workstation
21:10:26:304 2412 ComputerName: HOME2
21:10:26:304 2412 UserName: Owner
21:10:26:304 2412 Windows directory: C:\WINDOWS
21:10:26:304 2412 Processor architecture: Intel x86
21:10:26:304 2412 Number of processors: 1
21:10:26:304 2412 Page size: 0x1000
21:10:26:304 2412 Boot type: Normal boot
21:10:26:304 2412 ================================================================================
21:10:26:304 2412 UnloadDriverW: NtUnloadDriver error 2
21:10:26:304 2412 ForceUnloadDriverW: UnloadDriverW(klmd23) error 2
21:10:26:351 2412 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
21:10:26:351 2412 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
21:10:26:351 2412 wfopen_ex: Trying to KLMD file open
21:10:26:351 2412 wfopen_ex: File opened ok (Flags 2)
21:10:26:351 2412 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
21:10:26:351 2412 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
21:10:26:351 2412 wfopen_ex: Trying to KLMD file open
21:10:26:351 2412 wfopen_ex: File opened ok (Flags 2)
21:10:26:351 2412 KLAVA engine initialized
21:10:26:632 2412 Initialize success
21:10:26:632 2412
21:10:26:632 2412 Scanning Services ...
21:10:26:898 2412 Raw services enum returned 370 services
21:10:26:914 2412
21:10:26:914 2412 Scanning Drivers ...
21:10:27:179 2412 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
21:10:27:226 2412 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
21:10:27:289 2412 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
21:10:27:320 2412 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
21:10:27:414 2412 AmdK7 (8fce268cdbdd83b23419d1f35f42c7b1) C:\WINDOWS\system32\DRIVERS\amdk7.sys
21:10:27:476 2412 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
21:10:27:539 2412 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
21:10:27:554 2412 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
21:10:27:601 2412 ATI Remote Wonder II (368be3db3a6b9621df51216d323cda23) C:\WINDOWS\system32\drivers\ATIRWVD.SYS
21:10:27:711 2412 ati2mtag (0c2ca1c294938139829b1983a0c38b31) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
21:10:27:820 2412 ATIAVAIW (e2096bd905d903b60df984e9a8ec658f) C:\WINDOWS\system32\DRIVERS\atinavt2.sys
21:10:27:882 2412 atinevxx (3a1e812f42e1729ca85abf2d756837d3) C:\WINDOWS\system32\DRIVERS\atinevxx.sys
21:10:27:929 2412 atinrvxx (cb72a63b707b16097a45c239b66f98ef) C:\WINDOWS\system32\DRIVERS\atinrvxx.sys
21:10:27:976 2412 ATITUNEP (44ffb931299aceac200de96b33c7a594) C:\WINDOWS\system32\DRIVERS\atineuxx.sys
21:10:27:992 2412 ativraxx (b4650baa9910634b686dbfbb8a2dfc93) C:\WINDOWS\system32\DRIVERS\atinraxx.sys
21:10:28:039 2412 ATIXSAudio (03c6471cf14705990bc92fb31e3f3cb3) C:\WINDOWS\system32\DRIVERS\atinesxx.sys
21:10:28:101 2412 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
21:10:28:117 2412 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
21:10:28:148 2412 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
21:10:28:242 2412 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
21:10:28:289 2412 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
21:10:28:336 2412 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
21:10:28:367 2412 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
21:10:28:414 2412 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
21:10:28:492 2412 cmuda (e5adeef2c0db43964223f408f1fcc97e) C:\WINDOWS\system32\drivers\cmuda.sys
21:10:28:601 2412 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
21:10:28:695 2412 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
21:10:28:757 2412 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
21:10:28:789 2412 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
21:10:28:836 2412 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
21:10:28:867 2412 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
21:10:28:914 2412 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
21:10:28:945 2412 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
21:10:28:992 2412 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
21:10:29:023 2412 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
21:10:29:054 2412 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
21:10:29:070 2412 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
21:10:29:086 2412 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
21:10:29:132 2412 GcKernel (72fe2bea6863d4eb93442a1c4fb5ca48) C:\WINDOWS\system32\DRIVERS\GcKernel.sys
21:10:29:164 2412 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
21:10:29:195 2412 GKUPRO2D (d5eccc6df4aa18a1e31fd71f6c15c8ec) C:\WINDOWS\system32\Drivers\GKUPRO2D.sys
21:10:29:242 2412 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
21:10:29:273 2412 grmnusb (d956358054e99e6ffac69cd87e893a89) C:\WINDOWS\system32\drivers\grmnusb.sys
21:10:29:351 2412 HIDSwvd (bd205320308fb41c88a4049a2d1764b4) C:\WINDOWS\system32\DRIVERS\HIDSwvd.sys
21:10:29:382 2412 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
21:10:29:445 2412 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
21:10:29:507 2412 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
21:10:29:539 2412 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
21:10:29:601 2412 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
21:10:29:632 2412 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
21:10:29:679 2412 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
21:10:29:711 2412 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
21:10:29:757 2412 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
21:10:29:789 2412 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
21:10:29:820 2412 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
21:10:29:851 2412 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
21:10:29:867 2412 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
21:10:29:929 2412 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
21:10:29:961 2412 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
21:10:30:007 2412 mfeavfk (bafdd5e28baea99d7f4772af2f5ec7ee) C:\WINDOWS\system32\drivers\mfeavfk.sys
21:10:30:054 2412 mfebopk (1d003e3056a43d881597d6763e83b943) C:\WINDOWS\system32\drivers\mfebopk.sys
21:10:30:117 2412 mfehidk (3f138a1c8a0659f329f242d1e389b2cf) C:\WINDOWS\system32\drivers\mfehidk.sys
21:10:30:164 2412 mferkdk (41fe2f288e05a6c8ab85dd56770ffbad) C:\WINDOWS\system32\drivers\mferkdk.sys
21:10:30:195 2412 mfesmfk (096b52ea918aa909ba5903d79e129005) C:\WINDOWS\system32\drivers\mfesmfk.sys
21:10:30:211 2412 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
21:10:30:257 2412 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
21:10:30:289 2412 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
21:10:30:336 2412 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
21:10:30:351 2412 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
21:10:30:382 2412 MPE (c0f8e0c2c3c0437cf37c6781896dc3ec) C:\WINDOWS\system32\DRIVERS\MPE.sys
21:10:30:414 2412 MPFP (136157e79849b9e5316ba4008d6075a8) C:\WINDOWS\system32\Drivers\Mpfp.sys
21:10:30:461 2412 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
21:10:30:507 2412 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
21:10:30:554 2412 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
21:10:30:586 2412 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
21:10:30:617 2412 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
21:10:30:679 2412 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
21:10:30:742 2412 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
21:10:30:757 2412 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
21:10:30:789 2412 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
21:10:30:820 2412 MVDCODEC (266dda3309e41b2e28f718e050a7f558) C:\WINDOWS\system32\DRIVERS\atinmdxx.sys
21:10:30:867 2412 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
21:10:30:898 2412 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
21:10:30:945 2412 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
21:10:30:976 2412 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
21:10:31:023 2412 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
21:10:31:039 2412 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
21:10:31:070 2412 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
21:10:31:101 2412 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
21:10:31:132 2412 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
21:10:31:164 2412 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
21:10:31:195 2412 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
21:10:31:242 2412 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
21:10:31:289 2412 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
21:10:31:320 2412 nvax (c940418d48b98359e9ccbad695e5f530) C:\WINDOWS\system32\drivers\nvax.sys
21:10:31:398 2412 NVENET (c8400ca70bf8a30156487bf887886432) C:\WINDOWS\system32\DRIVERS\NVENET.sys
21:10:31:601 2412 nvnforce (b000a8b4946f786a56c7b020620b3a46) C:\WINDOWS\system32\drivers\nvapu.sys
21:10:31:679 2412 nv_agp (29291c3a7256337327051cc37e4fc09a) C:\WINDOWS\system32\DRIVERS\nv_agp.sys
21:10:31:711 2412 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
21:10:31:742 2412 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
21:10:31:757 2412 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
21:10:31:789 2412 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
21:10:31:820 2412 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
21:10:31:851 2412 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
21:10:31:882 2412 PCDCODEC (c8ee71d399296b013085797694eb50af) C:\WINDOWS\system32\DRIVERS\atinpdxx.sys
21:10:31:929 2412 PCI (9ccbf2fcaa85b7f68d1360c32676c3c8) C:\WINDOWS\system32\DRIVERS\pci.sys
21:10:31:929 2412 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\pci.sys. Real md5: 9ccbf2fcaa85b7f68d1360c32676c3c8, Fake md5: a219903ccf74233761d92bef471a07b1
21:10:31:929 2412 File "C:\WINDOWS\system32\DRIVERS\pci.sys" infected by TDSS rootkit ... 21:10:34:226 2412 Backup copy found, using it..
21:10:34:242 2412 will be cured on next reboot
21:10:34:320 2412 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
21:10:34:382 2412 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
21:10:34:476 2412 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
21:10:34:507 2412 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
21:10:34:539 2412 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
21:10:34:554 2412 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
21:10:34:586 2412 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys
21:10:34:679 2412 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
21:10:34:711 2412 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
21:10:34:742 2412 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
21:10:34:757 2412 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
21:10:34:789 2412 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
21:10:34:804 2412 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
21:10:34:851 2412 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
21:10:34:898 2412 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
21:10:34:929 2412 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
21:10:34:961 2412 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
21:10:35:007 2412 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
21:10:35:039 2412 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
21:10:35:086 2412 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
21:10:35:132 2412 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
21:10:35:179 2412 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
21:10:35:257 2412 srescan (bb1cc49b817d2551eb321f4a9afb7d8c) C:\WINDOWS\system32\ZoneLabs\srescan.sys
21:10:35:336 2412 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
21:10:35:382 2412 StarOpen (f92254b0bcfcd10caac7bccc7cb7f467) C:\WINDOWS\system32\drivers\StarOpen.sys
21:10:35:414 2412 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
21:10:35:445 2412 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
21:10:35:492 2412 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
21:10:35:570 2412 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
21:10:35:617 2412 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
21:10:35:664 2412 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
21:10:35:679 2412 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
21:10:35:711 2412 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
21:10:35:757 2412 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
21:10:35:820 2412 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
21:10:35:867 2412 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\WINDOWS\system32\Drivers\usbaapl.sys
21:10:35:914 2412 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
21:10:35:961 2412 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
21:10:35:992 2412 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
21:10:36:054 2412 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
21:10:36:086 2412 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
21:10:36:117 2412 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
21:10:36:164 2412 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
21:10:36:211 2412 vsdatant (13a225a31f8d64a395373e9434d2d1ab) C:\WINDOWS\system32\vsdatant.sys
21:10:36:257 2412 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
21:10:36:289 2412 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
21:10:36:367 2412 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
21:10:36:398 2412 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\Drivers\wpdusb.sys
21:10:36:429 2412 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
21:10:36:461 2412 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
21:10:36:492 2412 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
21:10:36:492 2412 Reboot required for cure complete..
21:10:36:507 2412 Cure on reboot scheduled successfully
21:10:36:507 2412
21:10:36:507 2412 Completed
21:10:36:507 2412
21:10:36:507 2412 Results:
21:10:36:507 2412 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
21:10:36:507 2412 File objects infected / cured / cured on reboot: 1 / 0 / 1
21:10:36:507 2412
21:10:36:507 2412 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
21:10:36:507 2412 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
21:10:36:507 2412 UnloadDriverW: NtUnloadDriver error 1
21:10:36:507 2412 KLMD(ARK) unloaded successfully
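The TDSSKiller log above lists every loaded driver with its MD5 and then reports one file object "cured on reboot". That is the shape of a TDSS-style infection: the rootkit patches an existing, legitimately named system driver in place rather than dropping a new file, so a listing of familiar driver names is not by itself evidence of a clean system; what matters is whether each hash still matches a known-good copy. The script below is an added example written for this thread (it is not part of TDSSKiller) that parses driver-enumeration lines in the format shown and compares them against a baseline of expected hashes. The three sample lines are copied from the log above; the BASELINE dictionary is constructed for the example and deliberately contains a wrong hash for srv.sys so the mismatch path is exercised, so its values must not be taken as real known-good hashes.

```python
"""Compare driver hashes from a TDSSKiller enumeration log against a baseline.
Added example for this thread; not part of TDSSKiller."""
import re
from typing import Dict, List

# One driver-enumeration line: "HH:MM:SS:mmm <pid> <service> (<md5>) <path>".
# Status lines ("Reboot required...", "Results:") have no (md5) and are skipped.
DRIVER_LINE = re.compile(
    r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s+(?P<svc>\S+)\s+"
    r"\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+?)\s*$",
    re.IGNORECASE,
)


def parse_drivers(log_text: str) -> List[Dict[str, str]]:
    """Return one record per enumerated driver, with hash and path normalised."""
    drivers = []
    for line in log_text.splitlines():
        m = DRIVER_LINE.match(line)
        if m:
            drivers.append({
                "svc": m["svc"],
                "md5": m["md5"].lower(),
                # the log mixes system32\drivers and system32\DRIVERS; NTFS is case-insensitive
                "path": m["path"].lower(),
            })
    return drivers


def triage(drivers: List[Dict[str, str]], baseline: Dict[str, str]) -> Dict[str, list]:
    """Split drivers into ok / mismatch / unknown relative to baseline {path: md5}.
    A mismatch on a file that ships with the OS is the finding worth chasing:
    an in-place patched driver keeps its name and location but not its hash."""
    report = {"ok": [], "mismatch": [], "unknown": []}
    for d in drivers:
        expected = baseline.get(d["path"])
        if expected is None:
            report["unknown"].append(d)      # no baseline entry: third-party or unexpected driver
        elif expected.lower() == d["md5"]:
            report["ok"].append(d)
        else:
            report["mismatch"].append(d)     # same path, different content
    return report


# Sample lines copied from the TDSSKiller log in this thread.
SAMPLE_LOG = r"""
21:10:35:617 2412 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
21:10:35:336 2412 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
21:10:36:211 2412 vsdatant (13a225a31f8d64a395373e9434d2d1ab) C:\WINDOWS\system32\vsdatant.sys
21:10:36:492 2412 Reboot required for cure complete..
21:10:36:507 2412 Results:
"""

# Constructed baseline for the example only. The srv.sys value is a placeholder
# chosen to differ from the log; real baselines come from a known-clean machine
# at the same service pack and patch level.
BASELINE = {
    r"c:\windows\system32\drivers\tcpip.sys": "9aefa14bd6b182d61e3119fa5f436d3d",
    r"c:\windows\system32\drivers\srv.sys": "0123456789abcdef0123456789abcdef",
}


if __name__ == "__main__":
    for status, items in triage(parse_drivers(SAMPLE_LOG), BASELINE).items():
        for d in items:
            print(f"{status:8} {d['svc']:12} {d['md5']} {d['path']}")
```

The baseline has to come from somewhere trustworthy: a hash list taken from an identical, clean install is the practical choice for XP-era systems, and any "mismatch" on a Microsoft-shipped driver should be confirmed by pulling the file from the machine and checking its signature before treating it as infected, since a legitimate hotfix also changes the hash.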


#12 aommaster
    I !<3 malware
  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai

Posted 24 May 2010 - 09:13 PM

Looks like TDSSKiller got the infection. How's your computer doing? Still getting redirects? Please post up a fresh GMER log.

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM
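The GMER log posted later in this thread reports three kinds of hook: SSDT entries redirected into vsdatant.sys (ZoneAlarm's TrueVector driver), inline patches of ntoskrnl exports that jump into McAfee's mfehidk.sys, and 5-byte JMP patches at the start of kernel32, ADVAPI32, msvcrt, WININET and WS2_32 functions in svchost.exe, Explorer.EXE, services.exe, lsass.exe and others. GMER prints a module name after a JMP target only when it can map that address to a loaded module; a bare address means the trampoline lives in memory with no module backing it, which is the case for every user-mode hook in that log. That does not by itself say whether the code is a security product's injected stub or malware, but it is the set a reviewer has to account for. The script below is an added example for this thread (not GMER's own code and not from any poster) that parses those line formats and separates hooks by owner. The sample lines are copied from the GMER log in this thread.

```python
"""Triage a GMER rootkit-scan log: list every hook, who owns it, and which
user-mode JMPs have no named owner. Added example; not part of GMER."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Kernel entries "SSDT <module> (<vendor>) <func> [0xADDR]" and "Code <module> (<vendor>) <func> [0xADDR]".
KERNEL_LINE = re.compile(
    r"^(?P<kind>SSDT|Code)\s+(?P<module>\S+)\s+\((?P<vendor>[^)]*)\)\s+"
    r"(?P<func>\S+)(?:\s+\[(?P<addr>0x[0-9A-Fa-f]+)\])?\s*$"
)
# Inline patches: "<section> [proc[pid]] image!func [+ off] ADDR N Bytes <patch>".
# The process part is absent for ntoskrnl.exe lines in the kernel code sections.
INLINE_LINE = re.compile(
    r"^(?P<section>\.text|PAGE)\s+(?:(?P<proc>.+?)\[(?P<pid>\d+)\]\s+)?"
    r"(?P<image>[^\s!]+)!(?P<func>\S+)(?:\s\+\s\d+)?\s+(?P<addr>[0-9A-Fa-f]{8})\s+"
    r"(?P<n>\d+)\s+Bytes?\s+(?P<patch>.+?)\s*$"
)
# A JMP patch, optionally followed by the module GMER resolved the target to.
JMP_PATCH = re.compile(
    r"^JMP\s+(?P<target>[0-9A-Fa-f]+)(?:\s+(?P<module>\S+)\s+\((?P<vendor>[^)]*)\))?$"
)


@dataclass
class Hook:
    scope: str            # "kernel" or "<process path>[pid]"
    kind: str             # SSDT, Code, inline-jmp, inline-bytes
    hooked: str           # e.g. "kernel32.dll!CreateFileA" or "ZwCreateFile"
    owner: Optional[str]  # module GMER attributed the hook to; None if unresolved
    vendor: Optional[str]


def parse_gmer(text: str) -> List[Hook]:
    """Parse SSDT/Code lines and inline patch lines; other lines are ignored."""
    hooks: List[Hook] = []
    for line in text.splitlines():
        m = KERNEL_LINE.match(line)
        if m:
            hooks.append(Hook("kernel", m["kind"], m["func"], m["module"], m["vendor"]))
            continue
        m = INLINE_LINE.match(line)
        if not m:
            continue
        scope = f"{m['proc']}[{m['pid']}]" if m["pid"] else "kernel"
        hooked = f"{m['image']}!{m['func']}"
        j = JMP_PATCH.match(m["patch"])
        if j:
            hooks.append(Hook(scope, "inline-jmp", hooked, j["module"], j["vendor"]))
        else:
            hooks.append(Hook(scope, "inline-bytes", hooked, None, None))  # raw byte patch
    return hooks


def owners(hooks: List[Hook]) -> Counter:
    """Hook count per resolved owner module, with 'UNRESOLVED' for unattributed ones."""
    return Counter(h.owner or "UNRESOLVED" for h in hooks)


def unresolved_user_hooks(hooks: List[Hook]) -> List[Hook]:
    """User-mode JMP hooks whose target GMER could not map to a module.
    These are the entries to explain first: dump the target region from the
    live process and identify what put it there."""
    return [h for h in hooks
            if h.scope != "kernel" and h.kind == "inline-jmp" and h.owner is None]


# Sample lines copied from the GMER log in this thread.
SAMPLE = r"""
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xBA6B2C80]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
PAGE ntoskrnl.exe!ZwOpenKey 80568D48 5 Bytes JMP BA59580F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text ntoskrnl.exe!_abnormal_termination + 104 804E2770 12 Bytes [80, 65, 6B, BA, 00, A9, 6C, ...]
.text C:\WINDOWS\System32\svchost.exe[308] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA0000
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [0B, 89]
"""


if __name__ == "__main__":
    hooks = parse_gmer(SAMPLE)
    for owner, count in owners(hooks).most_common():
        print(f"{count:4}  {owner}")
    for h in unresolved_user_hooks(hooks):
        print(f"unresolved: {h.scope} {h.hooked}")
```

Run over the full log, the owner counts make the picture readable at a glance: two signed security drivers own every kernel hook, and the user-mode JMPs are the unattributed remainder. The same set of hooked APIs (file, registry, process creation, LoadLibrary, socket, InternetOpen) in every process is consistent with a HIPS sandbox layer, but that is a hypothesis to confirm from the live process, not something the log proves.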


#13 Tim0272
  • Topic Starter
  • Members
  • 16 posts

Posted 24 May 2010 - 09:22 PM

aommaster,

Thanks! Looks like that solved it. Are there any special actions I need to do to remove any of the scanners?

Tim0272

#14 Tim0272
  • Topic Starter
  • Members
  • 16 posts

Posted 24 May 2010 - 09:29 PM

Also, GMER is running. I'll post the log when it finishes.

Tim0272

#15 Tim0272
  • Topic Starter
  • Members
  • 16 posts

Posted 24 May 2010 - 10:35 PM

GMER log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-24 22:34:27
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kxtdipow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xBA6B5FC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xBA6B2C80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xBA6CD170]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xBA6B6580]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xBA6CA900]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xBA6CAB10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xBA6CEB10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xBA6B6670]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xBA6B3210]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xBA6CD9F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xBA6CD7A0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xBA6CA280]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xBA6CDF10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xBA6CDF90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xBA6B3070]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xBA6CC180]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xBA6CBF40]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xBA6CE6F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xBA6CE150]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xBA6B5BE0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xBA6CE540]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xBA6B6190]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xBA6B3440]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xBA6CD4E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xBA6CB200]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xBA6CB080]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xBA5958C5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xBA5958AF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xBA5957C8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xBA5958F1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xBA59580B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xBA59579C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xBA59592D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xBA595899]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xBA595883]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xBA595774]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xBA595760]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xBA5958DB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xBA5957DE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xBA5957B2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 104 804E2770 12 Bytes [80, 65, 6B, BA, 00, A9, 6C, ...]
.text ntoskrnl.exe!ZwYieldExecution 804F0EB6 7 Bytes JMP BA5957B6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80568D48 5 Bytes JMP BA59580F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryValueKey 8056A1F9 7 Bytes JMP BA595887 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8056DDD9 5 Bytes JMP BA595764 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryKey 80570C4A 7 Bytes JMP BA595931 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateKey 80570F41 7 Bytes JMP BA5958C9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80571E96 7 Bytes JMP BA5957A0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 805738C6 5 Bytes JMP BA5957E2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80573D41 7 Bytes JMP BA5957CC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateValueKey 80589A67 7 Bytes JMP BA5958B3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 8058EA94 5 Bytes JMP BA5958F5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062E057 5 Bytes JMP BA595778 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 8064DD32 7 Bytes JMP BA5958DF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 8064E66B 7 Bytes JMP BA59589D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? klmdb.sys The system cannot find the file specified. !
? tsk2E.tmp The system cannot find the file specified. !
? srescan.sys The system cannot find the file specified. !
init C:\WINDOWS\system32\drivers\nvax.sys entry point in "init" section [0xF78F8A0C]
init C:\WINDOWS\System32\Drivers\GKUPRO2D.sys entry point in "init" section [0xF72A1D70]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[308] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA0000
.text C:\WINDOWS\System32\svchost.exe[308] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA0F48
.text C:\WINDOWS\System32\svchost.exe[308] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA0047
.text C:\WINDOWS\System32\svchost.exe[308] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA0F6D
.text C:\WINDOWS\System32\svchost.exe[308] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA0F8A
.text C:\WINDOWS\System32\svchost.exe[308] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA002C
.text C:\WINDOWS\System32\svchost.exe[308] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA0F12
.text C:\WINDOWS\System32\svchost.exe[308] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA0F2D
.text C:\WINDOWS\System32\svchost.exe[308] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA0090
.text C:\WINDOWS\System32\svchost.exe[308] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA007F
.text C:\WINDOWS\System32\svchost.exe[308] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BA00A1
.text C:\WINDOWS\System32\svchost.exe[308] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BA0FA5
.text C:\WINDOWS\System32\svchost.exe[308] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BA0011
.text C:\WINDOWS\System32\svchost.exe[308] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BA0058
.text C:\WINDOWS\System32\svchost.exe[308] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BA0FC0
.text C:\WINDOWS\System32\svchost.exe[308] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BA0FD1
.text C:\WINDOWS\System32\svchost.exe[308] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BA0F01
.text C:\WINDOWS\System32\svchost.exe[308] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00930FEF
.text C:\WINDOWS\System32\svchost.exe[308] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00930FAF
.text C:\WINDOWS\System32\svchost.exe[308] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00930036
.text C:\WINDOWS\System32\svchost.exe[308] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00930025
.text C:\WINDOWS\System32\svchost.exe[308] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00930FC0
.text C:\WINDOWS\System32\svchost.exe[308] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0093000A
.text C:\WINDOWS\System32\svchost.exe[308] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0093006C
.text C:\WINDOWS\System32\svchost.exe[308] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0093005B
.text C:\WINDOWS\System32\svchost.exe[308] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920F84
.text C:\WINDOWS\System32\svchost.exe[308] msvcrt.dll!system 77C293C7 5 Bytes JMP 00920F95
.text C:\WINDOWS\System32\svchost.exe[308] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00920FC1
.text C:\WINDOWS\System32\svchost.exe[308] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920FEF
.text C:\WINDOWS\System32\svchost.exe[308] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00920FB0
.text C:\WINDOWS\System32\svchost.exe[308] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00920FDE
.text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00900000
.text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0090001B
.text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00900040
.text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00900051
.text C:\WINDOWS\System32\svchost.exe[308] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00910FE5
.text C:\WINDOWS\Explorer.EXE[688] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01980FEF
.text C:\WINDOWS\Explorer.EXE[688] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0198007D
.text C:\WINDOWS\Explorer.EXE[688] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0198006C
.text C:\WINDOWS\Explorer.EXE[688] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0198005B
.text C:\WINDOWS\Explorer.EXE[688] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0198004A
.text C:\WINDOWS\Explorer.EXE[688] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01980FB9
.text C:\WINDOWS\Explorer.EXE[688] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01980F35
.text C:\WINDOWS\Explorer.EXE[688] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01980F52
.text C:\WINDOWS\Explorer.EXE[688] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01980F09
.text C:\WINDOWS\Explorer.EXE[688] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 019800A2
.text C:\WINDOWS\Explorer.EXE[688] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 019800C7
.text C:\WINDOWS\Explorer.EXE[688] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01980F9E
.text C:\WINDOWS\Explorer.EXE[688] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01980014
.text C:\WINDOWS\Explorer.EXE[688] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01980F6D
.text C:\WINDOWS\Explorer.EXE[688] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0198002F
.text C:\WINDOWS\Explorer.EXE[688] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01980FDE
.text C:\WINDOWS\Explorer.EXE[688] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01980F1A
.text C:\WINDOWS\Explorer.EXE[688] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01920036
.text C:\WINDOWS\Explorer.EXE[688] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0192006C
.text C:\WINDOWS\Explorer.EXE[688] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0192001B
.text C:\WINDOWS\Explorer.EXE[688] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0192000A
.text C:\WINDOWS\Explorer.EXE[688] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01920FB9
.text C:\WINDOWS\Explorer.EXE[688] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01920FEF
.text C:\WINDOWS\Explorer.EXE[688] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01920FCA
.text C:\WINDOWS\Explorer.EXE[688] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B2, 89] {MOV DL, 0x89}
.text C:\WINDOWS\Explorer.EXE[688] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01920047
.text C:\WINDOWS\Explorer.EXE[688] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0191004E
.text C:\WINDOWS\Explorer.EXE[688] msvcrt.dll!system 77C293C7 5 Bytes JMP 01910FB9
.text C:\WINDOWS\Explorer.EXE[688] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01910018
.text C:\WINDOWS\Explorer.EXE[688] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01910FEF
.text C:\WINDOWS\Explorer.EXE[688] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01910033
.text C:\WINDOWS\Explorer.EXE[688] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01910FDE
.text C:\WINDOWS\Explorer.EXE[688] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 018F0000
.text C:\WINDOWS\Explorer.EXE[688] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 018F0FDB
.text C:\WINDOWS\Explorer.EXE[688] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 018F0FCA
.text C:\WINDOWS\Explorer.EXE[688] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 018F0025
.text C:\WINDOWS\Explorer.EXE[688] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01900FE5
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FF000A
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FF007F
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FF0F8A
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FF0FA5
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FF0FC0
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FF0051
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FF0F65
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FF00AB
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FF00FE
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FF00E3
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FF0119
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FF0062
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FF009A
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FF0040
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FF0025
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FF00D2
.text C:\WINDOWS\system32\services.exe[768] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FE0FAF
.text C:\WINDOWS\system32\services.exe[768] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FE0047
.text C:\WINDOWS\system32\services.exe[768] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FE0FC0
.text C:\WINDOWS\system32\services.exe[768] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\services.exe[768] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FE0036
.text C:\WINDOWS\system32\services.exe[768] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\services.exe[768] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00FE0025
.text C:\WINDOWS\system32\services.exe[768] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FE0F9E
.text C:\WINDOWS\system32\services.exe[768] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FD0033
.text C:\WINDOWS\system32\services.exe[768] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FD0FA8
.text C:\WINDOWS\system32\services.exe[768] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FD0FD4
.text C:\WINDOWS\system32\services.exe[768] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FD0FEF
.text C:\WINDOWS\system32\services.exe[768] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FD0FB9
.text C:\WINDOWS\system32\services.exe[768] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FD0018
.text C:\WINDOWS\system32\services.exe[768] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EC0FEF
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EC0F9E
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EC0093
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EC0076
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EC005B
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EC0FD4
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EC0F57
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EC0F72
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EC0F35
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EC0F46
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EC0F24
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EC0FB9
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EC000A
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EC0F83
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EC0040
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EC002F
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EC00BA
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EB0FB9
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EB0039
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EB0FD4
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EB0FEF
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EB0F7C
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EB000A
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00EB0F97
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [0B, 89]
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EB0FA8
.text C:\WINDOWS\system32\lsass.exe[780] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00EA005F
.text C:\WINDOWS\system32\lsass.exe[780] msvcrt.dll!system 77C293C7 5 Bytes JMP 00EA004E
.text C:\WINDOWS\system32\lsass.exe[780] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00EA0033
.text C:\WINDOWS\system32\lsass.exe[780] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00EA0000
.text C:\WINDOWS\system32\lsass.exe[780] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00EA0FDE
.text C:\WINDOWS\system32\lsass.exe[780] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00EA0FEF
.text C:\WINDOWS\system32\lsass.exe[780] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E90000
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FC0FE5
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FC0F63
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FC0F7E
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FC0058
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FC0FA5
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FC002C
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FC0F2B
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FC0073
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FC00A9
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FC0098
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FC00BA
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FC0047
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FC0FCA
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FC0F48
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FC0011
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FC0000
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FC0F1A
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FB0FB9
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FB0047
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FB0FDE
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FB0FEF
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FB0F94
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FB0000
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00FB0036
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FB0025
.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FA0F90
.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FA0FAB
.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FA001B
.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FA0FEF
.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FA0FC6
.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FA0000
.text C:\WINDOWS\system32\svchost.exe[952] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F90000
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CD0FEF
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CD006C
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CD0F77
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CD0F94
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CD0FA5
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CD0047
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CD0F4B
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CD0F5C
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CD0F30
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CD00BF
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CD0F15
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CD0FC0
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CD000A
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CD007D
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CD0036
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CD0025
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CD00AE
.text C:\WINDOWS\system32\svchost.exe[1052] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CC0FB6
.text C:\WINDOWS\system32\svchost.exe[1052] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CC0036
.text C:\WINDOWS\system32\svchost.exe[1052] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CC0FDB
.text C:\WINDOWS\system32\svchost.exe[1052] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CC0011
.text C:\WINDOWS\system32\svchost.exe[1052] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CC0F79
.text C:\WINDOWS\system32\svchost.exe[1052] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CC0000
.text C:\WINDOWS\system32\svchost.exe[1052] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00CC0F8A
.text C:\WINDOWS\system32\svchost.exe[1052] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [EC, 88]
.text C:\WINDOWS\system32\svchost.exe[1052] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CC0FA5
.text C:\WINDOWS\system32\svchost.exe[1052] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CB0081
.text C:\WINDOWS\system32\svchost.exe[1052] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CB0070
.text C:\WINDOWS\system32\svchost.exe[1052] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CB003A
.text C:\WINDOWS\system32\svchost.exe[1052] msvcrt.dll!_open 77C2F566 3 Bytes JMP 00CB0000
.text C:\WINDOWS\system32\svchost.exe[1052] msvcrt.dll!_open + 4 77C2F56A 1 Byte [89]
.text C:\WINDOWS\system32\svchost.exe[1052] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CB005F
.text C:\WINDOWS\system32\svchost.exe[1052] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CB001D
.text C:\WINDOWS\system32\svchost.exe[1052] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CA0FEF
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02A00000
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02A00084
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02A00073
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02A00062
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02A00051
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02A00FAF
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02A000B2
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02A000A1
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02A00F2A
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02A000CD
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02A00F19
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02A00040
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02A00011
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02A00F6A
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02A00FCA
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02A00FDB
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02A00F45
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 029F0FA8
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 029F0F75
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 029F0FB9
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 029F0FCA
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 029F0032
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 029F0FE5
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 029F0F86
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [BF, 8A]
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 029F0F97
.text C:\WINDOWS\System32\svchost.exe[1168] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02950FA1
.text C:\WINDOWS\System32\svchost.exe[1168] msvcrt.dll!system 77C293C7 5 Bytes JMP 02950022
.text C:\WINDOWS\System32\svchost.exe[1168] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02950FBC
.text C:\WINDOWS\System32\svchost.exe[1168] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02950000
.text C:\WINDOWS\System32\svchost.exe[1168] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02950011
.text C:\WINDOWS\System32\svchost.exe[1168] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02950FE3
.text C:\WINDOWS\System32\svchost.exe[1168] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02940FE5
.text C:\WINDOWS\System32\svchost.exe[1168] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00D00000
.text C:\WINDOWS\System32\svchost.exe[1168] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00D00011
.text C:\WINDOWS\System32\svchost.exe[1168] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00D00FD1
.text C:\WINDOWS\System32\svchost.exe[1168] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00D00022
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00650000
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00650F57
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00650F72
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0065004C
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00650F8D
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0065001B
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00650095
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0065006E
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006500C8
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006500B7
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00650F14
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00650F9E
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00650FDB
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0065005D
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00650FAF
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00650FC0
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006500A6
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00640FC3
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00640065
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0064000A
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00640FD4
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0064004A
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00640FE5
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00640039
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00640FB2
.text C:\WINDOWS\system32\svchost.exe[1208] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00630FC8
.text C:\WINDOWS\system32\svchost.exe[1208] msvcrt.dll!system 77C293C7 5 Bytes JMP 00630049
.text C:\WINDOWS\system32\svchost.exe[1208] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00630FE3
.text C:\WINDOWS\system32\svchost.exe[1208] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00630000
.text C:\WINDOWS\system32\svchost.exe[1208] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00630038
.text C:\WINDOWS\system32\svchost.exe[1208] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0063001D
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00770FEF
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00770059
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00770F64
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00770048
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00770F7F
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00770FAB
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00770F36
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0077007E
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007700A3
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00770F0A
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00770EE5
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00770F90
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00770FDE
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00770F53
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00770FBC
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00770FCD
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00770F1B
.text C:\WINDOWS\System32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0076000A
.text C:\WINDOWS\System32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00760F6F
.text C:\WINDOWS\System32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00760FB9
.text C:\WINDOWS\System32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00760FD4
.text C:\WINDOWS\System32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0076002C
.text C:\WINDOWS\System32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00760FE5
.text C:\WINDOWS\System32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0076001B
.text C:\WINDOWS\System32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00760F94
.text C:\WINDOWS\System32\svchost.exe[1284] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0075005A
.text C:\WINDOWS\System32\svchost.exe[1284] msvcrt.dll!system 77C293C7 5 Bytes JMP 0075003F
.text C:\WINDOWS\System32\svchost.exe[1284] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0075002E
.text C:\WINDOWS\System32\svchost.exe[1284] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00750000
.text C:\WINDOWS\System32\svchost.exe[1284] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00750FD9
.text C:\WINDOWS\System32\svchost.exe[1284] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0075001D
.text C:\WINDOWS\System32\svchost.exe[1284] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00740FEF
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009C0FEF
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009C0F43
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009C0042
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009C0025
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009C0F68
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009C0F8D
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009C0070
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009C0F28
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009C0EF2
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009C0F03
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009C009C
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009C000A
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009C0FDE
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009C0053
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009C0F9E
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009C0FC3
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009C008B
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009B0F9E
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009B0043
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009B0FB9
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009B0FD4
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009B001E
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009B0FE5
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 009B0F7C
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [BB, 88]
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009B0F8D
.text C:\WINDOWS\system32\svchost.exe[1432] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009A0F90
.text C:\WINDOWS\system32\svchost.exe[1432] msvcrt.dll!system 77C293C7 5 Bytes JMP 009A001B
.text C:\WINDOWS\system32\svchost.exe[1432] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009A0000
.text C:\WINDOWS\system32\svchost.exe[1432] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009A0FEF
.text C:\WINDOWS\system32\svchost.exe[1432] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009A0FAB
.text C:\WINDOWS\system32\svchost.exe[1432] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009A0FC6
.text C:\WINDOWS\system32\svchost.exe[1432] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00990000
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2076] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2076] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\System32\svchost.exe[2344] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0000
.text C:\WINDOWS\System32\svchost.exe[2344] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A005B
.text C:\WINDOWS\System32\svchost.exe[2344] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0F66
.text C:\WINDOWS\System32\svchost.exe[2344] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F77
.text C:\WINDOWS\System32\svchost.exe[2344] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0F94
.text C:\WINDOWS\System32\svchost.exe[2344] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FC3
.text C:\WINDOWS\System32\svchost.exe[2344] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A008C
.text C:\WINDOWS\System32\svchost.exe[2344] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F3A
.text C:\WINDOWS\System32\svchost.exe[2344] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0F0E
.text C:\WINDOWS\System32\svchost.exe[2344] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F1F
.text C:\WINDOWS\System32\svchost.exe[2344] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A0EE9
.text C:\WINDOWS\System32\svchost.exe[2344] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0040
.text C:\WINDOWS\System32\svchost.exe[2344] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\System32\svchost.exe[2344] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0F4B
.text C:\WINDOWS\System32\svchost.exe[2344] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0FD4
.text C:\WINDOWS\System32\svchost.exe[2344] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0025
.text C:\WINDOWS\System32\svchost.exe[2344] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A009D
.text C:\WINDOWS\System32\svchost.exe[2344] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290FCA
.text C:\WINDOWS\System32\svchost.exe[2344] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00290F8D
.text C:\WINDOWS\System32\svchost.exe[2344] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00290FDB
.text C:\WINDOWS\System32\svchost.exe[2344] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00290011
.text C:\WINDOWS\System32\svchost.exe[2344] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0029004A
.text C:\WINDOWS\System32\svchost.exe[2344] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290000
.text C:\WINDOWS\System32\svchost.exe[2344] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00290FA8
.text C:\WINDOWS\System32\svchost.exe[2344] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [49, 88]
.text C:\WINDOWS\System32\svchost.exe[2344] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00290FB9
.text C:\WINDOWS\System32\svchost.exe[2344] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003E0050
.text C:\WINDOWS\System32\svchost.exe[2344] msvcrt.dll!system 77C293C7 5 Bytes JMP 003E003F
.text C:\WINDOWS\System32\svchost.exe[2344] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003E0FD9
.text C:\WINDOWS\System32\svchost.exe[2344] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003E0000
.text C:\WINDOWS\System32\svchost.exe[2344] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003E002E
.text C:\WINDOWS\System32\svchost.exe[2344] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003E0011
.text C:\WINDOWS\System32\svchost.exe[2344] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009B0FEF
.text D:\Mozilla Firefox\firefox.exe[3364] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 D:\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\PCI \Device\NTPNP_PCI0010 tsk2E.tmp
Device \Driver\PCI \Device\NTPNP_PCI0011 tsk2E.tmp
Device \Driver\PCI \Device\NTPNP_PCI0012 tsk2E.tmp
Device \Driver\PCI \Device\NTPNP_PCI0006 tsk2E.tmp
Device \Driver\PCI \Device\NTPNP_PCI0020 tsk2E.tmp
Device \Driver\PCI \Device\NTPNP_PCI0021 tsk2E.tmp
Device \Driver\PCI \Device\NTPNP_PCI0008 tsk2E.tmp
Device \Driver\PCI \Device\NTPNP_PCI0022 tsk2E.tmp
Device \Driver\PCI \Device\NTPNP_PCI0009 tsk2E.tmp
Device \Driver\PCI \Device\NTPNP_PCI0017 tsk2E.tmp
Device \Driver\PCI \Device\NTPNP_PCI0018 tsk2E.tmp
Device \Driver\PCI \Device\NTPNP_PCI0019 tsk2E.tmp
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@NoPopUpsOnBoot 1

---- EOF - GMER 1.0.15 ----
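Triage note on the GMER output above (an added example, not part of Tim0272's post or of GMER itself): the ".text" entries are user-mode inline hooks, a 5-byte JMP (or a 2-byte JMP plus raw bytes where the prologue did not fit) written over the first instructions of an exported API, and GMER appends "(Description/Vendor)" only when it can tie the JMP target to a module on disk. Host firewalls and HIPS products such as the ones listed under "Devices" routinely install one identical hook set in every process, so the first thing a reviewer wants is to see whether the unattributed hooks form the same API set everywhere or single out a few processes, and which device stacks are backed by an image with no vendor attribution at all (the tsk2E.tmp entries on the PCI bus are exactly that; the script only flags them for review, it does not pass a verdict). The parser below is my own, the regexes are assumptions fitted to the 1.0.15 line format shown above, and SAMPLE_LOG is a constructed subset of that format, not the complete log.

```python
"""Triage helper for GMER 1.0.15 text logs (added example; assumptions noted inline).
Parses '.text' inline-hook lines and Device/AttachedDevice lines, then groups them
so a reviewer can see which API set is hooked where and which device images lack
a vendor attribution."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the GMER 1.0.15 line format seen in the log above (not the full log).
SAMPLE_LOG = r""".text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006500C8
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00640039
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 009B0F7C
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [BB, 88]
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2076] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text D:\Mozilla Firefox\firefox.exe[3364] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 D:\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
Device \Driver\PCI \Device\NTPNP_PCI0010 tsk2E.tmp
Device \Driver\PCI \Device\NTPNP_PCI0011 tsk2E.tmp
"""

# Assumed line grammar: ".text <path>[<pid>] <module>!<func>[ + <off>] <addr> <n> Byte(s) JMP <target>|[raw] [<owner>]"
HOOK_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] "
    r"(?P<mod>[^ !]+)!(?P<func>\S+)(?: \+ (?P<off>\d+))? "
    r"(?P<addr>[0-9A-F]+) (?P<nbytes>\d+) Bytes? "
    r"(?:JMP (?P<target>[0-9A-F]+)|\[(?P<raw>[^\]]*)\])"
    r"(?: (?P<owner>.+))?$"
)
# Assumed line grammar: "Device|AttachedDevice <driver> <device> <image> [(Description/Vendor)]"
DEV_RE = re.compile(
    r"^(?P<kind>Device|AttachedDevice) (?P<driver>\S+) (?P<device>\S+) "
    r"(?P<image>\S+)(?: \((?P<desc>[^)]*)\))?$"
)


@dataclass(frozen=True)
class Hook:
    proc: str
    pid: int
    api: str                 # e.g. "kernel32.dll!CreateProcessW"
    offset: int              # 0 for the hook itself, >0 for a "+ N" continuation entry
    addr: int
    nbytes: int
    target: Optional[int]    # JMP destination; None for raw-byte patch entries
    owner: Optional[str]     # module GMER attributed the target to, if any


@dataclass(frozen=True)
class Device:
    kind: str
    driver: str
    device: str
    image: str
    desc: Optional[str]      # None when GMER printed no "(Description/Vendor)"


def parse_gmer(text):
    """Return (hooks, devices) parsed from a GMER log; unrelated lines are skipped."""
    hooks, devices = [], []
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            hooks.append(Hook(
                proc=m["proc"], pid=int(m["pid"]), api=f'{m["mod"]}!{m["func"]}',
                offset=int(m["off"] or 0), addr=int(m["addr"], 16),
                nbytes=int(m["nbytes"]),
                target=int(m["target"], 16) if m["target"] else None,
                owner=m["owner"]))
            continue
        m = DEV_RE.match(line)
        if m:
            devices.append(Device(m["kind"], m["driver"], m["device"], m["image"], m["desc"]))
    return hooks, devices


def hooked_api_sets(hooks):
    """Group processes by the exact set of APIs hooked WITHOUT module attribution.
    One identical set in every process is the signature of a security product;
    a set seen in only one or two processes is what deserves a closer look."""
    per_proc = defaultdict(set)
    for h in hooks:
        if h.offset == 0 and h.owner is None:
            per_proc[(h.proc, h.pid)].add(h.api)
    groups = defaultdict(list)
    for proc, apis in per_proc.items():
        groups[frozenset(apis)].append(proc)
    return dict(groups)


def self_hooks(hooks):
    """Attributed hooks whose target lives in the hooked process's own image
    (mcproxy.exe and firefox.exe above); benign self-patching, low priority."""
    return [h for h in hooks if h.owner and h.owner.lower().startswith(h.proc.lower())]


def unattributed_devices(devices):
    """Device stacks backed by an image with no '(Description/Vendor)' field."""
    return sorted({(d.device, d.image) for d in devices if d.desc is None})


if __name__ == "__main__":
    hooks, devices = parse_gmer(SAMPLE_LOG)
    for apis, procs in hooked_api_sets(hooks).items():
        print(f"{len(procs)} process(es) share unattributed hooks on: {sorted(apis)}")
    print("self-hooks:", [(h.proc, h.api) for h in self_hooks(hooks)])
    print("unattributed device images:", unattributed_devices(devices))
```

Run it against the full log saved as a text file (replace SAMPLE_LOG with the file contents) and compare the groups: in the log above every svchost.exe instance carries the same CreateFile/LoadLibrary/CreateProcess/Reg*/system/socket set, which is the uniform pattern, while the PCI entries backed by tsk2E.tmp are the only device stacks GMER could not attribute and are the items to hand to the helper for identification.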




