Fake-Alert last known malware, now limited PC functionality


  • This topic is locked
9 replies to this topic

#1 1_hoss

1_hoss

  • Members
  • 5 posts

Posted 22 May 2010 - 02:03 PM

I thought McAfee had quarantined and solved a Fake-Alert trojan, but some days later, after a reboot while trying to install Ad-Aware, Windows booted with no access to the sound card, McAfee unable to scan and operate properly, and the networking function unable to make an IP connection to FiOS. There may be other such problems I haven't seen, in addition to the immediately obvious general strangeness -- new desktop background color, alternate font in the taskbar.

When I first ran GMER, I accidentally had the C:\ drive unchecked. I saved this log. When I ran it a second time, this time with C:\ checked, the scan crashed and I got a PFN_LIST_CORRUPT blue screen, with the error STOP: 0x0000004E. The PC rebooted afterwards, but I did not try to scan again. So the GMER log is of the first scan I performed.



DDS (Ver_10-03-17.01) - NTFSx86
Run by 1_hoss at 11:55:47.17 on Sat 05/22/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.603 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Documents and Settings\Kim and Mike\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080114
uSearch Bar =
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100427192005.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: OToolbarHelper Class: {ead3a971-6a23-4246-8691-c9244e858967} - c:\program files\paypal\paypal plug-in\PayPalHelper.dll
TB: PayPal Plug-In: {dc0f2f93-27fa-4f84-acaa-9416f90b9511} - c:\program files\paypal\paypal plug-in\OToolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Virtual PDF Printer] c:\program files\virtual pdf printer\VirtualPDFPrinter.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
StartupFolder: c:\docume~1\kimand~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\kim and mike\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kimand~1\applic~1\mozilla\firefox\profiles\3bfns8dc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?rls=ig
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\paypal\paypal plug-in\components\PayPalPlugin.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\kim and mike\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-1-18 385536]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-3-17 82952]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-10-3 93320]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-3-17 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-3-17 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-3-17 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-3-17 170144]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-3-17 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-3-17 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-3-17 55456]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-1-18 152320]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-1-18 51688]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-3-17 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-3-17 88480]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-3-17 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-3-17 83496]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-1-18 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-1-18 40552]

=============== Created Last 30 ================

2010-05-22 06:37:27 0 d-----w- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2010-04-14 16:29:58 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-14 16:29:58 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-04-14 16:29:58 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-04-14 16:29:58 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-04-14 16:29:58 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-04-14 16:29:58 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-04-14 16:29:58 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-14 16:29:58 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-14 16:29:58 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-04-14 16:29:58 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-04-09 00:52:46 311296 ----a-w- c:\windows\system32\TubeFinder.exe
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-02-25 15:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:54:25 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2003-09-16 05:19:48 99544 ----a-w- c:\windows\inf\virprn.exe
2003-09-16 05:19:48 18950 ----a-w- c:\windows\inf\virpntd.dll
2003-09-16 05:19:48 10240 ----a-w- c:\windows\inf\virport.dll
2003-09-16 05:19:46 90624 ----a-w- c:\windows\inf\prtproc.dll
2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2007-12-17 12:43:00 27648 --sh--w- c:\windows\system32\Smab0.dll
2009-10-15 16:37:23 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2008-09-19 14:40:03 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091920080920\index.dat

============= FINISH: 11:57:25.84 ===============

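A triage pass over a DDS log like the one above, written as an added example that is not part of the thread and not code from the DDS tool: it parses the "Pseudo HJT Report" and "Find3M" sections and pulls out the lines a forum helper would read first (real-time AV reported as disabled, Run entries with no name or no full path, and hidden+system files with executable extensions). The sample log embedded in the script is a constructed excerpt of lines copied from the post; the `triage` function and its heuristics are mine and flag lines for review, not verdicts on whether a file is malicious.

```python
"""Triage helper for DDS-style logs (added example, not part of the forum thread).

Parses the "Pseudo HJT Report" and "Find3M" sections of a DDS log and returns
the lines an analyst would look at first. These are review heuristics, not
verdicts: a hit means "check this", not "this is malware".
"""
import re
from typing import List, Tuple

# Constructed sample: lines copied from the DDS log in the post above.
SAMPLE_LOG = r"""
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Pseudo HJT Report ===============

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [<NO NAME>]
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

==================== Find3M ====================

2010-04-14 16:29:58 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-09 00:52:46 311296 ----a-w- c:\windows\system32\TubeFinder.exe
2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-12-17 12:43:00 27648 --sh--w- c:\windows\system32\Smab0.dll
2009-10-15 16:37:23 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 11:57:25.84 ===============
"""

# "============== Section Name ===============" headers delimit DDS sections.
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# Find3M line: date time size attrs path, e.g. "2006-05-03 09:06:54 163328 --sh--r- c:\...".
FIND3M_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) ([-a-z]{8}) (.+)$")
# Run-key line: "uRun: [Name] command" or "mRun: [Name] command".
RUN_RE = re.compile(r"^([um]Run[^:]*): \[([^\]]*)\](.*)$")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".ocx")


def hidden_and_system(attrs: str) -> bool:
    """DDS prints DOS attributes as an 8-char field such as '--sh--r-';
    's' and 'h' present together means the file is both system and hidden."""
    return "s" in attrs and "h" in attrs


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for log lines worth a closer look."""
    findings: List[Tuple[str, str]] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if line.startswith("AV:") and "disabled" in line.lower():
            # DDS reports the AV's on-access state; "disabled" is the first thing a helper asks about.
            findings.append(("realtime AV disabled", line))
        elif section.startswith("Pseudo HJT"):
            m = RUN_RE.match(line)
            if m:
                name, cmd = m.group(2), m.group(3).strip()
                if name == "<NO NAME>" or not cmd:
                    findings.append(("run key with empty name or command", line))
                elif "\\" not in cmd and ":" not in cmd:
                    # Bare file name: resolved through PATH search order, so verify where it actually loads from.
                    findings.append(("run key resolved via PATH search, not a full path", line))
        elif section.startswith("Find3M"):
            m = FIND3M_RE.match(line)
            if m:
                attrs, path = m.group(4), m.group(5).lower()
                if hidden_and_system(attrs) and path.endswith(EXEC_EXT):
                    findings.append(("hidden+system executable", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

The hidden+system check deliberately ignores non-executable files such as index.dat, which Internet Explorer keeps hidden and system by design; everything the script returns still has to be checked against what is known to be legitimate on that machine before anything is removed.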
#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,243 posts
  • Gender:Female
  • Location:Romania

Posted 25 May 2010 - 05:33 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#3 1_hoss

1_hoss
  • Topic Starter

  • Members
  • 5 posts

Posted 25 May 2010 - 01:35 PM

Thank you for replying, Elise!!! Note: the GMER scan was able to complete this time.


OTL logfile created on: 5/25/2010 12:48:57 PM - Run 1
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Documents and Settings\Kim and Mike\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,013.00 Mb Total Physical Memory | 624.00 Mb Available Physical Memory | 62.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.45 Gb Total Space | 3.31 Gb Free Space | 4.45% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 1.94 Gb Total Space | 0.02 Gb Free Space | 0.98% Space Free | Partition Type: FAT32
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MYPC
Current User Name: Kim and Mike
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/25 11:52:50 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Kim and Mike\Desktop\OTL.exe
PRC - [2010/04/14 12:29:58 | 000,188,136 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
PRC - [2010/04/14 12:29:58 | 000,141,792 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
PRC - [2010/04/01 23:05:04 | 001,180,976 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2010/01/05 18:04:02 | 000,170,144 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
PRC - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
PRC - [2009/12/08 15:25:28 | 000,093,320 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2009/10/15 12:36:12 | 000,198,160 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/11/05 13:22:16 | 000,221,184 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
PRC - [2006/11/05 12:55:48 | 000,010,752 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
PRC - [2006/10/20 19:23:38 | 000,118,784 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
PRC - [2006/10/03 13:37:04 | 000,081,920 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PRC - [2006/08/17 11:00:00 | 001,116,920 | ---- | M] (Roxio) -- C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe


========== Modules (SafeList) ==========

MOD - [2010/05/25 11:52:50 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Kim and Mike\Desktop\OTL.exe
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/04/14 12:29:58 | 000,188,136 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe -- (mfefire)
SRV - [2010/04/14 12:29:58 | 000,141,792 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe -- (mfevtp)
SRV - [2010/03/10 11:16:56 | 000,364,216 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2010/01/05 18:04:02 | 000,170,144 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV - [2009/12/08 15:25:28 | 000,093,320 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2007/10/11 11:49:46 | 000,076,016 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DellAutomatedPCTuneUp\brkrsvc.exe -- (DellAMBrokerService)


========== Driver Services (SafeList) ==========

DRV - [2010/04/14 12:29:58 | 000,385,536 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2010/04/14 12:29:58 | 000,312,616 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2010/04/14 12:29:58 | 000,152,320 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2010/04/14 12:29:58 | 000,095,568 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2010/04/14 12:29:58 | 000,088,480 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendiskmp)
DRV - [2010/04/14 12:29:58 | 000,088,480 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendisk)
DRV - [2010/04/14 12:29:58 | 000,083,496 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2010/04/14 12:29:58 | 000,082,952 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdi2k.sys -- (mfetdi2k)
DRV - [2010/04/14 12:29:58 | 000,055,456 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\cfwids.sys -- (cfwids)
DRV - [2010/04/14 12:29:58 | 000,051,688 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/09/16 10:22:48 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 10:22:14 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2008/04/13 14:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 14:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/13 12:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/08/23 20:29:10 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\datunidr.sys -- (datunidr)
DRV - [2007/06/26 16:06:20 | 000,254,872 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express) Intel®
DRV - [2007/06/13 22:41:44 | 004,403,712 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007/06/13 21:25:14 | 000,304,920 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor)
DRV - [2007/06/13 21:21:16 | 005,760,096 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2006/10/05 18:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\DellAutomatedPCTuneUp\GTAction\triggers\PTproct.sys -- (PTproct)
DRV - [2006/08/18 15:18:08 | 000,009,400 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResM.SYS -- (DLADResM)
DRV - [2006/08/18 15:17:46 | 000,035,096 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2006/08/18 15:17:44 | 000,097,848 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2006/08/18 15:17:44 | 000,094,648 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2006/08/18 15:17:42 | 000,026,008 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2006/08/18 15:17:40 | 000,032,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2006/08/18 15:17:38 | 000,104,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2006/08/18 15:17:38 | 000,014,520 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2006/08/11 13:05:58 | 000,051,768 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2006/08/11 12:35:18 | 000,012,920 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2006/08/11 12:35:16 | 000,028,184 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2006/07/21 13:21:26 | 000,099,176 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
DRV - [2004/08/04 00:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2001/08/17 16:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 16:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 16:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 16:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 16:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 15:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 15:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 15:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 15:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 15:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 15:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 15:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 15:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 15:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 15:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080114
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080114


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080114
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080114
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080114
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080114
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1218255451-2204578224-1837552165-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080114
IE - HKU\S-1-5-21-1218255451-2204578224-1837552165-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1218255451-2204578224-1837552165-1006\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKU\S-1-5-21-1218255451-2204578224-1837552165-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "http://www.google.com/webhp?rls=ig"
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.7.2
FF - prefs.js..extensions.enabledItems: googlesharing@extension.thoughtcrime.org:0.17
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.0
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:1.0.0.%(version)s
FF - prefs.js..extensions.enabledItems: {3205B348-523A-4fac-9BC4-9939CBF583B0}:2.1.2
FF - prefs.js..extensions.enabledItems: paypalfirefoxplugin@orbiscom:2.2.26.0
FF - prefs.js..extensions.enabledItems: {b2509cd4-17cd-45ed-8146-a82af038f493}:1.38
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0

FF - HKLM\software\mozilla\Firefox\Extensions\\paypalfirefoxplugin@orbiscom: C:\Program Files\PayPal\PayPal Plug-In [2009/09/18 00:59:50 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/04/21 18:04:49 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/22 02:34:53 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/13 20:04:34 | 000,000,000 | ---D | M]

[2008/06/27 17:48:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kim and Mike\Application Data\Mozilla\Extensions
[2010/05/22 02:37:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kim and Mike\Application Data\Mozilla\Firefox\Profiles\3bfns8dc.default\extensions
[2010/01/06 15:44:09 | 000,000,000 | ---D | M] (Old Location Bar) -- C:\Documents and Settings\Kim and Mike\Application Data\Mozilla\Firefox\Profiles\3bfns8dc.default\extensions\{3205B348-523A-4fac-9BC4-9939CBF583B0}
[2010/02/19 15:46:30 | 000,000,000 | ---D | M] (Power Twitter) -- C:\Documents and Settings\Kim and Mike\Application Data\Mozilla\Firefox\Profiles\3bfns8dc.default\extensions\{b2509cd4-17cd-45ed-8146-a82af038f493}
[2010/03/23 19:43:42 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Kim and Mike\Application Data\Mozilla\Firefox\Profiles\3bfns8dc.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2010/04/03 02:09:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kim and Mike\Application Data\Mozilla\Firefox\Profiles\3bfns8dc.default\extensions\googlesharing@extension.thoughtcrime.org
[2010/03/29 00:23:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kim and Mike\Application Data\Mozilla\Firefox\Profiles\3bfns8dc.default\extensions\SkipScreen@SkipScreen
[2010/04/03 02:09:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kim and Mike\Application Data\Mozilla\Firefox\Profiles\3bfns8dc.default\extensions\googlesharing@extension.thoughtcrime.org\chrome
[2010/04/03 02:09:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kim and Mike\Application Data\Mozilla\Firefox\Profiles\3bfns8dc.default\extensions\googlesharing@extension.thoughtcrime.org\components
[2010/04/03 02:09:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kim and Mike\Application Data\Mozilla\Firefox\Profiles\3bfns8dc.default\extensions\googlesharing@extension.thoughtcrime.org\defaults
[2008/01/18 15:57:13 | 000,002,386 | ---- | M] () -- C:\Documents and Settings\Kim and Mike\Application Data\Mozilla\Firefox\Profiles\3bfns8dc.default\searchplugins\siteadvisor.xml
[2010/05/22 02:37:02 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/04/14 12:29:58 | 000,024,376 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Mozilla Firefox\components\Scriptff.dll
[2008/11/12 19:58:56 | 000,221,184 | ---- | M] (CNN) -- C:\Program Files\Mozilla Firefox\plugins\NPTURNMED.dll

O1 HOSTS File: ([2004/08/04 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
O2 - BHO: (HP Print Clips) - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll (Hewlett-Packard Co.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\Program Files\real\realplayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100427192005.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
O2 - BHO: (OToolbarHelper Class) - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll ()
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (PayPal Plug-In) - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll ()
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation)
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [RoxioDragToDisc] C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe (Roxio)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [Virtual PDF Printer] C:\Program Files\Virtual PDF Printer\VirtualPDFPrinter.exe File not found
O4 - HKU\S-1-5-21-1218255451-2204578224-1837552165-1006..\Run: [DW6] C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe File not found
O4 - Startup: C:\Documents and Settings\Kim and Mike\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\Kim and Mike\Application Data\Dropbox\bin\Dropbox.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1218255451-2204578224-1837552165-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll (Hewlett-Packard Co.)
O9 - Extra Button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll (Hewlett-Packard Co.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O15 - HKU\S-1-5-21-1218255451-2204578224-1837552165-1006\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKU\S-1-5-21-1218255451-2204578224-1837552165-1006\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-1218255451-2204578224-1837552165-1006\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} https://activatemyfios.verizon.net/sdcCommo...20Installer.cab (Support.com Configuration Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 71.242.0.12
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\ms-help - No CLSID value found
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 15:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/25 12:48:19 | 000,571,904 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Kim and Mike\Desktop\OTL.exe
[2010/05/20 21:49:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[70 C:\*.tmp files -> C:\*.tmp -> ]
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/25 12:45:45 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/25 12:45:44 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/25 12:45:43 | 1062,387,712 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/25 11:54:06 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Kim and Mike\Desktop\ul3z7oug.exe
[2010/05/25 11:52:50 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Kim and Mike\Desktop\OTL.exe
[2010/05/22 18:15:14 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/22 13:25:29 | 016,195,584 | ---- | M] () -- C:\Documents and Settings\Kim and Mike\ntuser.dat
[2010/05/22 13:25:29 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Kim and Mike\ntuser.ini
[2010/05/22 13:25:27 | 006,291,456 | -H-- | M] () -- C:\Documents and Settings\Kim and Mike\Local Settings\Application Data\IconCache.db
[2010/05/01 02:13:48 | 000,235,008 | ---- | M] () -- C:\Documents and Settings\Kim and Mike\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/29 09:13:42 | 000,018,156 | ---- | M] () -- C:\Documents and Settings\Kim and Mike\My Documents\myers on midcult.docx
[2010/04/28 23:35:07 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\Kim and Mike\Desktop\Microsoft Word.lnk
[70 C:\*.tmp files -> C:\*.tmp -> ]
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/25 12:48:19 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Kim and Mike\Desktop\ul3z7oug.exe
[2010/05/01 10:20:03 | 016,195,584 | ---- | C] () -- C:\Documents and Settings\Kim and Mike\ntuser.dat
[2010/04/28 23:39:56 | 000,018,156 | ---- | C] () -- C:\Documents and Settings\Kim and Mike\My Documents\myers on midcult.docx
[2009/09/02 15:18:14 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\virport.dll
[2009/03/31 16:15:00 | 000,000,020 | ---- | C] () -- C:\WINDOWS\crackpdf.INI
[2008/07/06 15:12:45 | 000,408,576 | ---- | C] () -- C:\WINDOWS\System32\Smab.dll
[2008/07/06 15:12:42 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
[2008/07/06 15:11:32 | 000,027,648 | -HS- | C] () -- C:\WINDOWS\System32\Smab0.dll
[2008/05/12 18:36:35 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.INI
[2008/04/02 16:02:49 | 000,164,352 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2008/04/02 16:02:42 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/04/02 16:02:42 | 000,755,027 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2008/04/02 16:02:42 | 000,159,839 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008/04/02 16:02:41 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2008/04/02 16:02:41 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2008/01/14 13:42:54 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/01/14 13:38:05 | 000,056,056 | ---- | C] () -- C:\WINDOWS\System32\DLAAPI_W.DLL
[2008/01/14 13:38:05 | 000,000,118 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/01/14 13:16:36 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4820.dll
[2008/01/14 13:15:33 | 000,001,124 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2006/11/07 06:25:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2006/09/17 01:36:50 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Roxio.dll
[2006/09/17 01:36:50 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\CddbFileTaggerRoxio.dll
[2004/08/10 15:12:05 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/10 15:01:18 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini

========== Alternate Data Streams ==========

@Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:62E2D794
< End of report >

OTL Extras logfile created on: 5/25/2010 12:48:57 PM - Run 1
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Documents and Settings\Kim and Mike\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,013.00 Mb Total Physical Memory | 624.00 Mb Available Physical Memory | 62.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.45 Gb Total Space | 3.31 Gb Free Space | 4.45% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 1.94 Gb Total Space | 0.02 Gb Free Space | 0.98% Space Free | Partition Type: FAT32
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MYPC
Current User Name: Kim and Mike
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = Reg Error: Value error.] -- Reg Error: Key error. File not found

[HKEY_USERS\S-1-5-21-1218255451-2204578224-1837552165-1006\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"9051:UDP" = 9051:UDP:LocalSubNet:Enabled:Verizon Tech Wizard

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe:*:Enabled:hpqpse.exe -- (Hewlett-Packard Development Co. L.P.)
"C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe" = C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe:*:Enabled:hpqphotocrm.exe -- (Hewlett-Packard Development Co. L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe:*:Enabled:hpqsudi.exe -- (Hewlett-Packard Development Co. L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe:*:Enabled:hpqpsapp.exe -- (Hewlett-Packard Development Co. L.P.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Documents and Settings\Kim and Mike\Application Data\Dropbox\bin\Dropbox.exe" = C:\Documents and Settings\Kim and Mike\Application Data\Dropbox\bin\Dropbox.exe:*:Enabled:Dropbox -- ()
"C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" = C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe:*:Enabled:McAfee Shared Service Host -- (McAfee, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0289B35E-DC07-4c7a-9710-BBD686EA4B7D}" = Status
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
"{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}" = OpenOffice.org Installer 1.0
"{0F756CD9-4A1E-409B-B101-601DDC4C03AA}" = QualxServ Service Agreement
"{13515135-48BB-4184-8C1F-2FAE0138E200}" = TBS WMP Plug-in
"{1753255A-0AEB-4220-8C75-607B73F0C133}" = Copy
"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime
"{2266312B-3502-41EE-82CD-8DC62276D87B}" = Vz In Home Agent
"{2614F54E-A828-49FA-93BA-45A3F756BFAA}" = 32 Bit HP CIO Components Installer
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java™ 6 Update 18
"{281ECE39-F043-492B-8337-F2E546B5604A}" = PowerDVD
"{29FA38B4-0AE4-4D0D-8A51-6165BB990BB0}" = WebReg
"{2F28B3C9-2C89-4206-8B33-8ADC9577C49B}" = Scan
"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{36FDBE6E-6684-462B-AE98-9A39A1B200CC}" = HP Product Assistant
"{415CDA53-9100-476F-A7B2-476691E117C7}" = HP Smart Web Printing
"{487B0B9B-DCD4-440D-89A0-A6EDE1A545A3}" = HPSSupply
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{543E938C-BDC4-4933-A612-01293996845F}" = UnloadSupport
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{62230596-37E5-4618-A329-0D21F529A86F}" = Browser Address Error Redirector
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{681B698F-C997-42C3-B184-B489C6CA24C9}" = HPPhotoSmartDiscLabelContent1
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{72EF21F6-6DF7-C5C5-3AEA-1C8F52E0AADD}" = Seesmic Desktop
"{73317C31-2B6E-4B88-9865-B97C1331A39D}" = PayPal Plug-In
"{777CA40C-0206-4EF6-A0FC-618BF06BF8D0}" = Intel® PRO Network Connections 12.1.8.0
"{818ABC3C-635C-4651-8183-D0E9640B7DD1}" = HP Update
"{824D3839-DAA1-4315-A822-7AE3E620E528}" = VideoToolkit01
"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
"{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}" = Roxio Creator BDAV Plugin
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROPLUSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROPLUSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROPLUSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROPLUSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROPLUSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROPLUSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROPLUSR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROPLUSR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUSR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_PROPLUSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROPLUSR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROPLUSR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROPLUSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
"{91120000-0011-0000-0000-0000000FF1CE}_PROPLUSR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0011-0000-0000-0000000FF1CE}_PROPLUSR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{9C2D4047-0E40-499a-AC7A-C4B9BB12FE03}" = TrayApp
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A6B90148-02C5-4fd3-8D7A-EF2386835CB9}" = F4100_Help
"{A6C265BE-E2C1-483e-843D-6B4C1E912AE0}" = F4100
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A82000000003}" = Adobe Reader 8.2.2
"{AEA07F97-9088-497c-8821-0F36BD5DC251}" = HPProductAssistant
"{AF7FC1CA-79DF-43c3-90A3-33EFEB9294CE}" = AIO_Scan
"{B4509BCE-7BAD-4a8c-B1AE-4D0CE7467C42}" = F4100_doccd
"{B4F35A00-24FD-4fb3-BF5E-413D5423434D}" = DJ_AIO_Software_min
"{BCD6CD1A-0DBE-412E-9F25-3B500D1E6BA1}" = SolutionCenter
"{C894366E-51C4-4162-BA82-ECBEFC1C2C61}" = PayPal Plug-In
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{CA50045C-5119-48e7-9BA7-6B317379857A}" = DJ_AIO_Software
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D0E39A1D-0CEE-4D85-B4A2-E3BE990D075E}" = Destination Component
"{D639085F-4B6E-4105-9F37-A0DBB023E2FB}" = Roxio MyDVD DE
"{D79113E7-274C-470B-BD46-01B10219DF6A}" = HPPhotosmartEssential
"{E2662C24-B31E-4349-A084-32EB76E8B760}" = BufferChm
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center
"{E46B2F8A-6CCD-4949-871D-F9664F2113AB}" = PayPal Plug-In
"{E548726E-F4E8-459f-BAB8-45551BC071E9}" = DJ_AIO_ProductContext
"{E9C18EBD-85BE-47D0-AA73-3FEDCC976B04}" = Toolbox
"{EF1ADA5A-0B1A-4662-8C55-7475A61D8B65}" = DeviceDiscovery
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F72E2DDC-3DB8-4190-A21D-63883D955FE7}" = PSSWCORE
"{FA8A44D7-3E8A-4034-9C4F-088FA6B72BC4}" = HP Deskjet All-In-One Software 9.0
"{FE34691C-4298-4667-9758-D7F534DD0B94}" = Dell Automated PC TuneUp
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.3
"CDisplay_is1" = CDisplay 1.8
"com.seesmic.desktop.client.D89F32799270693BEF34AAA36E9B2632B59240FA.1" = Seesmic Desktop
"ffdshow_is1" = ffdshow [rev 2527] [2008-12-19]
"FLAC" = FLAC 1.2.1b (remove only)
"Free FLV Converter_is1" = Free FLV Converter V 6.7.6
"Free RM to MP3 Converter_is1" = Free RM to MP3 Converter 1.12
"HDMI" = Intel® Graphics Media Accelerator Driver
"HP Imaging Device Functions" = HP Imaging Device Functions 9.0
"HP Photosmart Essential" = HP Photosmart Essential 3.5
"HP Solution Center & Imaging Support Tools" = HP Solution Center 9.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{13515135-48BB-4184-8C1F-2FAE0138E200}" = TBS WMP Plug-in
"IrfanView" = IrfanView (remove only)
"KLiteCodecPack_is1" = K-Lite Codec Pack 3.8.5 Full
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Monkey's Audio_is1" = Monkey's Audio
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"MSC" = McAfee AntiVirus Plus
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PROPLUSR" = Microsoft Office Professional Plus 2007
"RadLight MPC DirectShow Filter" = RadLight MPC DirectShow Filter (remove only)
"RealPlayer 12.0" = RealPlayer
"SUPER " = SUPER Version 2008.bld.30 (Mar 22, 2008)
"Unlocker" = Unlocker 1.8.8
"Verizon FiOS Activation_is1" = Verizon FiOS Activation
"Weather Services" = Weather Services
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinGimp-2.0_is1" = GIMP 2.6.5
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XviD" = XviD MPEG-4 Codec

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1218255451-2204578224-1837552165-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox
"Move Media Player" = Move Media Player
"QUICKMEDIACONVERTER" = Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/22/2010 1:41:00 PM | Computer Name = MYPC | Source = McLogEvent | ID = 5022
Description = MCSCAN32 Engine Initialisation failed. Engine returned error : 3

Error - 5/22/2010 1:44:18 PM | Computer Name = MYPC | Source = McLogEvent | ID = 5022
Description = MCSCAN32 Engine Initialisation failed. Engine returned error : 3

Error - 5/25/2010 12:45:57 PM | Computer Name = MYPC | Source = McLogEvent | ID = 5022
Description = MCSCAN32 Engine Initialisation failed. Engine returned error : 3

Error - 5/25/2010 12:47:27 PM | Computer Name = MYPC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 5/25/2010 12:47:27 PM | Computer Name = MYPC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 5/25/2010 12:47:27 PM | Computer Name = MYPC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 5/25/2010 12:47:27 PM | Computer Name = MYPC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 5/25/2010 12:47:28 PM | Computer Name = MYPC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 5/25/2010 12:47:28 PM | Computer Name = MYPC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 5/25/2010 12:47:28 PM | Computer Name = MYPC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

[ OSession Events ]
Error - 7/16/2009 8:05:10 PM | Computer Name = MYPC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 1
seconds with 0 seconds of active time. This session ended with a crash.

Error - 7/16/2009 8:05:14 PM | Computer Name = MYPC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 2
seconds with 0 seconds of active time. This session ended with a crash.

Error - 7/16/2009 8:05:18 PM | Computer Name = MYPC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 1
seconds with 0 seconds of active time. This session ended with a crash.

Error - 7/16/2009 8:05:22 PM | Computer Name = MYPC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 2
seconds with 0 seconds of active time. This session ended with a crash.

Error - 7/16/2009 8:05:27 PM | Computer Name = MYPC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 1
seconds with 0 seconds of active time. This session ended with a crash.

Error - 7/16/2009 8:05:34 PM | Computer Name = MYPC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 2
seconds with 0 seconds of active time. This session ended with a crash.

Error - 7/16/2009 8:06:02 PM | Computer Name = MYPC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 15
seconds with 0 seconds of active time. This session ended with a crash.

Error - 7/16/2009 8:06:10 PM | Computer Name = MYPC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 2
seconds with 0 seconds of active time. This session ended with a crash.

Error - 7/16/2009 8:06:23 PM | Computer Name = MYPC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 1
seconds with 0 seconds of active time. This session ended with a crash.

Error - 7/16/2009 8:06:36 PM | Computer Name = MYPC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 8
seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 5/25/2010 12:45:57 PM | Computer Name = MYPC | Source = Service Control Manager | ID = 7000
Description = The Network Connections service failed to start due to the following
error: %%1053

Error - 5/25/2010 12:45:57 PM | Computer Name = MYPC | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Secondary Logon service
to connect.

Error - 5/25/2010 12:45:57 PM | Computer Name = MYPC | Source = Service Control Manager | ID = 7001
Description = The System Event Notification service depends on the COM+ Event System
service which failed to start because of the following error: %%1053

Error - 5/25/2010 12:45:57 PM | Computer Name = MYPC | Source = Service Control Manager | ID = 7001
Description = The Windows Firewall/Internet Connection Sharing (ICS) service depends
on the Network Connections service which failed to start because of the following
error: %%1053

Error - 5/25/2010 12:46:07 PM | Computer Name = MYPC | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 5/25/2010 12:46:07 PM | Computer Name = MYPC | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 5/25/2010 12:46:49 PM | Computer Name = MYPC | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 5/25/2010 12:47:20 PM | Computer Name = MYPC | Source = Service Control Manager | ID = 7022
Description = The HP CUE DeviceDiscovery Service service hung on starting.

Error - 5/25/2010 12:47:20 PM | Computer Name = MYPC | Source = Service Control Manager | ID = 7022
Description = The McAfee VirusScan Announcer service hung on starting.

Error - 5/25/2010 12:47:22 PM | Computer Name = MYPC | Source = Service Control Manager | ID = 7022
Description = The Windows Image Acquisition (WIA) service hung on starting.


< End of report >
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-25 14:03:24
Windows 5.1.2600 Service Pack 3
Running: ul3z7oug.exe; Driver: C:\DOCUME~1\KIMAND~1\LOCALS~1\Temp\pxtdypog.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF7219C50]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF7219C64]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF7219C90]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF7219CE6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF7219C3C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF7219C14]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF7219C28]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF7219C7A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF7219CBC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF7219CA6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF7219D10]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF7219CFC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF7219CD0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AF4 7 Bytes JMP F7219CD4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B1FE6 7 Bytes JMP F7219CEA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2DF4 5 Bytes JMP F7219D00 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetSecurityObject 805C05DA 5 Bytes JMP F7219CC0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB3FA 5 Bytes JMP F7219C18 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB686 5 Bytes JMP F7219C2C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D2982 5 Bytes JMP F7219D14 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D3A 7 Bytes JMP F7219CAA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231EA 7 Bytes JMP F7219C7E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806237C8 5 Bytes JMP F7219C54 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C64 7 Bytes JMP F7219C68 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E34 7 Bytes JMP F7219C94 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624BA6 5 Bytes JMP F7219C40 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.rsrc C:\WINDOWS\system32\DRIVERS\kbdhid.sys entry point in ".rsrc" section [0xF5B5C094]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[136] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00950FE5
.text C:\WINDOWS\System32\svchost.exe[136] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0095000A
.text C:\WINDOWS\System32\svchost.exe[136] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00950FD4
.text C:\WINDOWS\System32\svchost.exe[136] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001C0FEF
.text C:\WINDOWS\System32\svchost.exe[136] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001C0080
.text C:\WINDOWS\System32\svchost.exe[136] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001C0065
.text C:\WINDOWS\System32\svchost.exe[136] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001C0F8B
.text C:\WINDOWS\System32\svchost.exe[136] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001C0FA8
.text C:\WINDOWS\System32\svchost.exe[136] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001C002F
.text C:\WINDOWS\System32\svchost.exe[136] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001C0F49
.text C:\WINDOWS\System32\svchost.exe[136] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001C0091
.text C:\WINDOWS\System32\svchost.exe[136] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001C0F02
.text C:\WINDOWS\System32\svchost.exe[136] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001C0F1D
.text C:\WINDOWS\System32\svchost.exe[136] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001C0EDD
.text C:\WINDOWS\System32\svchost.exe[136] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001C0040
.text C:\WINDOWS\System32\svchost.exe[136] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001C0014
.text C:\WINDOWS\System32\svchost.exe[136] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001C0F70
.text C:\WINDOWS\System32\svchost.exe[136] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001C0FC3
.text C:\WINDOWS\System32\svchost.exe[136] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001C0FDE
.text C:\WINDOWS\System32\svchost.exe[136] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001C0F2E
.text C:\WINDOWS\System32\svchost.exe[136] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0099002C
.text C:\WINDOWS\System32\svchost.exe[136] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0099007A
.text C:\WINDOWS\System32\svchost.exe[136] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00990FDB
.text C:\WINDOWS\System32\svchost.exe[136] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0099001B
.text C:\WINDOWS\System32\svchost.exe[136] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00990069
.text C:\WINDOWS\System32\svchost.exe[136] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00990000
.text C:\WINDOWS\System32\svchost.exe[136] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00990058
.text C:\WINDOWS\System32\svchost.exe[136] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0099003D
.text C:\WINDOWS\System32\svchost.exe[136] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00980FA6
.text C:\WINDOWS\System32\svchost.exe[136] msvcrt.dll!system 77C293C7 5 Bytes JMP 00980027
.text C:\WINDOWS\System32\svchost.exe[136] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00980FD2
.text C:\WINDOWS\System32\svchost.exe[136] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00980FEF
.text C:\WINDOWS\System32\svchost.exe[136] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00980FB7
.text C:\WINDOWS\System32\svchost.exe[136] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0098000C
.text C:\WINDOWS\System32\svchost.exe[136] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 0096000A
.text C:\WINDOWS\System32\svchost.exe[136] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00960FEF
.text C:\WINDOWS\System32\svchost.exe[136] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 0096001B
.text C:\WINDOWS\System32\svchost.exe[136] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00960FCA
.text C:\WINDOWS\System32\svchost.exe[136] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00970000
.text C:\WINDOWS\System32\svchost.exe[360] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00960FEF
.text C:\WINDOWS\System32\svchost.exe[360] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00960FD4
.text C:\WINDOWS\System32\svchost.exe[360] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0096000A
.text C:\WINDOWS\System32\svchost.exe[360] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0095000A
.text C:\WINDOWS\System32\svchost.exe[360] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00950F88
.text C:\WINDOWS\System32\svchost.exe[360] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0095007D
.text C:\WINDOWS\System32\svchost.exe[360] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00950FAF
.text C:\WINDOWS\System32\svchost.exe[360] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00950062
.text C:\WINDOWS\System32\svchost.exe[360] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00950FD4
.text C:\WINDOWS\System32\svchost.exe[360] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00950F3F
.text C:\WINDOWS\System32\svchost.exe[360] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00950F5A
.text C:\WINDOWS\System32\svchost.exe[360] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00950F09
.text C:\WINDOWS\System32\svchost.exe[360] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009500A2
.text C:\WINDOWS\System32\svchost.exe[360] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009500BD
.text C:\WINDOWS\System32\svchost.exe[360] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00950051
.text C:\WINDOWS\System32\svchost.exe[360] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00950FEF
.text C:\WINDOWS\System32\svchost.exe[360] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00950F77
.text C:\WINDOWS\System32\svchost.exe[360] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00950036
.text C:\WINDOWS\System32\svchost.exe[360] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00950025
.text C:\WINDOWS\System32\svchost.exe[360] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00950F24
.text C:\WINDOWS\System32\svchost.exe[360] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 001C004A
.text C:\WINDOWS\System32\svchost.exe[360] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 001C0FC3
.text C:\WINDOWS\System32\svchost.exe[360] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 001C0025
.text C:\WINDOWS\System32\svchost.exe[360] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 001C000A
.text C:\WINDOWS\System32\svchost.exe[360] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 001C0080
.text C:\WINDOWS\System32\svchost.exe[360] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 001C0FEF
.text C:\WINDOWS\System32\svchost.exe[360] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 001C0FD4
.text C:\WINDOWS\System32\svchost.exe[360] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [3C, 88] {CMP AL, 0x88}
.text C:\WINDOWS\System32\svchost.exe[360] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 001C005B
.text C:\WINDOWS\System32\svchost.exe[360] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0099002E
.text C:\WINDOWS\System32\svchost.exe[360] msvcrt.dll!system 77C293C7 5 Bytes JMP 00990FAD
.text C:\WINDOWS\System32\svchost.exe[360] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0099001D
.text C:\WINDOWS\System32\svchost.exe[360] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0099000C
.text C:\WINDOWS\System32\svchost.exe[360] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00990FC8
.text C:\WINDOWS\System32\svchost.exe[360] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00990FE3
.text C:\WINDOWS\System32\svchost.exe[360] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00970000
.text C:\WINDOWS\System32\svchost.exe[360] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00970FE5
.text C:\WINDOWS\System32\svchost.exe[360] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00970025
.text C:\WINDOWS\System32\svchost.exe[360] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00970FD4
.text C:\WINDOWS\System32\svchost.exe[360] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00980FEF
.text C:\WINDOWS\Explorer.EXE[376] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 015B0000
.text C:\WINDOWS\Explorer.EXE[376] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 015B0FDE
.text C:\WINDOWS\Explorer.EXE[376] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 015B0FEF
.text C:\WINDOWS\Explorer.EXE[376] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\Explorer.EXE[376] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\WINDOWS\Explorer.EXE[376] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 015A0FEF
.text C:\WINDOWS\Explorer.EXE[376] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 015A007D
.text C:\WINDOWS\Explorer.EXE[376] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 015A006C
.text C:\WINDOWS\Explorer.EXE[376] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 015A005B
.text C:\WINDOWS\Explorer.EXE[376] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 015A0F9E
.text C:\WINDOWS\Explorer.EXE[376] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 015A0025
.text C:\WINDOWS\Explorer.EXE[376] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 015A00BF
.text C:\WINDOWS\Explorer.EXE[376] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 015A00A4
.text C:\WINDOWS\Explorer.EXE[376] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 015A0F52
.text C:\WINDOWS\Explorer.EXE[376] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 015A00EB
.text C:\WINDOWS\Explorer.EXE[376] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 015A0110
.text C:\WINDOWS\Explorer.EXE[376] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 015A0040
.text C:\WINDOWS\Explorer.EXE[376] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 015A0FDE
.text C:\WINDOWS\Explorer.EXE[376] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 015A0F6D
.text C:\WINDOWS\Explorer.EXE[376] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 015A0014
.text C:\WINDOWS\Explorer.EXE[376] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 015A0FCD
.text C:\WINDOWS\Explorer.EXE[376] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 015A00DA
.text C:\WINDOWS\Explorer.EXE[376] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0155002C
.text C:\WINDOWS\Explorer.EXE[376] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01550080
.text C:\WINDOWS\Explorer.EXE[376] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0155001B
.text C:\WINDOWS\Explorer.EXE[376] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01550FDB
.text C:\WINDOWS\Explorer.EXE[376] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01550FB9
.text C:\WINDOWS\Explorer.EXE[376] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01550000
.text C:\WINDOWS\Explorer.EXE[376] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01550051
.text C:\WINDOWS\Explorer.EXE[376] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01550FCA
.text C:\WINDOWS\Explorer.EXE[376] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0168005F
.text C:\WINDOWS\Explorer.EXE[376] msvcrt.dll!system 77C293C7 5 Bytes JMP 01680044
.text C:\WINDOWS\Explorer.EXE[376] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01680FD4
.text C:\WINDOWS\Explorer.EXE[376] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01680000
.text C:\WINDOWS\Explorer.EXE[376] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01680029
.text C:\WINDOWS\Explorer.EXE[376] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01680FEF
.text C:\WINDOWS\Explorer.EXE[376] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 0166000A
.text C:\WINDOWS\Explorer.EXE[376] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0166001B
.text C:\WINDOWS\Explorer.EXE[376] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01660FE5
.text C:\WINDOWS\Explorer.EXE[376] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 01660036
.text C:\WINDOWS\Explorer.EXE[376] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0167000A
.text C:\WINDOWS\system32\svchost.exe[544] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F20FE5
.text C:\WINDOWS\system32\svchost.exe[544] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F20FC3
.text C:\WINDOWS\system32\svchost.exe[544] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F20FD4
.text C:\WINDOWS\system32\svchost.exe[544] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009B000A
.text C:\WINDOWS\system32\svchost.exe[544] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0099000C
.text C:\WINDOWS\system32\svchost.exe[544] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F10000
.text C:\WINDOWS\system32\svchost.exe[544] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F10F75
.text C:\WINDOWS\system32\svchost.exe[544] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F10F86
.text C:\WINDOWS\system32\svchost.exe[544] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F10F97
.text C:\WINDOWS\system32\svchost.exe[544] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F10FA8
.text C:\WINDOWS\system32\svchost.exe[544] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F10040
.text C:\WINDOWS\system32\svchost.exe[544] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F10085
.text C:\WINDOWS\system32\svchost.exe[544] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F10F49
.text C:\WINDOWS\system32\svchost.exe[544] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F10F0E
.text C:\WINDOWS\system32\svchost.exe[544] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F100A7
.text C:\WINDOWS\system32\svchost.exe[544] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F10EFD
.text C:\WINDOWS\system32\svchost.exe[544] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F10FB9
.text C:\WINDOWS\system32\svchost.exe[544] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F10FE5
.text C:\WINDOWS\system32\svchost.exe[544] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F10F5A
.text C:\WINDOWS\system32\svchost.exe[544] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F10FD4
.text C:\WINDOWS\system32\svchost.exe[544] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F10025
.text C:\WINDOWS\system32\svchost.exe[544] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F10096
.text C:\WINDOWS\system32\svchost.exe[544] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EB0FC3
.text C:\WINDOWS\system32\svchost.exe[544] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EB002F
.text C:\WINDOWS\system32\svchost.exe[544] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EB0FDE
.text C:\WINDOWS\system32\svchost.exe[544] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EB0014
.text C:\WINDOWS\system32\svchost.exe[544] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EB0F7C
.text C:\WINDOWS\system32\svchost.exe[544] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EB0FEF
.text C:\WINDOWS\system32\svchost.exe[544] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00EB0F8D
.text C:\WINDOWS\system32\svchost.exe[544] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [0B, 89]
.text C:\WINDOWS\system32\svchost.exe[544] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EB0F9E
.text C:\WINDOWS\system32\svchost.exe[544] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 009E000A
.text C:\WINDOWS\system32\svchost.exe[544] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01C50044
.text C:\WINDOWS\system32\svchost.exe[544] msvcrt.dll!system 77C293C7 5 Bytes JMP 01C50033
.text C:\WINDOWS\system32\svchost.exe[544] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01C50011
.text C:\WINDOWS\system32\svchost.exe[544] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01C50FE3
.text C:\WINDOWS\system32\svchost.exe[544] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01C50022
.text C:\WINDOWS\system32\svchost.exe[544] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01C50000
.text C:\WINDOWS\system32\svchost.exe[544] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00F30FEF
.text C:\WINDOWS\system32\svchost.exe[544] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00F30FD4
.text C:\WINDOWS\system32\svchost.exe[544] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00F30FAF
.text C:\WINDOWS\system32\svchost.exe[544] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00F3000A
.text C:\WINDOWS\system32\svchost.exe[544] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F40FEF
.text C:\WINDOWS\system32\svchost.exe[572] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00CB0FEF
.text C:\WINDOWS\system32\svchost.exe[572] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00CB0FDE
.text C:\WINDOWS\system32\svchost.exe[572] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CB0014
.text C:\WINDOWS\system32\svchost.exe[572] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CA0FEF
.text C:\WINDOWS\system32\svchost.exe[572] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CA0F79
.text C:\WINDOWS\system32\svchost.exe[572] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CA0F8A
.text C:\WINDOWS\system32\svchost.exe[572] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CA0064
.text C:\WINDOWS\system32\svchost.exe[572] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CA0047
.text C:\WINDOWS\system32\svchost.exe[572] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CA0025
.text C:\WINDOWS\system32\svchost.exe[572] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CA0095
.text C:\WINDOWS\system32\svchost.exe[572] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CA0F4D
.text C:\WINDOWS\system32\svchost.exe[572] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CA0F28
.text C:\WINDOWS\system32\svchost.exe[572] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CA00CB
.text C:\WINDOWS\system32\svchost.exe[572] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CA00E6
.text C:\WINDOWS\system32\svchost.exe[572] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CA0036
.text C:\WINDOWS\system32\svchost.exe[572] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CA0FDE
.text C:\WINDOWS\system32\svchost.exe[572] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CA0F5E
.text C:\WINDOWS\system32\svchost.exe[572] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CA0FB9
.text C:\WINDOWS\system32\svchost.exe[572] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CA0014
.text C:\WINDOWS\system32\svchost.exe[572] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CA00A6
.text C:\WINDOWS\system32\svchost.exe[572] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 001C0FB2
.text C:\WINDOWS\system32\svchost.exe[572] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 001C005E
.text C:\WINDOWS\system32\svchost.exe[572] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 001C0FCD
.text C:\WINDOWS\system32\svchost.exe[572] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 001C0FDE
.text C:\WINDOWS\system32\svchost.exe[572] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 001C0043
.text C:\WINDOWS\system32\svchost.exe[572] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 001C0FEF
.text C:\WINDOWS\system32\svchost.exe[572] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 001C0028
.text C:\WINDOWS\system32\svchost.exe[572] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 001C0FA1
.text C:\WINDOWS\system32\svchost.exe[572] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CD0FAA
.text C:\WINDOWS\system32\svchost.exe[572] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CD003F
.text C:\WINDOWS\system32\svchost.exe[572] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CD001D
.text C:\WINDOWS\system32\svchost.exe[572] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CD0000
.text C:\WINDOWS\system32\svchost.exe[572] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CD002E
.text C:\WINDOWS\system32\svchost.exe[572] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CD0FE3
.text C:\WINDOWS\system32\svchost.exe[572] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00CC0000
.text C:\WINDOWS\system32\svchost.exe[572] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00CC001B
.text C:\WINDOWS\system32\svchost.exe[572] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00CC0036
.text C:\WINDOWS\system32\svchost.exe[572] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00CC0047
.text C:\WINDOWS\system32\svchost.exe[720] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 015D0FEF
.text C:\WINDOWS\system32\svchost.exe[720] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 015D001B
.text C:\WINDOWS\system32\svchost.exe[720] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 015D0000
.text C:\WINDOWS\system32\svchost.exe[720] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 015C0FEF
.text C:\WINDOWS\system32\svchost.exe[720] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 015C0071
.text C:\WINDOWS\system32\svchost.exe[720] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 015C004C
.text C:\WINDOWS\system32\svchost.exe[720] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 015C0F72
.text C:\WINDOWS\system32\svchost.exe[720] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 015C0F83
.text C:\WINDOWS\system32\svchost.exe[720] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 015C0014
.text C:\WINDOWS\system32\svchost.exe[720] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 015C008C
.text C:\WINDOWS\system32\svchost.exe[720] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 015C0F44
.text C:\WINDOWS\system32\svchost.exe[720] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 015C00BB
.text C:\WINDOWS\system32\svchost.exe[720] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 015C0F22
.text C:\WINDOWS\system32\svchost.exe[720] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 015C0F07
.text C:\WINDOWS\system32\svchost.exe[720] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 015C0025
.text C:\WINDOWS\system32\svchost.exe[720] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 015C0FDE
.text C:\WINDOWS\system32\svchost.exe[720] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 015C0F61
.text C:\WINDOWS\system32\svchost.exe[720] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 015C0FA8
.text C:\WINDOWS\system32\svchost.exe[720] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 015C0FC3
.text C:\WINDOWS\system32\svchost.exe[720] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 015C0F33
.text C:\WINDOWS\system32\svchost.exe[720] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 015B000A
.text C:\WINDOWS\system32\svchost.exe[720] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 015B0F6F
.text C:\WINDOWS\system32\svchost.exe[720] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 015B0FB9
.text C:\WINDOWS\system32\svchost.exe[720] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 015B0FD4
.text C:\WINDOWS\system32\svchost.exe[720] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 015B0036
.text C:\WINDOWS\system32\svchost.exe[720] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 015B0FE5
.text C:\WINDOWS\system32\svchost.exe[720] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 015B0025
.text C:\WINDOWS\system32\svchost.exe[720] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 015B0F9E
.text C:\WINDOWS\system32\svchost.exe[720] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01600FC3
.text C:\WINDOWS\system32\svchost.exe[720] msvcrt.dll!system 77C293C7 5 Bytes JMP 0160004E
.text C:\WINDOWS\system32\svchost.exe[720] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01600029
.text C:\WINDOWS\system32\svchost.exe[720] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01600000
.text C:\WINDOWS\system32\svchost.exe[720] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01600FD4
.text C:\WINDOWS\system32\svchost.exe[720] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01600FEF
.text C:\WINDOWS\system32\svchost.exe[720] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 015E0000
.text C:\WINDOWS\system32\svchost.exe[720] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 015E0FDB
.text C:\WINDOWS\system32\svchost.exe[720] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 015E0FCA
.text C:\WINDOWS\system32\svchost.exe[720] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 015E0FB9
.text C:\WINDOWS\system32\svchost.exe[720] WS2_32.dll!socket 71AB4211 5 Bytes JMP 015F0000
.text C:\WINDOWS\system32\services.exe[1096] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\services.exe[1096] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00FF0014
.text C:\WINDOWS\system32\services.exe[1096] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FF0FDE
.text C:\WINDOWS\system32\services.exe[1096] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FE000A
.text C:\WINDOWS\system32\services.exe[1096] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FE0FA1
.text C:\WINDOWS\system32\services.exe[1096] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FE0096
.text C:\WINDOWS\system32\services.exe[1096] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FE0FB2
.text C:\WINDOWS\system32\services.exe[1096] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FE006F
.text C:\WINDOWS\system32\services.exe[1096] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FE0FCD
.text C:\WINDOWS\system32\services.exe[1096] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FE00B1
.text C:\WINDOWS\system32\services.exe[1096] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FE0F75
.text C:\WINDOWS\system32\services.exe[1096] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FE00F1
.text C:\WINDOWS\system32\services.exe[1096] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FE0F4E
.text C:\WINDOWS\system32\services.exe[1096] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FE010C
.text C:\WINDOWS\system32\services.exe[1096] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FE0054
.text C:\WINDOWS\system32\services.exe[1096] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\services.exe[1096] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FE0F86
.text C:\WINDOWS\system32\services.exe[1096] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FE0FDE
.text C:\WINDOWS\system32\services.exe[1096] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FE002F
.text C:\WINDOWS\system32\services.exe[1096] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FE00C2
.text C:\WINDOWS\system32\services.exe[1096] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 012D0FB9
.text C:\WINDOWS\system32\services.exe[1096] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 012D004A
.text C:\WINDOWS\system32\services.exe[1096] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 012D0FD4
.text C:\WINDOWS\system32\services.exe[1096] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 012D000A
.text C:\WINDOWS\system32\services.exe[1096] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 012D002F
.text C:\WINDOWS\system32\services.exe[1096] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 012D0FEF
.text C:\WINDOWS\system32\services.exe[1096] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 012D0F8D
.text C:\WINDOWS\system32\services.exe[1096] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4D, 89]
.text C:\WINDOWS\system32\services.exe[1096] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 012D0F9E
.text C:\WINDOWS\system32\services.exe[1096] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 012C003B
.text C:\WINDOWS\system32\services.exe[1096] msvcrt.dll!system 77C293C7 5 Bytes JMP 012C0016
.text C:\WINDOWS\system32\services.exe[1096] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 012C0FC1
.text C:\WINDOWS\system32\services.exe[1096] msvcrt.dll!_open 77C2F566 5 Bytes JMP 012C0FE3
.text C:\WINDOWS\system32\services.exe[1096] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 012C0FB0
.text C:\WINDOWS\system32\services.exe[1096] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 012C0FD2
.text C:\WINDOWS\system32\services.exe[1096] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 012A0FEF
.text C:\WINDOWS\system32\services.exe[1096] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 012A0000
.text C:\WINDOWS\system32\services.exe[1096] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 012A0FCA
.text C:\WINDOWS\system32\services.exe[1096] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 012A0FAF
.text C:\WINDOWS\system32\services.exe[1096] WS2_32.dll!socket 71AB4211 5 Bytes JMP 012B000A
.text C:\WINDOWS\system32\lsass.exe[1108] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01050FEF
.text C:\WINDOWS\system32\lsass.exe[1108] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 01050FCD
.text C:\WINDOWS\system32\lsass.exe[1108] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01050FDE
.text C:\WINDOWS\system32\lsass.exe[1108] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E70000
.text C:\WINDOWS\system32\lsass.exe[1108] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E70F70
.text C:\WINDOWS\system32\lsass.exe[1108] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E70F81
.text C:\WINDOWS\system32\lsass.exe[1108] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E70F92
.text C:\WINDOWS\system32\lsass.exe[1108] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E70FAF
.text C:\WINDOWS\system32\lsass.exe[1108] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E70036
.text C:\WINDOWS\system32\lsass.exe[1108] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E70F5F
.text C:\WINDOWS\system32\lsass.exe[1108] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E7009B
.text C:\WINDOWS\system32\lsass.exe[1108] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E700E7
.text C:\WINDOWS\system32\lsass.exe[1108] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E700D6
.text C:\WINDOWS\system32\lsass.exe[1108] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E70F33
.text C:\WINDOWS\system32\lsass.exe[1108] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E70047
.text C:\WINDOWS\system32\lsass.exe[1108] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E70011
.text C:\WINDOWS\system32\lsass.exe[1108] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E70080
.text C:\WINDOWS\system32\lsass.exe[1108] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E70FC0
.text C:\WINDOWS\system32\lsass.exe[1108] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E70FD1
.text C:\WINDOWS\system32\lsass.exe[1108] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E70F4E
.text C:\WINDOWS\system32\lsass.exe[1108] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01090051
.text C:\WINDOWS\system32\lsass.exe[1108] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01090FDB
.text C:\WINDOWS\system32\lsass.exe[1108] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01090040
.text C:\WINDOWS\system32\lsass.exe[1108] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0109001B
.text C:\WINDOWS\system32\lsass.exe[1108] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0109008E
.text C:\WINDOWS\system32\lsass.exe[1108] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0109000A
.text C:\WINDOWS\system32\lsass.exe[1108] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01090073
.text C:\WINDOWS\system32\lsass.exe[1108] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01090062
.text C:\WINDOWS\system32\lsass.exe[1108] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0108005F
.text C:\WINDOWS\system32\lsass.exe[1108] msvcrt.dll!system 77C293C7 5 Bytes JMP 0108004E
.text C:\WINDOWS\system32\lsass.exe[1108] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01080018
.text C:\WINDOWS\system32\lsass.exe[1108] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01080FEF
.text C:\WINDOWS\system32\lsass.exe[1108] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01080033
.text C:\WINDOWS\system32\lsass.exe[1108] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01080FDE
.text C:\WINDOWS\system32\lsass.exe[1108] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01070000
.text C:\WINDOWS\system32\lsass.exe[1108] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 0106000A
.text C:\WINDOWS\system32\lsass.exe[1108] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 01060FEF
.text C:\WINDOWS\system32\lsass.exe[1108] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01060FD4
.text C:\WINDOWS\system32\lsass.exe[1108] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 01060FC3
.text C:\WINDOWS\system32\svchost.exe[1300] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00DE0FEF
.text C:\WINDOWS\system32\svchost.exe[1300] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00DE0FDE
.text C:\WINDOWS\system32\svchost.exe[1300] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DE000A
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001C0000
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001C00A4
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001C0093
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001C0FAF
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001C0FC0
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001C0FDB
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001C0F72
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001C0F8D
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001C0F35
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001C0F50
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001C00E9
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001C0062
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001C001B
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001C0F9E
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001C0047
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001C002C
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001C0F61
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E70FCA
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E70FA8
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E70FDB
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E7001B
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E7005B
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E70000
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00E7004A
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E70FB9
.text C:\WINDOWS\system32\svchost.exe[1300] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E60FA8
.text C:\WINDOWS\system32\svchost.exe[1300] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E60FC3
.text C:\WINDOWS\system32\svchost.exe[1300] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E60FEF
.text C:\WINDOWS\system32\svchost.exe[1300] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E6000C
.text C:\WINDOWS\system32\svchost.exe[1300] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E60FDE
.text C:\WINDOWS\system32\svchost.exe[1300] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E60029
.text C:\WINDOWS\system32\svchost.exe[1300] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00E4000A
.text C:\WINDOWS\system32\svchost.exe[1300] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00E40FE5
.text C:\WINDOWS\system32\svchost.exe[1300] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00E4001B
.text C:\WINDOWS\system32\svchost.exe[1300] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00E40FCA
.text C:\WINDOWS\system32\svchost.exe[1300] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E50FEF
.text C:\WINDOWS\system32\svchost.exe[1376] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F70000
.text C:\WINDOWS\system32\svchost.exe[1376] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F70FEF
.text C:\WINDOWS\system32\svchost.exe[1376] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F70025
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F60000
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F60F9C
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F60091
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F60076
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F60FC3
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F6005B
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F600C9
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F600AC
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F60F41
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F600DA
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F60F30
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F60FD4
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F6001B
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F60F81
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F60FE5
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F6002C
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F60F66
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FB0036
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FB0062
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FB0025
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FB000A
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FB0FA5
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FB0FE5
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00FB0FC0
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [1B, 89]
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FB0047
.text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FA0F94
.text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FA0FB9
.text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FA0FEF
.text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FA0000
.text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FA0FCA
.text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FA001D
.text C:\WINDOWS\system32\svchost.exe[1376] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00F80000
.text C:\WINDOWS\system32\svchost.exe[1376] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00F80025
.text C:\WINDOWS\system32\svchost.exe[1376] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00F80FEF
.text C:\WINDOWS\system32\svchost.exe[1376] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00F80FDE
.text C:\WINDOWS\system32\svchost.exe[1376] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F9000A
.text C:\WINDOWS\system32\svchost.exe[1552] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00A50FEF
.text C:\WINDOWS\system32\svchost.exe[1552] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00A50FB9
.text C:\WINDOWS\system32\svchost.exe[1552] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A50FD4
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001C0FE5
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001C0F50
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001C0045
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001C0F6B
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001C0F7C
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001C0F9E
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001C0062
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001C0F1A
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001C0EFF
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001C0098
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001C00B3
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001C0F8D
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001C0FCA
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001C0F35
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001C000A
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001C0FB9
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001C007D
.text C:\WINDOWS\system32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A90FCA
.text C:\WINDOWS\system32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A90F94
.text C:\WINDOWS\system32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A9001B
.text C:\WINDOWS\system32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A90FE5
.text C:\WINDOWS\system32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A90047
.text C:\WINDOWS\system32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A90000
.text C:\WINDOWS\system32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A90FA5
.text C:\WINDOWS\system32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C9, 88]
.text C:\WINDOWS\system32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A90036
.text C:\WINDOWS\system32\svchost.exe[1552] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A80FA3
.text C:\WINDOWS\system32\svchost.exe[1552] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A80FBE
.text C:\WINDOWS\system32\svchost.exe[1552] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A8001D
.text C:\WINDOWS\system32\svchost.exe[1552] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A80FEF
.text C:\WINDOWS\system32\svchost.exe[1552] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A8002E
.text C:\WINDOWS\system32\svchost.exe[1552] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A80000
.text C:\WINDOWS\system32\svchost.exe[1552] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00A60FEF
.text C:\WINDOWS\system32\svchost.exe[1552] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00A60000
.text C:\WINDOWS\system32\svchost.exe[1552] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00A60011
.text C:\WINDOWS\system32\svchost.exe[1552] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00A60FC0
.text C:\WINDOWS\system32\svchost.exe[1552] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A70FE5
.text C:\WINDOWS\system32\svchost.exe[1580] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 001C0000
.text C:\WINDOWS\system32\svchost.exe[1580] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 001C0FDE
.text C:\WINDOWS\system32\svchost.exe[1580] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 001C0FEF
.text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0000
.text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0F94
.text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B007F
.text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0FA5
.text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0FC0
.text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0058
.text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B0F52
.text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B0F63
.text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B00D0
.text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B00B5
.text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B00E1
.text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B0FD1
.text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B0011
.text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B009A
.text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B003D
.text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B0022
.text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B0F37
.text C:\WINDOWS\system32\svchost.exe[1580] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C90FAF
.text C:\WINDOWS\system32\svchost.exe[1580] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C90058
.text C:\WINDOWS\system32\svchost.exe[1580] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C90FD4
.text C:\WINDOWS\system32\svchost.exe[1580] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C9000A
.text C:\WINDOWS\system32\svchost.exe[1580] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C90047
.text C:\WINDOWS\system32\svchost.exe[1580] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C90FEF
.text C:\WINDOWS\system32\svchost.exe[1580] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C90036
.text C:\WINDOWS\system32\svchost.exe[1580] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C9001B
.text C:\WINDOWS\system32\svchost.exe[1580] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C80058
.text C:\WINDOWS\system32\svchost.exe[1580] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C80047
.text C:\WINDOWS\system32\svchost.exe[1580] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C8001B
.text C:\WINDOWS\system32\svchost.exe[1580] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C80FE3
.text C:\WINDOWS\system32\svchost.exe[1580] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C8002C
.text C:\WINDOWS\system32\svchost.exe[1580] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C80000
.text C:\WINDOWS\system32\svchost.exe[1580] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00C60000
.text C:\WINDOWS\system32\svchost.exe[1580] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00C6001B
.text C:\WINDOWS\system32\svchost.exe[1580] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00C60FEF
.text C:\WINDOWS\system32\svchost.exe[1580] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00C60036
.text C:\WINDOWS\system32\svchost.exe[1580] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C70000
.text C:\WINDOWS\system32\svchost.exe[1708] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BB0000
.text C:\WINDOWS\system32\svchost.exe[1708] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BB0FD4
.text C:\WINDOWS\system32\svchost.exe[1708] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BB0FE5
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA0000
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA0F8A
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA007F
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA0062
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA0051
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA0FC0
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA00A6
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA0F5E
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA0F39
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA00D2
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BA0F28
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BA0FAF
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BA0011
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BA0F6F
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BA002C
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BA0FDB
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BA00C1
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CF0FB2
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CF005E
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CF0FC3
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CF0FDE
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CF0039
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CF0FEF
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00CF0F97
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [EF, 88]
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CF0028
.text C:\WINDOWS\system32\svchost.exe[1708] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CE0058
.text C:\WINDOWS\system32\svchost.exe[1708] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CE003D
.text C:\WINDOWS\system32\svchost.exe[1708] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CE0FCD
.text C:\WINDOWS\system32\svchost.exe[1708] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CE0FEF
.text C:\WINDOWS\system32\svchost.exe[1708] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CE002C
.text C:\WINDOWS\system32\svchost.exe[1708] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CE0FDE
.text C:\WINDOWS\system32\svchost.exe[1708] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\system32\svchost.exe[1708] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00BC000A
.text C:\WINDOWS\system32\svchost.exe[1708] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00BC001B
.text C:\WINDOWS\system32\svchost.exe[1708] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00BC0FCA
.text C:\WINDOWS\system32\svchost.exe[1708] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\svchost.exe[1792] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00E00000
.text C:\WINDOWS\system32\svchost.exe[1792] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00E00FE5
.text C:\WINDOWS\system32\svchost.exe[1792] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E0001B
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DF0000
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DF0078
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DF0F83
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DF0F94
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DF0FA5
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DF0FDB
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DF0F43
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DF0089
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DF00C1
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DF00B0
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DF0F03
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DF0FC0
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DF001B
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DF0F5E
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DF0047
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DF0036
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DF0F32
.text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E3003D
.text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E30F9B
.text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E3002C
.text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E30011
.text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E30FAC
.text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E30000
.text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00E3004E
.text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E30FD1
.text C:\WINDOWS\system32\svchost.exe[1792] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E20FB7
.text C:\WINDOWS\system32\svchost.exe[1792] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E20038
.text C:\WINDOWS\system32\svchost.exe[1792] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E20FD2
.text C:\WINDOWS\system32\svchost.exe[1792] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E20000
.text C:\WINDOWS\system32\svchost.exe[1792] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E20027
.text C:\WINDOWS\system32\svchost.exe[1792] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E20FE3
.text C:\WINDOWS\system32\svchost.exe[1792] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00E1000A
.text C:\WINDOWS\system32\svchost.exe[1792] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00E1001B
.text C:\WINDOWS\system32\svchost.exe[1792] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00E1002C
.text C:\WINDOWS\system32\svchost.exe[1792] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00E1003D
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[1940] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[1940] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[2000] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [004076E0] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[2000] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [00407740] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)
Device -> \Driver\atapi \Device\Harddisk0\DR0 85B8ED01

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\DRIVERS\kbdhid.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
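An added triage helper for logs in the GMER format shown above (my example, not a GMER or BleepingComputer tool): it separates inline hooks that GMER attributes to a named module from those whose jump target it cannot attribute, and collects the redirected device object and modified-file entries. The sample lines are constructed from the shapes of the entries in this log; the category names are my own.

```python
import re
from collections import defaultdict

# Constructed sample in GMER 1.0.15 log format, copied in shape from the log
# above: inline hooks with and without an owning module, a two-byte patch,
# a redirected disk device object and a file GMER flags as modified.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B00D0
.text C:\WINDOWS\system32\svchost.exe[1580] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C70000
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00CF0F97
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [EF, 88]
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[1940] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
Device -> \Driver\atapi \Device\Harddisk0\DR0 85B8ED01
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
"""

HOOK_RE = re.compile(
    r"^\.text (?P<proc>.+?\[\d+\]) (?P<sym>\S+!\S+(?: \+ \d+)?) "
    r"(?P<addr>[0-9A-F]{8}) (?P<n>\d+) Bytes (?P<patch>.*)$")
DEVICE_RE = re.compile(
    r"^Device -> (?P<driver>\S+) (?P<device>\S+) (?P<addr>[0-9A-F]{8})$")
FILE_RE = re.compile(r"^File (?P<path>.+) suspicious modification$")


def classify(line):
    """Map one GMER line to (category, details); None for lines not triaged."""
    m = HOOK_RE.match(line)
    if m:
        patch = m.group("patch")
        if not patch.startswith("JMP "):
            return "patched_bytes", {"proc": m.group("proc"), "sym": m.group("sym")}
        target, _, module = patch[4:].partition(" ")
        details = {"proc": m.group("proc"), "sym": m.group("sym"),
                   "target": target, "module": module}
        # GMER appends the owning image after the target when it can map the
        # jump destination to a loaded module. No module means the trampoline
        # lives in memory GMER could not attribute: that is what to review.
        return ("attributed_hook" if module else "unattributed_hook"), details
    m = DEVICE_RE.match(line)
    if m:
        return "device_redirect", m.groupdict()
    m = FILE_RE.match(line)
    if m:
        return "modified_file", m.groupdict()
    return None


def triage(log_text):
    """Group findings by category and, per process, list the 64 KiB regions
    its unattributed hooks jump into (many hooks into one small region is the
    signature of a single injected hooking library)."""
    findings = defaultdict(list)
    regions = defaultdict(set)
    for raw in log_text.splitlines():
        result = classify(raw.strip())
        if result is None:
            continue
        category, details = result
        findings[category].append(details)
        if category == "unattributed_hook":
            regions[details["proc"]].add(details["target"][:4] + "0000")
    return dict(findings), {p: sorted(r) for p, r in regions.items()}


if __name__ == "__main__":
    found, regions = triage(SAMPLE_LOG)
    print({k: len(v) for k, v in found.items()}, regions)
```

Unattributed hooks are not proof of infection on their own, since security products also inject hooking libraries; they are the entries to compare against the installed software before drawing the conclusion the helper above draws.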


#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,243 posts
  • Gender:Female
  • Location:Romania
  • Local time:11:22 AM

Posted 25 May 2010 - 01:42 PM

Hello again,

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 1_hoss

1_hoss
  • Topic Starter

  • Members
  • 5 posts
  • Local time:04:22 AM

Posted 26 May 2010 - 01:53 PM

Sorry for the delay getting back to you. I think I will opt for wiping the hard drive.

QUESTIONS:

1. Is there any way to know how long ago the infection started? And was it related to the Fake-Alert pop-up I saw?

2. I've been using a USB disk to move the programs and logs back and forth from a safe computer to mine. I scanned the disk with Norton Security Suite before off-loading log files. Then did a complete scan of the PC with Norton last night, which came up all clear. Can I do more to verify that I haven't infected the safe computer?

3. Do you have any links to suggest or on-site help on reformatting/reinstalling on a Dell?

Thanks very much for your help.

Edited by 1_hoss, 26 May 2010 - 02:00 PM.


#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,243 posts
  • Gender:Female
  • Location:Romania
  • Local time:11:22 AM

Posted 26 May 2010 - 02:21 PM

Hello again, this is indeed the safest course of action. To answer your questions:

1. You have been infected for as long as you have experienced redirects (if any). It is also possible this rootkit protected the fake AV, however the fake AV popup is not directly related to the rootkit.

2. Not all malware spreads using USB devices. As far as I have been able to see this was not the case here.

3. I think this will help you.

regards, Elise




#7 1_hoss

1_hoss
  • Topic Starter

  • Members
  • 5 posts
  • Local time:04:22 AM

Posted 27 May 2010 - 11:21 AM

Ok, last thing, then you can close my thread. I've reformatted and reinstalled Windows. It was much less painful than I thought it would be.

Is there some last-step scan you typically run that can tell me I'm completely Spyware and Rootkit free just so that I have some closure on this?

Thanks again for your assistance.

Edited by 1_hoss, 27 May 2010 - 11:22 AM.


#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,243 posts
  • Gender:Female
  • Location:Romania
  • Local time:11:22 AM

Posted 27 May 2010 - 11:58 AM

Sorry, there is no tool that will give you complete assurance your computer is clean. However, a reformat should pretty much take care of any malware.

Please read this advice, in order to prevent reinfecting your PC:
  1. Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for the MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file.
  2. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  3. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out-of-date software on your machine.
  4. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.
Some more links you might find of interest:

regards, Elise




#9 1_hoss

1_hoss
  • Topic Starter

  • Members
  • 5 posts
  • Local time:04:22 AM

Posted 27 May 2010 - 07:29 PM

Thank you.

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,243 posts
  • Gender:Female
  • Location:Romania
  • Local time:11:22 AM

Posted 28 May 2010 - 04:04 AM

You are welcome.

I will now close this topic. If you need it reopened, please send me a PM.

regards, Elise






