
Bad Image .exe Error Popsup @ Startup =(


  • This topic is locked
27 replies to this topic

#1 jollyrancher

jollyrancher

  • Members
  • 25 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:03:14 AM

Posted 01 June 2010 - 09:27 AM

Every time during startup @ desktop the following messages pop up... Not sure if I picked up a nasty or if my comp has completely gone bananas.
OS Windows Vista Home Premium Service Pack 2, 62-bit.

The message reads as follows:

rtHDCpl.exe - Bad Image
monitor.exe-Bad Image
adobeARM.exe -Bad Image

C:\Windows\System32\oledlg.dll is either not designed to run on Windows or it contains an error.
Try installing the program again using the original installation media or contact your system administrator or software vendor for support.

Unfortunately I was unable to run GMER; I tried twice and my comp crashed both times. Problem Event: Blue Screen.

Thank you for your time and any help would be appreciated!

DDS LOG

DDS (Ver_10-03-17.01) - NTFSx86
Run by SweetChocolateGirl at 8:52:50.69 on Tue 06/01/2010
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_20
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1918.816 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\rundll32.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\schtasks.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Winamp\winampa.exe
C:\Windows\System32\LVComS.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Yahoo!\Search Protection\YspService.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Common Files\HP\Digital Imaging\Bin\hpqPhotoCrm.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\notepad.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\rundll32.exe
C:\Windows\system32\sdclt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Users\SweetChocolateGirl\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uStart Page = hxxp://www.att.net/
uDefault_Page_URL = hxxp://www.msn.com
uSearch Bar = hxxp://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60446
mStart Page = hxxp://www.yahoo.com/
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Yahooo Search Protection: {25bc7718-0bfa-40ea-b381-4b2d9732d686} - c:\program files\yahoo!\search protection\ysp.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - No File
TB: {3041D03E-FD4B-44E0-B742-2D9B88305F98} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\YspService.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1103470 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; MSN Optimized;US; MSN Optimized;US)" -"http://www.iwon.com/modules/launchGame/games/includes/blockDotGameIFrame.jhtml?categoryId=4&gameId=501&browser=IE"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe"
mRun: [<NO NAME>]
mRun: [PAC207_Monitor] c:\windows\pixart\pac207\Monitor.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [LVCOMS] c:\windows\system32\LVCOMS.EXE
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Nikon Transfer Monitor] c:\program files\common files\nikon\monitor\NkMonitor.exe
mRunOnce: [PCDrProfiler] c:\program files\pc-doctor 5 for windows\RunProfiler.exe -r
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\users\sweetc~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\paltalk.lnk - c:\program files\paltalk messenger\paltalk.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Send Image to Photo Library - file://c:\program files\mgi\mgi photosuite ii\temp\MGI00000.html
IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - c:\program files\paltalk messenger\Paltalk.exe
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\sweetchocolategirl\appdata\roaming\microsoft\windows\start menu\programs\imvu\Run IMVU.lnk
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - c:\program files\yahoo!\search protection\ysp.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: c:\windows\system32\wpclsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\sweetc~1\appdata\roaming\mozilla\firefox\profiles\0b62o0mi.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL -
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBook.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBookDB.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpNeoLogger.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSaturn.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSeymour.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartSelect.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSWPOperation.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPLogging.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTC.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTL.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXREStub.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\plugins\nphpclipbook.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\sweetchocolategirl\appdata\local\yahoo!\browserplus\2.7.1\plugins\npybrowserplus_2.7.1.dll
FF - plugin: c:\users\sweetchocolategirl\appdata\roaming\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\users\sweetchocolategirl\appdata\roaming\mozilla\firefox\profiles\0b62o0mi.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(yahoo.ytff.general.dontshowhpoffer, true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-4-30 11608]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-7-8 214664]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-6-23 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 66632]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-4-30 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-4-30 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-4-30 60936]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-8-30 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-8-30 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-8-30 144704]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-11-11 1153368]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-5-28 24652]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-8-30 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-8-30 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-8-30 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-8-30 40552]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 12872]
S2 gupdate1caa3c9aa23bf7d;Google Update Service (gupdate1caa3c9aa23bf7d);c:\program files\google\update\GoogleUpdate.exe [2010-2-2 133104]
S3 AVEO;AVEO USB2.0 PC Camera;c:\windows\system32\drivers\aveodcnt.sys [2010-2-25 171520]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-24 21504]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-8-30 34248]
S3 QCPro;Logitech QuickCam Pro USB(PID_D001);c:\windows\system32\drivers\p35u.sys [2002-12-10 116480]
S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\pcpitstop\pcpitstopscheduleservice.exe --> c:\program files\pcpitstop\PCPitstopScheduleService.exe [?]

=============== Created Last 30 ================

2010-06-01 13:46:14 0 ----a-w- c:\users\sweetchocolategirl\defogger_reenable
2010-05-31 17:58:19 0 d-----w- c:\program files\TweetDeck
2010-05-31 17:22:53 0 d-----w- c:\programdata\NOS
2010-05-31 16:18:34 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-31 16:04:24 65536 --sha-w- c:\users\sweetchocolategirl\ntuser.dat{1c50cc96-6cce-11df-82a7-001e90085e59}.TM.blf
2010-05-31 16:04:24 524288 --sha-w- c:\users\sweetchocolategirl\ntuser.dat{1c50cc96-6cce-11df-82a7-001e90085e59}.TMContainer00000000000000000002.regtrans-ms
2010-05-31 16:04:24 524288 --sha-w- c:\users\sweetchocolategirl\ntuser.dat{1c50cc96-6cce-11df-82a7-001e90085e59}.TMContainer00000000000000000001.regtrans-ms
2010-05-31 13:22:42 0 d-----w- c:\users\sweetc~1\appdata\roaming\McAfee
2010-05-27 13:13:02 0 d-----w- c:\program files\TweetDeck(21)
2010-05-12 11:07:45 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-10 13:28:49 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-10 01:49:27 0 d-----w- c:\programdata\Nikon
2010-05-10 01:49:27 0 d-----w- c:\program files\common files\Nikon
2010-05-10 01:49:18 0 d-----w- c:\program files\Nikon
2010-05-10 01:48:30 20 ---h--w- c:\programdata\PKP_DLdu.DAT
2010-05-10 01:48:30 0 d-----w- c:\programdata\Ultima_T15
2010-05-10 01:48:30 0 d-----w- c:\programdata\Sync Schema
2010-05-10 01:48:30 0 d-----w- c:\programdata\EnterNHelp

==================== Find3M ====================

2010-05-10 01:48:23 106496 ----a-w- c:\windows\system32\ATL71.DLL
2010-03-09 16:25:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 15:42:17 834048 ----a-w- c:\windows\system32\wininet.dll
2010-03-06 18:09:12 86016 ----a-w- c:\windows\inf\infpub.dat
2010-03-06 18:09:11 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-03-06 18:09:11 143360 ----a-w- c:\windows\inf\infstor.dat
2010-03-04 17:33:45 430080 ----a-w- c:\windows\system32\vbscript.dll
2009-11-17 14:41:54 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-06-24 13:34:43 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-04-23 06:24:41 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2008-03-02 22:05:14 22 --sha-w- c:\windows\sminst\HPCD.sys
2009-11-10 03:52:06 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009110920091110\index.dat
2009-04-22 01:01:17 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
2007-11-15 19:12:58 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 8:55:12.12 ===============


Edited by jollyrancher, 01 June 2010 - 09:29 AM.
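The "Bad Image" dialog above means the Windows loader refused to map C:\Windows\System32\oledlg.dll into RtHDVCpl.exe, Monitor.exe and AdobeARM.exe at startup, which is why the DDS report (and a GMER log) is requested before any cleanup advice. The following script is an added example, not part of this thread and not code from the DDS tool: it shows the first-pass triage a helper does by eye over the "Pseudo HJT Report" section, flagging security products reported as disabled or outdated, orphaned BHO/toolbar entries ("No File"), autostart entries with no path (resolved through the search path, as RtHDVCpl.exe is above), empty autostart entries, and autostarts launched from user-writable folders. The sample input is constructed: most lines are copied from the report above, and the "Updater" line is made up to exercise the path check.

```python
import re
from collections import Counter

# Constructed sample input: lines copied from the DDS report posted above plus one
# made-up entry ("Updater" running from a temp folder) to exercise the path check.
SAMPLE_DDS = r"""
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
============== Pseudo HJT Report ===============
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
TB: {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - No File
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [<NO NAME>]
mRun: [PAC207_Monitor] c:\windows\pixart\pac207\Monitor.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Updater] c:\users\sweetc~1\appdata\local\temp\updater.exe
================= FIREFOX ===================
"""

# Autostart lines as DDS prints them: uRun/mRun/uRunOnce/mRunOnce: [name] command
RUN_RE = re.compile(r'^[um]Run(?:Once)?: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
# Directories an unprivileged user (and therefore most malware) can write to
USER_WRITABLE = ('\\appdata\\', '\\temp\\', '\\programdata\\')


def first_token(cmd):
    """Return the executable part of an autostart command, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ''


def triage(text):
    """Return (category, line) findings for the suspicious patterns described above."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('='):
            continue
        # Security product status lines: anything disabled or out of date is worth a question
        if line.startswith(('AV:', 'SP:', 'FW:')):
            low = line.lower()
            if 'disabled' in low or '(outdated)' in low:
                findings.append(('protection-disabled', line))
            continue
        # BHO/toolbar registrations whose file no longer exists
        if line.endswith('- No File'):
            findings.append(('orphaned', line))
            continue
        m = RUN_RE.match(line)
        if not m:
            continue
        exe = first_token(m.group('cmd'))
        if not exe:
            findings.append(('empty-run', line))
        elif '\\' not in exe:
            # Bare file name: which binary actually runs depends on the search path
            findings.append(('no-path', line))
        elif any(seg in exe.lower() for seg in USER_WRITABLE):
            findings.append(('user-writable', line))
    return findings


def summarize(findings):
    """Count findings per category, e.g. {'orphaned': 2, ...}."""
    return dict(Counter(cat for cat, _ in findings))


if __name__ == '__main__':
    for cat, line in triage(SAMPLE_DDS):
        print(f'{cat:20} {line}')
    print(summarize(triage(SAMPLE_DDS)))
```

Run it on a saved DDS report by passing the file's contents to `triage()`; the categories are prompts for a human to look closer, not verdicts, since a bare `RtHDVCpl.exe` entry is normal on many HP machines and only the oledlg.dll rejection makes it interesting here.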


#2 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:04:14 AM

Posted 03 June 2010 - 10:50 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 jollyrancher

jollyrancher
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:03:14 AM

Posted 03 June 2010 - 12:50 PM

Hi, thank you for replying Shannon. As instructed I've included another fresh DDS log file and attached the GMER log.
As mentioned previously @ startup I would receive pop ups.

The message reads as follows:

rtHDCpl.exe - Bad Image
monitor.exe-Bad Image

C:\Windows\System32\oledlg.dll is either not designed to run on Windows or it contains an error.
Try installing the program again using the original installation media or contact your system administrator or software vendor for support.

I noticed I'm unable to use my HP print/scan/copy machine since the messages have been popping up.
Upon saving the GMER file my PC crashed and a blue screen appeared.

DDS LOG

DDS (Ver_10-03-17.01) - NTFSx86
Run by SweetChocolateGirl at 11:52:35.29 on Thu 06/03/2010
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_20
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1918.834 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\system32\schtasks.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Winamp\winampa.exe
C:\Windows\system32\jusched.exe
C:\Windows\System32\LVComS.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Yahoo!\Search Protection\YspService.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Common Files\HP\Digital Imaging\Bin\hpqPhotoCrm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Eusing Free Registry Cleaner\Regcleaner.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\sdclt.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\AIM\aim.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Users\SweetChocolateGirl\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uStart Page = hxxp://www.att.net/
uDefault_Page_URL = hxxp://www.msn.com
uSearch Bar = hxxp://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60446
mStart Page = hxxp://www.yahoo.com/
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Yahooo Search Protection: {25bc7718-0bfa-40ea-b381-4b2d9732d686} - c:\program files\yahoo!\search protection\ysp.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - No File
TB: {3041D03E-FD4B-44E0-B742-2D9B88305F98} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\YspService.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1103470 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; MSN Optimized;US; MSN Optimized;US)" -"http://www.iwon.com/modules/launchGame/games/includes/blockDotGameIFrame.jhtml?categoryId=4&gameId=501&browser=IE"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe"
mRun: [<NO NAME>]
mRun: [PAC207_Monitor] c:\windows\pixart\pac207\Monitor.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [LVCOMS] c:\windows\system32\LVCOMS.EXE
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Nikon Transfer Monitor] c:\program files\common files\nikon\monitor\NkMonitor.exe
mRunOnce: [PCDrProfiler] c:\program files\pc-doctor 5 for windows\RunProfiler.exe -r
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\users\sweetc~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\paltalk.lnk - c:\program files\paltalk messenger\paltalk.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Send Image to Photo Library - file://c:\program files\mgi\mgi photosuite ii\temp\MGI00000.html
IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - c:\program files\paltalk messenger\Paltalk.exe
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\sweetchocolategirl\appdata\roaming\microsoft\windows\start menu\programs\imvu\Run IMVU.lnk
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - c:\program files\yahoo!\search protection\ysp.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: c:\windows\system32\wpclsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\sweetc~1\appdata\roaming\mozilla\firefox\profiles\0b62o0mi.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL -
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBook.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBookDB.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpNeoLogger.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSaturn.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSeymour.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartSelect.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSWPOperation.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPLogging.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTC.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTL.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXREStub.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\plugins\nphpclipbook.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\sweetchocolategirl\appdata\local\yahoo!\browserplus\2.7.1\plugins\npybrowserplus_2.7.1.dll
FF - plugin: c:\users\sweetchocolategirl\appdata\roaming\move networks\plugins\npqmp071503000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(yahoo.ytff.general.dontshowhpoffer, true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-4-30 11608]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-7-8 214664]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-6-23 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 66632]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-4-30 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-4-30 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-4-30 60936]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-8-30 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-8-30 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-8-30 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-8-30 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-8-30 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-8-30 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-8-30 40552]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 12872]
S2 gupdate1caa3c9aa23bf7d;Google Update Service (gupdate1caa3c9aa23bf7d);c:\program files\google\update\GoogleUpdate.exe [2010-2-2 133104]
S3 AVEO;AVEO USB2.0 PC Camera;c:\windows\system32\drivers\aveodcnt.sys [2010-2-25 171520]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-24 21504]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-8-30 34248]
S3 QCPro;Logitech QuickCam Pro USB(PID_D001);c:\windows\system32\drivers\p35u.sys [2002-12-10 116480]
S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\pcpitstop\pcpitstopscheduleservice.exe --> c:\program files\pcpitstop\PCPitstopScheduleService.exe [?]

=============== Created Last 30 ================

2010-06-02 12:21:23 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-06-01 21:19:13 0 d-----w- c:\programdata\McAfee Security Scan
2010-06-01 21:19:10 0 d-----w- c:\program files\McAfee Security Scan
2010-06-01 14:14:59 225390000 ----a-w- c:\windows\MEMORY.DMP
2010-06-01 13:46:14 0 ----a-w- c:\users\sweetchocolategirl\defogger_reenable
2010-05-31 17:58:19 0 d-----w- c:\program files\TweetDeck
2010-05-31 16:18:34 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-31 16:04:24 65536 --sha-w- c:\users\sweetchocolategirl\ntuser.dat{1c50cc96-6cce-11df-82a7-001e90085e59}.TM.blf
2010-05-31 16:04:24 524288 --sha-w- c:\users\sweetchocolategirl\ntuser.dat{1c50cc96-6cce-11df-82a7-001e90085e59}.TMContainer00000000000000000002.regtrans-ms
2010-05-31 16:04:24 524288 --sha-w- c:\users\sweetchocolategirl\ntuser.dat{1c50cc96-6cce-11df-82a7-001e90085e59}.TMContainer00000000000000000001.regtrans-ms
2010-05-31 13:22:42 0 d-----w- c:\users\sweetc~1\appdata\roaming\McAfee
2010-05-27 13:13:02 0 d-----w- c:\program files\TweetDeck(21)
2010-05-12 11:07:45 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-10 13:28:49 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-10 01:49:27 0 d-----w- c:\programdata\Nikon
2010-05-10 01:49:27 0 d-----w- c:\program files\common files\Nikon
2010-05-10 01:49:18 0 d-----w- c:\program files\Nikon
2010-05-10 01:48:30 20 ---h--w- c:\programdata\PKP_DLdu.DAT
2010-05-10 01:48:30 0 d-----w- c:\programdata\Ultima_T15
2010-05-10 01:48:30 0 d-----w- c:\programdata\Sync Schema
2010-05-10 01:48:30 0 d-----w- c:\programdata\EnterNHelp

==================== Find3M ====================

2010-05-10 01:48:23 106496 ----a-w- c:\windows\system32\ATL71.DLL
2010-03-09 16:25:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 15:42:17 834048 ----a-w- c:\windows\system32\wininet.dll
2010-03-06 18:09:12 86016 ----a-w- c:\windows\inf\infpub.dat
2010-03-06 18:09:11 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-03-06 18:09:11 143360 ----a-w- c:\windows\inf\infstor.dat
2009-11-17 14:41:54 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-06-24 13:34:43 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-04-23 06:24:41 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2008-03-02 22:05:14 22 --sha-w- c:\windows\sminst\HPCD.sys
2009-11-10 03:52:06 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009110920091110\index.dat
2009-04-22 01:01:17 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
2007-11-15 19:12:58 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 11:55:11.57 ===============

Attached Files

  • Attached File  ark.txt   97.19KB   8 downloads

Edited by jollyrancher, 03 June 2010 - 12:54 PM.


#4 jollyrancher

  • Topic Starter

Posted 07 June 2010 - 12:30 PM

Still awaiting the next step. I know the helpers are all volunteers; I just wanted to post to let the helpers know I'm still here seeking help.

Thanks!

#5 m0le

  • Malware Response Team

Posted 07 June 2010 - 05:47 PM

Hi jollyrancher,

Sorry about the wait.

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Can you try running GMER with only the SECTIONS option checked?
m0le is a proud member of UNITE

#6 jollyrancher

  • Topic Starter

Posted 07 June 2010 - 06:17 PM

Thanks for your assistance, m0le.

GMER log posted below, run with only the SECTIONS option checked.
As soon as I saved the log to my desktop I got the BSOD.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-07 18:07:23
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\SWEETC~1\AppData\Local\Temp\axliquoc.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 8223C9D2 5 Bytes JMP 8CFD87CC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text ntkrnlpa.exe!KeSetEvent + 621 822BDD84 4 Bytes [20, C3, F5, 8C]
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8BE0C340, 0x3DA8C7, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[288] kernel32.dll!LoadLibraryW 76A79362 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[288] kernel32.dll!LoadLibraryA 76A794DC 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Windows\system32\services.exe[644] kernel32.dll!GetStartupInfoW 76A51929 5 Bytes JMP 00280F39
.text C:\Windows\system32\services.exe[644] kernel32.dll!GetStartupInfoA 76A519C9 5 Bytes JMP 0028007F
.text C:\Windows\system32\services.exe[644] kernel32.dll!CreateProcessW 76A51BF3 5 Bytes JMP 00280F03
.text C:\Windows\system32\services.exe[644] kernel32.dll!CreateProcessA 76A51C28 5 Bytes JMP 0028009A
.text C:\Windows\system32\services.exe[644] kernel32.dll!VirtualProtect 76A51DC3 5 Bytes JMP 00280F79
.text C:\Windows\system32\services.exe[644] kernel32.dll!CreateNamedPipeA 76A52EF5 5 Bytes JMP 00280FCA
.text C:\Windows\system32\services.exe[644] kernel32.dll!CreateNamedPipeW 76A55C0C 5 Bytes JMP 0028001B
.text C:\Windows\system32\services.exe[644] kernel32.dll!CreatePipe 76A78E6E 5 Bytes JMP 00280F54
.text C:\Windows\system32\services.exe[644] kernel32.dll!LoadLibraryExW 76A79109 5 Bytes JMP 00280047
.text C:\Windows\system32\services.exe[644] kernel32.dll!LoadLibraryW 76A79362 5 Bytes JMP 00280F94
.text C:\Windows\system32\services.exe[644] kernel32.dll!LoadLibraryExA 76A794B4 5 Bytes JMP 00280036
.text C:\Windows\system32\services.exe[644] kernel32.dll!LoadLibraryA 76A794DC 5 Bytes JMP 00280FAF
.text C:\Windows\system32\services.exe[644] kernel32.dll!VirtualProtectEx 76A7DBDA 5 Bytes JMP 0028006E
.text C:\Windows\system32\services.exe[644] kernel32.dll!GetProcAddress 76A9903B 5 Bytes JMP 002800AB
.text C:\Windows\system32\services.exe[644] kernel32.dll!CreateFileW 76A9AECB 5 Bytes JMP 00280FEF
.text C:\Windows\system32\services.exe[644] kernel32.dll!CreateFileA 76A9CE5F 5 Bytes JMP 0028000A
.text C:\Windows\system32\services.exe[644] kernel32.dll!WinExec 76AE5CF7 5 Bytes JMP 00280F1E
.text C:\Windows\system32\services.exe[644] ADVAPI32.dll!RegCreateKeyExA 778839AB 5 Bytes JMP 0030004A
.text C:\Windows\system32\services.exe[644] ADVAPI32.dll!RegCreateKeyA 77883BA9 5 Bytes JMP 00300FB9
.text C:\Windows\system32\services.exe[644] ADVAPI32.dll!RegOpenKeyA 778889C7 5 Bytes JMP 0030000A
.text C:\Windows\system32\services.exe[644] ADVAPI32.dll!RegCreateKeyW 7789391E 5 Bytes JMP 00300FA8
.text C:\Windows\system32\services.exe[644] ADVAPI32.dll!RegCreateKeyExW 778941F1 5 Bytes JMP 0030005B
.text C:\Windows\system32\services.exe[644] ADVAPI32.dll!RegOpenKeyExA 77897C42 5 Bytes JMP 00300FDE
.text C:\Windows\system32\services.exe[644] ADVAPI32.dll!RegOpenKeyW 7789E2B5 5 Bytes JMP 00300FEF
.text C:\Windows\system32\services.exe[644] ADVAPI32.dll!RegOpenKeyExW 778A7BA1 5 Bytes JMP 00300025
.text C:\Windows\system32\services.exe[644] msvcrt.dll!_wsystem 76C27F2F 5 Bytes JMP 0029007A
.text C:\Windows\system32\services.exe[644] msvcrt.dll!system 76C2804B 5 Bytes JMP 00290069
.text C:\Windows\system32\services.exe[644] msvcrt.dll!_creat 76C2BBE1 5 Bytes JMP 00290029
.text C:\Windows\system32\services.exe[644] msvcrt.dll!_open 76C2D106 5 Bytes JMP 0029000C
.text C:\Windows\system32\services.exe[644] msvcrt.dll!_wcreat 76C2D326 5 Bytes JMP 00290044
.text C:\Windows\system32\services.exe[644] msvcrt.dll!_wopen 76C2D501 5 Bytes JMP 00290FEF
.text C:\Windows\system32\services.exe[644] WS2_32.dll!socket 778336D1 5 Bytes JMP 002E0FEF
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!GetStartupInfoW 76A51929 5 Bytes JMP 00050098
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!GetStartupInfoA 76A519C9 5 Bytes JMP 00050F48
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!CreateProcessW 76A51BF3 5 Bytes JMP 000500BD
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!CreateProcessA 76A51C28 5 Bytes JMP 00050F26
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!VirtualProtect 76A51DC3 5 Bytes JMP 00050073
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!CreateNamedPipeA 76A52EF5 5 Bytes JMP 0005001B
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!CreateNamedPipeW 76A55C0C 5 Bytes JMP 00050FCA
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!CreatePipe 76A78E6E 5 Bytes JMP 00050F63
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!LoadLibraryExW 76A79109 5 Bytes JMP 00050062
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!LoadLibraryW 76A79362 5 Bytes JMP 00050047
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!LoadLibraryExA 76A794B4 5 Bytes JMP 00050FA5
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!LoadLibraryA 76A794DC 5 Bytes JMP 0005002C
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!VirtualProtectEx 76A7DBDA 5 Bytes JMP 00050F74
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!GetProcAddress 76A9903B 5 Bytes JMP 000500D8
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!CreateFileW 76A9AECB 5 Bytes JMP 0005000A
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!CreateFileA 76A9CE5F 5 Bytes JMP 00050FEF
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!WinExec 76AE5CF7 5 Bytes JMP 00050F37
.text C:\Windows\system32\lsass.exe[656] ADVAPI32.dll!RegCreateKeyExA 778839AB 5 Bytes JMP 0082005B
.text C:\Windows\system32\lsass.exe[656] ADVAPI32.dll!RegCreateKeyA 77883BA9 5 Bytes JMP 00820FC3
.text C:\Windows\system32\lsass.exe[656] ADVAPI32.dll!RegOpenKeyA 778889C7 5 Bytes JMP 00820FE5
.text C:\Windows\system32\lsass.exe[656] ADVAPI32.dll!RegCreateKeyW 7789391E 5 Bytes JMP 0082004A
.text C:\Windows\system32\lsass.exe[656] ADVAPI32.dll!RegCreateKeyExW 778941F1 5 Bytes JMP 00820F9E
.text C:\Windows\system32\lsass.exe[656] ADVAPI32.dll!RegOpenKeyExA 77897C42 5 Bytes JMP 00820014
.text C:\Windows\system32\lsass.exe[656] ADVAPI32.dll!RegOpenKeyW 7789E2B5 5 Bytes JMP 00820FD4
.text C:\Windows\system32\lsass.exe[656] ADVAPI32.dll!RegOpenKeyExW 778A7BA1 5 Bytes JMP 00820025
.text C:\Windows\system32\lsass.exe[656] msvcrt.dll!_wsystem 76C27F2F 5 Bytes JMP 00060042
.text C:\Windows\system32\lsass.exe[656] msvcrt.dll!system 76C2804B 5 Bytes JMP 00060027
.text C:\Windows\system32\lsass.exe[656] msvcrt.dll!_creat 76C2BBE1 5 Bytes JMP 00060FD2
.text C:\Windows\system32\lsass.exe[656] msvcrt.dll!_open 76C2D106 5 Bytes JMP 00060FEF
.text C:\Windows\system32\lsass.exe[656] msvcrt.dll!_wcreat 76C2D326 5 Bytes JMP 00060FC1
.text C:\Windows\system32\lsass.exe[656] msvcrt.dll!_wopen 76C2D501 5 Bytes JMP 0006000C
.text C:\Windows\system32\lsass.exe[656] WS2_32.dll!socket 778336D1 5 Bytes JMP 00070000
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!GetStartupInfoW 76A51929 5 Bytes JMP 00250F6F
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!GetStartupInfoA 76A519C9 5 Bytes JMP 002500B5
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!CreateProcessW 76A51BF3 5 Bytes JMP 002500D0
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!CreateProcessA 76A51C28 5 Bytes JMP 00250F39
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!VirtualProtect 76A51DC3 5 Bytes JMP 00250093
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!CreateNamedPipeA 76A52EF5 5 Bytes JMP 0025001B
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!CreateNamedPipeW 76A55C0C 5 Bytes JMP 00250036
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!CreatePipe 76A78E6E 5 Bytes JMP 00250F94
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!LoadLibraryExW 76A79109 5 Bytes JMP 00250FB9
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!LoadLibraryW 76A79362 5 Bytes JMP 00250FCA
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!LoadLibraryExA 76A794B4 5 Bytes JMP 0025006C
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!LoadLibraryA 76A794DC 5 Bytes JMP 0025005B
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!VirtualProtectEx 76A7DBDA 5 Bytes JMP 002500A4
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!GetProcAddress 76A9903B 5 Bytes JMP 002500E1
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!CreateFileW 76A9AECB 5 Bytes JMP 00250FE5
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!CreateFileA 76A9CE5F 5 Bytes JMP 00250000
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!WinExec 76AE5CF7 5 Bytes JMP 00250F5E
.text C:\Windows\system32\svchost.exe[856] msvcrt.dll!_wsystem 76C27F2F 5 Bytes JMP 00260F81
.text C:\Windows\system32\svchost.exe[856] msvcrt.dll!system 76C2804B 5 Bytes JMP 00260F9C
.text C:\Windows\system32\svchost.exe[856] msvcrt.dll!_creat 76C2BBE1 5 Bytes JMP 00260FC1
.text C:\Windows\system32\svchost.exe[856] msvcrt.dll!_open 76C2D106 5 Bytes JMP 00260FEF
.text C:\Windows\system32\svchost.exe[856] msvcrt.dll!_wcreat 76C2D326 5 Bytes JMP 00260016
.text C:\Windows\system32\svchost.exe[856] msvcrt.dll!_wopen 76C2D501 5 Bytes JMP 00260FDE
.text C:\Windows\system32\svchost.exe[856] ADVAPI32.dll!RegCreateKeyExA 778839AB 5 Bytes JMP 00280FC3
.text C:\Windows\system32\svchost.exe[856] ADVAPI32.dll!RegCreateKeyA 77883BA9 5 Bytes JMP 00280065
.text C:\Windows\system32\svchost.exe[856] ADVAPI32.dll!RegOpenKeyA 778889C7 5 Bytes JMP 00280000
.text C:\Windows\system32\svchost.exe[856] ADVAPI32.dll!RegCreateKeyW 7789391E 5 Bytes JMP 00280FDE
.text C:\Windows\system32\svchost.exe[856] ADVAPI32.dll!RegCreateKeyExW 778941F1 5 Bytes JMP 00280FB2
.text C:\Windows\system32\svchost.exe[856] ADVAPI32.dll!RegOpenKeyExA 77897C42 5 Bytes JMP 00280036
.text C:\Windows\system32\svchost.exe[856] ADVAPI32.dll!RegOpenKeyW 7789E2B5 5 Bytes JMP 0028001B
.text C:\Windows\system32\svchost.exe[856] ADVAPI32.dll!RegOpenKeyExW 778A7BA1 5 Bytes JMP 00280FEF
.text C:\Windows\system32\svchost.exe[856] WS2_32.dll!socket 778336D1 5 Bytes JMP 0027000A
.text C:\Windows\system32\svchost.exe[948] kernel32.dll!GetStartupInfoW 76A51929 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[948] kernel32.dll!GetStartupInfoW 76A51929 5 Bytes JMP 002F0F2D
.text C:\Windows\system32\svchost.exe[948] kernel32.dll!GetStartupInfoA 76A519C9 5 Bytes JMP 002F007D
.text C:\Windows\system32\svchost.exe[948] kernel32.dll!CreateProcessW 76A51BF3 5 Bytes JMP 002F0F01
.text C:\Windows\system32\svchost.exe[948] kernel32.dll!CreateProcessA 76A51C28 5 Bytes JMP 002F0F12
.text C:\Windows\system32\svchost.exe[948] kernel32.dll!VirtualProtect 76A51DC3 5 Bytes JMP 002F0F5C
.text C:\Windows\system32\svchost.exe[948] kernel32.dll!CreateNamedPipeA 76A52EF5 5 Bytes JMP 002F0FC3
.text C:\Windows\system32\svchost.exe[948] kernel32.dll!CreateNamedPipeW 76A55C0C 5 Bytes JMP 002F0FB2
.text C:\Windows\system32\svchost.exe[948] kernel32.dll!CreatePipe 76A78E6E 5 Bytes JMP 002F006C
.text C:\Windows\system32\svchost.exe[948] kernel32.dll!LoadLibraryExW 76A79109 5 Bytes JMP 002F0040
.text C:\Windows\system32\svchost.exe[948] kernel32.dll!LoadLibraryW 76A79362 5 Bytes JMP 002F0F97
.text C:\Windows\system32\svchost.exe[948] kernel32.dll!LoadLibraryExA 76A794B4 5 Bytes JMP 002F002F
.text C:\Windows\system32\svchost.exe[948] kernel32.dll!LoadLibraryA 76A794DC 5 Bytes JMP 002F0014
.text C:\Windows\system32\svchost.exe[948] kernel32.dll!VirtualProtectEx 76A7DBDA 5 Bytes JMP 002F0051
.text C:\Windows\system32\svchost.exe[948] kernel32.dll!GetProcAddress 76A9903B 5 Bytes JMP 002F0EF0
.text C:\Windows\system32\svchost.exe[948] kernel32.dll!CreateFileW 76A9AECB 5 Bytes JMP 002F0FD4
.text C:\Windows\system32\svchost.exe[948] kernel32.dll!CreateFileA 76A9CE5F 5 Bytes JMP 002F0FE5
.text C:\Windows\system32\svchost.exe[948] kernel32.dll!WinExec 76AE5CF7 5 Bytes JMP 002F008E
.text C:\Windows\system32\svchost.exe[948] msvcrt.dll!_wsystem 76C27F2F 5 Bytes JMP 00350FAB
.text C:\Windows\system32\svchost.exe[948] msvcrt.dll!system 76C2804B 5 Bytes JMP 00350FBC
.text C:\Windows\system32\svchost.exe[948] msvcrt.dll!_creat 76C2BBE1 5 Bytes JMP 00350011
.text C:\Windows\system32\svchost.exe[948] msvcrt.dll!_open 76C2D106 5 Bytes JMP 00350000
.text C:\Windows\system32\svchost.exe[948] msvcrt.dll!_wcreat 76C2D326 5 Bytes JMP 00350022
.text C:\Windows\system32\svchost.exe[948] msvcrt.dll!_wopen 76C2D501 5 Bytes JMP 00350FE3
.text C:\Windows\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyExA 778839AB 5 Bytes JMP 00910062
.text C:\Windows\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyA 77883BA9 5 Bytes JMP 00910FCA
.text C:\Windows\system32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyA 778889C7 5 Bytes JMP 00910FE5
.text C:\Windows\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyW 7789391E 5 Bytes JMP 00910051
.text C:\Windows\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyExW 778941F1 5 Bytes JMP 00910FAF
.text C:\Windows\system32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyExA 77897C42 5 Bytes JMP 0091001B
.text C:\Windows\system32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyW 7789E2B5 5 Bytes JMP 00910000
.text C:\Windows\system32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyExW 778A7BA1 5 Bytes JMP 00910036
.text C:\Windows\system32\svchost.exe[948] WS2_32.dll!socket 778336D1 5 Bytes JMP 00900FE5
.text C:\Windows\System32\svchost.exe[988] kernel32.dll!GetStartupInfoW 76A51929 5 Bytes JMP 01120F52
.text C:\Windows\System32\svchost.exe[988] kernel32.dll!GetStartupInfoA 76A519C9 5 Bytes JMP 011200A2
.text C:\Windows\System32\svchost.exe[988] kernel32.dll!CreateProcessW 76A51BF3 5 Bytes JMP 01120F37
.text C:\Windows\System32\svchost.exe[988] kernel32.dll!CreateProcessA 76A51C28 5 Bytes JMP 011200CE
.text C:\Windows\System32\svchost.exe[988] kernel32.dll!VirtualProtect 76A51DC3 5 Bytes JMP 0112006C
.text C:\Windows\System32\svchost.exe[988] kernel32.dll!CreateNamedPipeA 76A52EF5 5 Bytes JMP 0112002C
.text C:\Windows\System32\svchost.exe[988] kernel32.dll!CreateNamedPipeW 76A55C0C 5 Bytes JMP 01120FDB
.text C:\Windows\System32\svchost.exe[988] kernel32.dll!CreatePipe 76A78E6E 5 Bytes JMP 01120087
.text C:\Windows\System32\svchost.exe[988] kernel32.dll!LoadLibraryExW 76A79109 5 Bytes JMP 01120051
.text C:\Windows\System32\svchost.exe[988] kernel32.dll!LoadLibraryW 76A79362 5 Bytes JMP 01120FAF
.text C:\Windows\System32\svchost.exe[988] kernel32.dll!LoadLibraryExA 76A794B4 5 Bytes JMP 01120F94
.text C:\Windows\System32\svchost.exe[988] kernel32.dll!LoadLibraryA 76A794DC 5 Bytes JMP 01120FC0
.text C:\Windows\System32\svchost.exe[988] kernel32.dll!VirtualProtectEx 76A7DBDA 5 Bytes JMP 01120F6D
.text C:\Windows\System32\svchost.exe[988] kernel32.dll!GetProcAddress 76A9903B 5 Bytes JMP 011200F3
.text C:\Windows\System32\svchost.exe[988] kernel32.dll!CreateFileW 76A9AECB 5 Bytes JMP 0112001B
.text C:\Windows\System32\svchost.exe[988] kernel32.dll!CreateFileA 76A9CE5F 5 Bytes JMP 01120000
.text C:\Windows\System32\svchost.exe[988] kernel32.dll!WinExec 76AE5CF7 5 Bytes JMP 011200BD
.text C:\Windows\System32\svchost.exe[988] msvcrt.dll!_wsystem 76C27F2F 5 Bytes JMP 01130FAD
.text C:\Windows\System32\svchost.exe[988] msvcrt.dll!system 76C2804B 5 Bytes JMP 01130038
.text C:\Windows\System32\svchost.exe[988] msvcrt.dll!_creat 76C2BBE1 5 Bytes JMP 01130FD2
.text C:\Windows\System32\svchost.exe[988] msvcrt.dll!_open 76C2D106 5 Bytes JMP 01130000
.text C:\Windows\System32\svchost.exe[988] msvcrt.dll!_wcreat 76C2D326 5 Bytes JMP 01130027
.text C:\Windows\System32\svchost.exe[988] msvcrt.dll!_wopen 76C2D501 5 Bytes JMP 01130FE3
.text C:\Windows\System32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyExA 778839AB 5 Bytes JMP 02600F86
.text C:\Windows\System32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyA 77883BA9 5 Bytes JMP 02600FBC
.text C:\Windows\System32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyA 778889C7 5 Bytes JMP 02600FEF
.text C:\Windows\System32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyW 7789391E 5 Bytes JMP 02600F97
.text C:\Windows\System32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyExW 778941F1 5 Bytes JMP 0260004D
.text C:\Windows\System32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyExA 77897C42 5 Bytes JMP 02600FDE
.text C:\Windows\System32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyW 7789E2B5 5 Bytes JMP 02600014
.text C:\Windows\System32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyExW 778A7BA1 5 Bytes JMP 02600FCD
.text C:\Windows\System32\svchost.exe[988] WS2_32.dll!socket 778336D1 5 Bytes JMP 025F0000
.text C:\Windows\System32\svchost.exe[988] wininet.dll!InternetOpenA 7732D47D 5 Bytes JMP 025E0000
.text C:\Windows\System32\svchost.exe[988] wininet.dll!InternetOpenW 7732D7DA 5 Bytes JMP 025E001B
.text C:\Windows\System32\svchost.exe[988] wininet.dll!InternetOpenUrlA 7732FE4B 5 Bytes JMP 025E0FE5
.text C:\Windows\System32\svchost.exe[988] wininet.dll!InternetOpenUrlW 77379139 5 Bytes JMP 025E0FD4
.text C:\Windows\System32\svchost.exe[1060] kernel32.dll!GetStartupInfoW 76A51929 5 Bytes JMP 00920080
.text C:\Windows\System32\svchost.exe[1060] kernel32.dll!GetStartupInfoA 76A519C9 5 Bytes JMP 00920F3A
.text C:\Windows\System32\svchost.exe[1060] kernel32.dll!CreateProcessW 76A51BF3 5 Bytes JMP 00920F18
.text C:\Windows\System32\svchost.exe[1060] kernel32.dll!CreateProcessA 76A51C28 5 Bytes JMP 00920F29
.text C:\Windows\System32\svchost.exe[1060] kernel32.dll!VirtualProtect 76A51DC3 5 Bytes JMP 0092005B
.text C:\Windows\System32\svchost.exe[1060] kernel32.dll!CreateNamedPipeA 76A52EF5 5 Bytes JMP 00920FC3
.text C:\Windows\System32\svchost.exe[1060] kernel32.dll!CreateNamedPipeW 76A55C0C 5 Bytes JMP 00920014
.text C:\Windows\System32\svchost.exe[1060] kernel32.dll!CreatePipe 76A78E6E 5 Bytes JMP 00920F55
.text C:\Windows\System32\svchost.exe[1060] kernel32.dll!LoadLibraryExW 76A79109 5 Bytes JMP 00920F77
.text C:\Windows\System32\svchost.exe[1060] kernel32.dll!LoadLibraryW 76A79362 5 Bytes JMP 00920036
.text C:\Windows\System32\svchost.exe[1060] kernel32.dll!LoadLibraryExA 76A794B4 5 Bytes JMP 00920F94
.text C:\Windows\System32\svchost.exe[1060] kernel32.dll!LoadLibraryA 76A794DC 5 Bytes JMP 00920025
.text C:\Windows\System32\svchost.exe[1060] kernel32.dll!VirtualProtectEx 76A7DBDA 5 Bytes JMP 00920F66
.text C:\Windows\System32\svchost.exe[1060] kernel32.dll!GetProcAddress 76A9903B 5 Bytes JMP 00920EF3
.text C:\Windows\System32\svchost.exe[1060] kernel32.dll!CreateFileW 76A9AECB 5 Bytes JMP 00920FDE
.text C:\Windows\System32\svchost.exe[1060] kernel32.dll!CreateFileA 76A9CE5F 5 Bytes JMP 00920FEF
.text C:\Windows\System32\svchost.exe[1060] kernel32.dll!WinExec 76AE5CF7 5 Bytes JMP 0092009B
.text C:\Windows\System32\svchost.exe[1060] msvcrt.dll!_wsystem 76C27F2F 5 Bytes JMP 00AB0031
.text C:\Windows\System32\svchost.exe[1060] msvcrt.dll!system 76C2804B 5 Bytes JMP 00AB0020
.text C:\Windows\System32\svchost.exe[1060] msvcrt.dll!_creat 76C2BBE1 5 Bytes JMP 00AB0FB7
.text C:\Windows\System32\svchost.exe[1060] msvcrt.dll!_open 76C2D106 5 Bytes JMP 00AB0FEF
.text C:\Windows\System32\svchost.exe[1060] msvcrt.dll!_wcreat 76C2D326 5 Bytes JMP 00AB0FA6
.text C:\Windows\System32\svchost.exe[1060] msvcrt.dll!_wopen 76C2D501 5 Bytes JMP 00AB0FD2
.text C:\Windows\System32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyExA 778839AB 5 Bytes JMP 00F20F79
.text C:\Windows\System32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyA 77883BA9 5 Bytes JMP 00F20F94
.text C:\Windows\System32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyA 778889C7 5 Bytes JMP 00F20FEF
.text C:\Windows\System32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyW 7789391E 5 Bytes JMP 00F2001B
.text C:\Windows\System32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyExW 778941F1 5 Bytes JMP 00F20036
.text C:\Windows\System32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyExA 77897C42 5 Bytes JMP 00F20FC3
.text C:\Windows\System32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyW 7789E2B5 5 Bytes JMP 00F20FD4
.text C:\Windows\System32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyExW 778A7BA1 5 Bytes JMP 00F2000A
.text C:\Windows\System32\svchost.exe[1060] WS2_32.dll!socket 778336D1 5 Bytes JMP 00ED0000
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!GetStartupInfoW 76A51929 5 Bytes JMP 001A0080
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!GetStartupInfoA 76A519C9 5 Bytes JMP 001A0F30
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateProcessW 76A51BF3 5 Bytes JMP 001A0F15
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateProcessA 76A51C28 5 Bytes JMP 001A00AC
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!VirtualProtect 76A51DC3 5 Bytes JMP 001A005B
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateNamedPipeA 76A52EF5 5 Bytes JMP 001A0FDE
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateNamedPipeW 76A55C0C 5 Bytes JMP 001A0FB9
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreatePipe 76A78E6E 5 Bytes JMP 001A0F55
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!LoadLibraryExW 76A79109 5 Bytes JMP 001A004A
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!LoadLibraryW 76A79362 5 Bytes JMP 001A0F97
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!LoadLibraryExA 76A794B4 5 Bytes JMP 001A0039
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!LoadLibraryA 76A794DC 5 Bytes JMP 001A0FA8
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!VirtualProtectEx 76A7DBDA 5 Bytes JMP 001A0F66
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!GetProcAddress 76A9903B 5 Bytes JMP 001A00C7
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateFileW 76A9AECB 5 Bytes JMP 001A0FEF
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateFileA 76A9CE5F 5 Bytes JMP 001A000A
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!WinExec 76AE5CF7 5 Bytes JMP 001A009B
.text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_wsystem 76C27F2F 5 Bytes JMP 00330FB9
.text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!system 76C2804B 5 Bytes JMP 0033004E
.text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_creat 76C2BBE1 5 Bytes JMP 00330022
.text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_open 76C2D106 5 Bytes JMP 00330000
.text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_wcreat 76C2D326 5 Bytes JMP 0033003D
.text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_wopen 76C2D501 5 Bytes JMP 00330011
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyExA 778839AB 5 Bytes JMP 00350054
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyA 77883BA9 5 Bytes JMP 00350FB9
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyA 778889C7 5 Bytes JMP 00350000
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyW 7789391E 5 Bytes JMP 00350FA8
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyExW 778941F1 5 Bytes JMP 00350065
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyExA 77897C42 5 Bytes JMP 0035002F
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyW 7789E2B5 5 Bytes JMP 00350FEF
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyExW 778A7BA1 5 Bytes JMP 00350FDE
.text C:\Windows\System32\svchost.exe[1128] WS2_32.dll!socket 778336D1 5 Bytes JMP 00340FE5
.text C:\Windows\system32\svchost.exe[1164] kernel32.dll!GetStartupInfoW 76A51929 5 Bytes JMP 010D008D
.text C:\Windows\system32\svchost.exe[1164] kernel32.dll!GetStartupInfoA 76A519C9 5 Bytes JMP 010D0F47
.text C:\Windows\system32\svchost.exe[1164] kernel32.dll!CreateProcessW 76A51BF3 5 Bytes JMP 010D00C3
.text C:\Windows\system32\svchost.exe[1164] kernel32.dll!CreateProcessA 76A51C28 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[1164] kernel32.dll!CreateProcessA 76A51C28 5 Bytes JMP 010D0F2C
.text C:\Windows\system32\svchost.exe[1164] kernel32.dll!VirtualProtect 76A51DC3 5 Bytes JMP 010D0054
.text C:\Windows\system32\svchost.exe[1164] kernel32.dll!CreateNamedPipeA 76A52EF5 5 Bytes JMP 010D0FDE
.text C:\Windows\system32\svchost.exe[1164] kernel32.dll!CreateNamedPipeW 76A55C0C 5 Bytes JMP 010D0FB9
.text C:\Windows\system32\svchost.exe[1164] kernel32.dll!CreatePipe 76A78E6E 5 Bytes JMP 010D0F58
.text C:\Windows\system32\svchost.exe[1164] kernel32.dll!LoadLibraryExW 76A79109 5 Bytes JMP 010D0F86
.text C:\Windows\system32\svchost.exe[1164] kernel32.dll!LoadLibraryW 76A79362 5 Bytes JMP 010D0F97
.text C:\Windows\system32\svchost.exe[1164] kernel32.dll!LoadLibraryExA 76A794B4 5 Bytes JMP 010D0043
.text C:\Windows\system32\svchost.exe[1164] kernel32.dll!LoadLibraryA 76A794DC 5 Bytes JMP 010D0FA8
.text C:\Windows\system32\svchost.exe[1164] kernel32.dll!VirtualProtectEx 76A7DBDA 5 Bytes JMP 010D0F69
.text C:\Windows\system32\svchost.exe[1164] kernel32.dll!GetProcAddress 76A9903B 5 Bytes JMP 010D0F07
.text C:\Windows\system32\svchost.exe[1164] kernel32.dll!CreateFileW 76A9AECB 5 Bytes JMP 010D0FEF
.text C:\Windows\system32\svchost.exe[1164] kernel32.dll!CreateFileA 76A9CE5F 5 Bytes JMP 010D0000
.text C:\Windows\system32\svchost.exe[1164] kernel32.dll!WinExec 76AE5CF7 5 Bytes JMP 010D00A8
.text C:\Windows\system32\svchost.exe[1164] msvcrt.dll!_wsystem 76C27F2F 5 Bytes JMP 010E0F7F
.text C:\Windows\system32\svchost.exe[1164] msvcrt.dll!system 76C2804B 5 Bytes JMP 010E0F9A
.text C:\Windows\system32\svchost.exe[1164] msvcrt.dll!_creat 76C2BBE1 5 Bytes JMP 010E0FB5
.text C:\Windows\system32\svchost.exe[1164] msvcrt.dll!_open 76C2D106 5 Bytes JMP 010E0FEF
.text C:\Windows\system32\svchost.exe[1164] msvcrt.dll!_wcreat 76C2D326 5 Bytes JMP 010E000A
.text C:\Windows\system32\svchost.exe[1164] msvcrt.dll!_wopen 76C2D501 5 Bytes JMP 010E0FD2
.text C:\Windows\system32\svchost.exe[1164] ADVAPI32.dll!RegCreateKeyExA 778839AB 3 Bytes JMP 01140FB9
.text C:\Windows\system32\svchost.exe[1164] ADVAPI32.dll!RegCreateKeyExA + 4 778839AF 1 Byte [89]
.text C:\Windows\system32\svchost.exe[1164] ADVAPI32.dll!RegCreateKeyA 77883BA9 3 Bytes JMP 01140040
.text C:\Windows\system32\svchost.exe[1164] ADVAPI32.dll!RegCreateKeyA + 4 77883BAD 1 Byte [89]
.text C:\Windows\system32\svchost.exe[1164] ADVAPI32.dll!RegOpenKeyA 778889C7 3 Bytes JMP 01140000
.text C:\Windows\system32\svchost.exe[1164] ADVAPI32.dll!RegOpenKeyA + 4 778889CB 1 Byte [89]
.text C:\Windows\system32\svchost.exe[1164] ADVAPI32.dll!RegCreateKeyW 7789391E 5 Bytes JMP 0114005B
.text C:\Windows\system32\svchost.exe[1164] ADVAPI32.dll!RegCreateKeyExW 778941F1 5 Bytes JMP 01140076
.text C:\Windows\system32\svchost.exe[1164] ADVAPI32.dll!RegOpenKeyExA 77897C42 5 Bytes JMP 01140FE5
.text C:\Windows\system32\svchost.exe[1164] ADVAPI32.dll!RegOpenKeyW 7789E2B5 5 Bytes JMP 0114001B
.text C:\Windows\system32\svchost.exe[1164] ADVAPI32.dll!RegOpenKeyExW 778A7BA1 5 Bytes JMP 01140FD4
.text C:\Windows\system32\svchost.exe[1164] WS2_32.dll!socket 778336D1 3 Bytes JMP 010F0000
.text C:\Windows\system32\svchost.exe[1164] WS2_32.dll!socket + 4 778336D5 1 Byte [89]
.text C:\Windows\system32\svchost.exe[1164] WININET.dll!InternetOpenA 7732D47D 5 Bytes JMP 012A0FEF
.text C:\Windows\system32\svchost.exe[1164] WININET.dll!InternetOpenW 7732D7DA 5 Bytes JMP 012A000A
.text C:\Windows\system32\svchost.exe[1164] WININET.dll!InternetOpenUrlA 7732FE4B 5 Bytes JMP 012A0FDE
.text C:\Windows\system32\svchost.exe[1164] WININET.dll!InternetOpenUrlW 77379139 5 Bytes JMP 012A002F
.text C:\Windows\system32\svchost.exe[1272] kernel32.dll!GetStartupInfoW 76A51929 5 Bytes JMP 00190F70
.text C:\Windows\system32\svchost.exe[1272] kernel32.dll!GetStartupInfoA 76A519C9 5 Bytes JMP 00190F81
.text C:\Windows\system32\svchost.exe[1272] kernel32.dll!CreateProcessW 76A51BF3 5 Bytes JMP 001900DB
.text C:\Windows\system32\svchost.exe[1272] kernel32.dll!CreateProcessA 76A51C28 5 Bytes JMP 00190F44
.text C:\Windows\system32\svchost.exe[1272] kernel32.dll!VirtualProtect 76A51DC3 5 Bytes JMP 00190F9C
.text C:\Windows\system32\svchost.exe[1272] kernel32.dll!CreateNamedPipeA 76A52EF5 5 Bytes JMP 00190FD4
.text C:\Windows\system32\svchost.exe[1272] kernel32.dll!CreateNamedPipeW 76A55C0C 5 Bytes JMP 00190025
.text C:\Windows\system32\svchost.exe[1272] kernel32.dll!CreatePipe 76A78E6E 5 Bytes JMP 001900A2
.text C:\Windows\system32\svchost.exe[1272] kernel32.dll!LoadLibraryExW 76A79109 5 Bytes JMP 00190076
.text C:\Windows\system32\svchost.exe[1272] kernel32.dll!LoadLibraryW 76A79362 5 Bytes JMP 0019004A
.text C:\Windows\system32\svchost.exe[1272] kernel32.dll!LoadLibraryExA 76A794B4 5 Bytes JMP 00190065
.text C:\Windows\system32\svchost.exe[1272] kernel32.dll!LoadLibraryA 76A794DC 5 Bytes JMP 00190FB9
.text C:\Windows\system32\svchost.exe[1272] kernel32.dll!VirtualProtectEx 76A7DBDA 5 Bytes JMP 00190087
.text C:\Windows\system32\svchost.exe[1272] kernel32.dll!GetProcAddress 76A9903B 5 Bytes JMP 00190F29
.text C:\Windows\system32\svchost.exe[1272] kernel32.dll!CreateFileW 76A9AECB 5 Bytes JMP 00190FE5
.text C:\Windows\system32\svchost.exe[1272] kernel32.dll!CreateFileA 76A9CE5F 5 Bytes JMP 00190000
.text C:\Windows\system32\svchost.exe[1272] kernel32.dll!WinExec 76AE5CF7 5 Bytes JMP 00190F55
.text C:\Windows\system32\svchost.exe[1272] msvcrt.dll!_wsystem 76C27F2F 5 Bytes JMP 001A006B
.text C:\Windows\system32\svchost.exe[1272] msvcrt.dll!system 76C2804B 5 Bytes JMP 001A005A
.text C:\Windows\system32\svchost.exe[1272] msvcrt.dll!_creat 76C2BBE1 5 Bytes JMP 001A002E
.text C:\Windows\system32\svchost.exe[1272] msvcrt.dll!_open 76C2D106 5 Bytes JMP 001A0000
.text C:\Windows\system32\svchost.exe[1272] msvcrt.dll!_wcreat 76C2D326 5 Bytes JMP 001A0049
.text C:\Windows\system32\svchost.exe[1272] msvcrt.dll!_wopen 76C2D501 5 Bytes JMP 001A001D
.text C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyExA 778839AB 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyExA 778839AB 5 Bytes JMP 00340FAF
.text C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyA 77883BA9 5 Bytes JMP 00340040
.text C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyA 778889C7 5 Bytes JMP 00340FEF
.text C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyW 7789391E 5 Bytes JMP 00340051
.text C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyExW 778941F1 5 Bytes JMP 0034006C
.text C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyExA 77897C42 5 Bytes JMP 00340FD4
.text C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyW 7789E2B5 5 Bytes JMP 0034000A
.text C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyExW 778A7BA1 5 Bytes JMP 00340025
.text C:\Windows\system32\svchost.exe[1272] WS2_32.dll!socket 778336D1 5 Bytes JMP 001F0FEF
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!GetStartupInfoW 76A51929 5 Bytes JMP 001500B5
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!GetStartupInfoA 76A519C9 5 Bytes JMP 00150F65
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!CreateProcessW 76A51BF3 5 Bytes JMP 00150F2F
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!CreateProcessA 76A51C28 5 Bytes JMP 00150F40
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!VirtualProtect 76A51DC3 5 Bytes JMP 00150FA5
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!CreateNamedPipeA 76A52EF5 5 Bytes JMP 00150FE5
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!CreateNamedPipeW 76A55C0C 5 Bytes JMP 00150040
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!CreatePipe 76A78E6E 5 Bytes JMP 00150090
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!LoadLibraryExW 76A79109 5 Bytes JMP 00150073
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!LoadLibraryW 76A79362 5 Bytes JMP 00150062
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!LoadLibraryExA 76A794B4 5 Bytes JMP 00150FB6
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!LoadLibraryA 76A794DC 5 Bytes JMP 00150051
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!VirtualProtectEx 76A7DBDA 5 Bytes JMP 00150F80
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!GetProcAddress 76A9903B 5 Bytes JMP 00150F1E
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!CreateFileW 76A9AECB 5 Bytes JMP 0015001B
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!CreateFileA 76A9CE5F 5 Bytes JMP 00150000
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!WinExec 76AE5CF7 5 Bytes JMP 001500C6
.text C:\Windows\system32\svchost.exe[1328] msvcrt.dll!_wsystem 76C27F2F 5 Bytes JMP 00D40FAD
.text C:\Windows\system32\svchost.exe[1328] msvcrt.dll!system 76C2804B 5 Bytes JMP 00D40038
.text C:\Windows\system32\svchost.exe[1328] msvcrt.dll!_creat 76C2BBE1 5 Bytes JMP 00D4000C
.text C:\Windows\system32\svchost.exe[1328] msvcrt.dll!_open 76C2D106 5 Bytes JMP 00D40FE3
.text C:\Windows\system32\svchost.exe[1328] msvcrt.dll!_wcreat 76C2D326 5 Bytes JMP 00D40027
.text C:\Windows\system32\svchost.exe[1328] msvcrt.dll!_wopen 76C2D501 5 Bytes JMP 00D40FD2
.text C:\Windows\system32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyExA 778839AB 5 Bytes JMP 00DF0FC3
.text C:\Windows\system32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyA 77883BA9 5 Bytes JMP 00DF0FD4
.text C:\Windows\system32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyA 778889C7 5 Bytes JMP 00DF000A
.text C:\Windows\system32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyW 7789391E 5 Bytes JMP 00DF0065
.text C:\Windows\system32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyExW 778941F1 5 Bytes JMP 00DF008A
.text C:\Windows\system32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyExA 77897C42 5 Bytes JMP 00DF0025
.text C:\Windows\system32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyW 7789E2B5 5 Bytes JMP 00DF0FEF
.text C:\Windows\system32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyExW 778A7BA1 5 Bytes JMP 00DF0040
.text C:\Windows\system32\svchost.exe[1328] WS2_32.dll!socket 778336D1 5 Bytes JMP 00D60000
.text C:\Windows\system32\svchost.exe[1328] WinInet.dll!InternetOpenA 7732D47D 5 Bytes JMP 00D50FEF
.text C:\Windows\system32\svchost.exe[1328] WinInet.dll!InternetOpenW 7732D7DA 5 Bytes JMP 00D5000A
.text C:\Windows\system32\svchost.exe[1328] WinInet.dll!InternetOpenUrlA 7732FE4B 5 Bytes JMP 00D5001B
.text C:\Windows\system32\svchost.exe[1328] WinInet.dll!InternetOpenUrlW 77379139 5 Bytes JMP 00D50FD4
.text C:\Windows\system32\svchost.exe[1456] kernel32.dll!GetStartupInfoW 76A51929 5 Bytes JMP 0013009C
.text C:\Windows\system32\svchost.exe[1456] kernel32.dll!GetStartupInfoA 76A519C9 5 Bytes JMP 00130081
.text C:\Windows\system32\svchost.exe[1456] kernel32.dll!CreateProcessW 76A51BF3 5 Bytes JMP 001300C8
.text C:\Windows\system32\svchost.exe[1456] kernel32.dll!CreateProcessA 76A51C28 5 Bytes JMP 00130F31
.text C:\Windows\system32\svchost.exe[1456] kernel32.dll!VirtualProtect 76A51DC3 5 Bytes JMP 0013004E
.text C:\Windows\system32\svchost.exe[1456] kernel32.dll!CreateNamedPipeA 76A52EF5 5 Bytes JMP 00130FCA
.text C:\Windows\system32\svchost.exe[1456] kernel32.dll!CreateNamedPipeW 76A55C0C 5 Bytes JMP 00130011
.text C:\Windows\system32\svchost.exe[1456] kernel32.dll!CreatePipe 76A78E6E 5 Bytes JMP 00130070
.text C:\Windows\system32\svchost.exe[1456] kernel32.dll!LoadLibraryExW 76A79109 5 Bytes JMP 00130033
.text C:\Windows\system32\svchost.exe[1456] kernel32.dll!LoadLibraryW 76A79362 5 Bytes JMP 00130F9B
.text C:\Windows\system32\svchost.exe[1456] kernel32.dll!LoadLibraryExA 76A794B4 5 Bytes JMP 00130F76
.text C:\Windows\system32\svchost.exe[1456] kernel32.dll!LoadLibraryA 76A794DC 5 Bytes JMP 00130022
.text C:\Windows\system32\svchost.exe[1456] kernel32.dll!VirtualProtectEx 76A7DBDA 5 Bytes JMP 0013005F
.text C:\Windows\system32\svchost.exe[1456] kernel32.dll!GetProcAddress 76A9903B 5 Bytes JMP 00130F0C
.text C:\Windows\system32\svchost.exe[1456] kernel32.dll!CreateFileW 76A9AECB 5 Bytes JMP 00130000
.text C:\Windows\system32\svchost.exe[1456] kernel32.dll!CreateFileA 76A9CE5F 5 Bytes JMP 00130FE5
.text C:\Windows\system32\svchost.exe[1456] kernel32.dll!WinExec 76AE5CF7 5 Bytes JMP 001300AD
.text C:\Windows\system32\svchost.exe[1456] msvcrt.dll!_wsystem 76C27F2F 5 Bytes JMP 00150F7F
.text C:\Windows\system32\svchost.exe[1456] msvcrt.dll!system 76C2804B 5 Bytes JMP 00150F9A
.text C:\Windows\system32\svchost.exe[1456] msvcrt.dll!_creat 76C2BBE1 5 Bytes JMP 00150FC6
.text C:\Windows\system32\svchost.exe[1456] msvcrt.dll!_open 76C2D106 5 Bytes JMP 00150FE3
.text C:\Windows\system32\svchost.exe[1456] msvcrt.dll!_wcreat 76C2D326 5 Bytes JMP 00150FB5
.text C:\Windows\system32\svchost.exe[1456] msvcrt.dll!_wopen 76C2D501 5 Bytes JMP 00150000
.text C:\Windows\system32\svchost.exe[1456] ADVAPI32.dll!RegCreateKeyExA 778839AB 5 Bytes JMP 00340F83
.text C:\Windows\system32\svchost.exe[1456] ADVAPI32.dll!RegCreateKeyA 77883BA9 5 Bytes JMP 00340FA5
.text C:\Windows\system32\svchost.exe[1456] ADVAPI32.dll!RegOpenKeyA 778889C7 5 Bytes JMP 00340FEF
.text C:\Windows\system32\svchost.exe[1456] ADVAPI32.dll!RegCreateKeyW 7789391E 5 Bytes JMP 00340F94
.text C:\Windows\system32\svchost.exe[1456] ADVAPI32.dll!RegCreateKeyExW 778941F1 5 Bytes JMP 00340036
.text C:\Windows\system32\svchost.exe[1456] ADVAPI32.dll!RegOpenKeyExA 77897C42 5 Bytes JMP 00340000
.text C:\Windows\system32\svchost.exe[1456] ADVAPI32.dll!RegOpenKeyW 7789E2B5 5 Bytes JMP 00340FD4
.text C:\Windows\system32\svchost.exe[1456] ADVAPI32.dll!RegOpenKeyExW 778A7BA1 5 Bytes JMP 00340011
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!GetStartupInfoW 76A51929 5 Bytes JMP 00810F3A
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!GetStartupInfoA 76A519C9 5 Bytes JMP 00810F4B
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!CreateProcessW 76A51BF3 5 Bytes JMP 00810EE9
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!CreateProcessA 76A51C28 5 Bytes JMP 00810F04
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!VirtualProtect 76A51DC3 5 Bytes JMP 00810F81
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!CreateNamedPipeA 76A52EF5 5 Bytes JMP 00810FDB
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!CreateNamedPipeW 76A55C0C 5 Bytes JMP 00810FCA
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!CreatePipe 76A78E6E 5 Bytes JMP 00810076
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!LoadLibraryExW 76A79109 5 Bytes JMP 00810F9E
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!LoadLibraryW 76A79362 5 Bytes JMP 00810051
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!LoadLibraryExA 76A794B4 5 Bytes JMP 00810FAF
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!LoadLibraryA 76A794DC 5 Bytes JMP 00810036
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!VirtualProtectEx 76A7DBDA 5 Bytes JMP 00810F70
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!GetProcAddress 76A9903B 5 Bytes JMP 00810ED8
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!CreateFileW 76A9AECB 5 Bytes JMP 0081001B
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!CreateFileA 76A9CE5F 5 Bytes JMP 00810000
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!WinExec 76AE5CF7 5 Bytes JMP 00810F1F
.text C:\Windows\system32\svchost.exe[1552] msvcrt.dll!_wsystem 76C27F2F 5 Bytes JMP 00820F9C
.text C:\Windows\system32\svchost.exe[1552] msvcrt.dll!system 76C2804B 5 Bytes JMP 00820FB7
.text C:\Windows\system32\svchost.exe[1552] msvcrt.dll!_creat 76C2BBE1 5 Bytes JMP 00820027
.text C:\Windows\system32\svchost.exe[1552] msvcrt.dll!_open 76C2D106 5 Bytes JMP 00820FE3
.text C:\Windows\system32\svchost.exe[1552] msvcrt.dll!_wcreat 76C2D326 5 Bytes JMP 00820FD2
.text C:\Windows\system32\svchost.exe[1552] msvcrt.dll!_wopen 76C2D501 5 Bytes JMP 00820000
.text C:\Windows\system32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyExA 778839AB 5 Bytes JMP 00850F7F
.text C:\Windows\system32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyA 77883BA9 5 Bytes JMP 00850FA1
.text C:\Windows\system32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyA 778889C7 5 Bytes JMP 00850FEF
.text C:\Windows\system32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyW 7789391E 5 Bytes JMP 00850F90
.text C:\Windows\system32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyExW 778941F1 5 Bytes JMP 00850032
.text C:\Windows\system32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyExA 77897C42 5 Bytes JMP 00850FC3
.text C:\Windows\system32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyW 7789E2B5 5 Bytes JMP 00850FD4
.text C:\Windows\system32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyExW 778A7BA1 5 Bytes JMP 00850FB2
.text C:\Windows\system32\svchost.exe[1552] WS2_32.dll!socket 778336D1 5 Bytes JMP 00830FEF
.text C:\Windows\system32\svchost.exe[1796] kernel32.dll!GetStartupInfoW 76A51929 5 Bytes JMP 017E0F0B
.text C:\Windows\system32\svchost.exe[1796] kernel32.dll!GetStartupInfoA 76A519C9 5 Bytes JMP 017E0F30
.text C:\Windows\system32\svchost.exe[1796] kernel32.dll!CreateProcessW 76A51BF3 5 Bytes JMP 017E0098
.text C:\Windows\system32\svchost.exe[1796] kernel32.dll!CreateProcessA 76A51C28 5 Bytes JMP 017E0087
.text C:\Windows\system32\svchost.exe[1796] kernel32.dll!VirtualProtect 76A51DC3 5 Bytes JMP 017E0F77
.text C:\Windows\system32\svchost.exe[1796] kernel32.dll!CreateNamedPipeA 76A52EF5 5 Bytes JMP 017E0FCA
.text C:\Windows\system32\svchost.exe[1796] kernel32.dll!CreateNamedPipeW 76A55C0C 5 Bytes JMP 017E001B
.text C:\Windows\system32\svchost.exe[1796] kernel32.dll!CreatePipe 76A78E6E 5 Bytes JMP 017E0F4B
.text C:\Windows\system32\svchost.exe[1796] kernel32.dll!LoadLibraryExW 76A79109 5 Bytes JMP 017E0051
.text C:\Windows\system32\svchost.exe[1796] kernel32.dll!LoadLibraryW 76A79362 5 Bytes JMP 017E0F94
.text C:\Windows\system32\svchost.exe[1796] kernel32.dll!LoadLibraryExA 76A794B4 5 Bytes JMP 017E0036
.text C:\Windows\system32\svchost.exe[1796] kernel32.dll!LoadLibraryA 76A794DC 5 Bytes JMP 017E0FAF
.text C:\Windows\system32\svchost.exe[1796] kernel32.dll!VirtualProtectEx 76A7DBDA 5 Bytes JMP 017E0F66
.text C:\Windows\system32\svchost.exe[1796] kernel32.dll!GetProcAddress 76A9903B 5 Bytes JMP 017E00B3
.text C:\Windows\system32\svchost.exe[1796] kernel32.dll!CreateFileW 76A9AECB 5 Bytes JMP 017E000A
.text C:\Windows\system32\svchost.exe[1796] kernel32.dll!CreateFileA 76A9CE5F 5 Bytes JMP 017E0FEF
.text C:\Windows\system32\svchost.exe[1796] kernel32.dll!WinExec 76AE5CF7 5 Bytes JMP 017E006C
.text C:\Windows\system32\svchost.exe[1796] msvcrt.dll!_wsystem 76C27F2F 5 Bytes JMP 017F0038
.text C:\Windows\system32\svchost.exe[1796] msvcrt.dll!system 76C2804B 5 Bytes JMP 017F0FAD
.text C:\Windows\system32\svchost.exe[1796] msvcrt.dll!_creat 76C2BBE1 5 Bytes JMP 017F001D
.text C:\Windows\system32\svchost.exe[1796] msvcrt.dll!_open 76C2D106 5 Bytes JMP 017F000C
.text C:\Windows\system32\svchost.exe[1796] msvcrt.dll!_wcreat 76C2D326 5 Bytes JMP 017F0FD2
.text C:\Windows\system32\svchost.exe[1796] msvcrt.dll!_wopen 76C2D501 5 Bytes JMP 017F0FE3
.text C:\Windows\system32\svchost.exe[1796] ADVAPI32.dll!RegCreateKeyExA 778839AB 5 Bytes JMP 01850F97
.text C:\Windows\system32\svchost.exe[1796] ADVAPI32.dll!RegCreateKeyA 77883BA9 5 Bytes JMP 01850FB9
.text C:\Windows\system32\svchost.exe[1796] ADVAPI32.dll!RegOpenKeyA 778889C7 5 Bytes JMP 01850000
.text C:\Windows\system32\svchost.exe[1796] ADVAPI32.dll!RegCreateKeyW 7789391E 5 Bytes JMP 01850FA8
.text C:\Windows\system32\svchost.exe[1796] ADVAPI32.dll!RegCreateKeyExW 778941F1 5 Bytes JMP 01850F86
.text C:\Windows\system32\svchost.exe[1796] ADVAPI32.dll!RegOpenKeyExA 77897C42 5 Bytes JMP 01850011
.text C:\Windows\system32\svchost.exe[1796] ADVAPI32.dll!RegOpenKeyW 7789E2B5 5 Bytes JMP 01850FDB
.text C:\Windows\system32\svchost.exe[1796] ADVAPI32.dll!RegOpenKeyExW 778A7BA1 5 Bytes JMP 01850FCA
.text C:\Windows\system32\svchost.exe[1796] WS2_32.dll!socket 778336D1 5 Bytes JMP 01840FEF
.text C:\Windows\System32\svchost.exe[2204] kernel32.dll!GetStartupInfoW 76A51929 5 Bytes JMP 000D00CE
.text C:\Windows\System32\svchost.exe[2204] kernel32.dll!GetStartupInfoA 76A519C9 5 Bytes JMP 000D00BD
.text C:\Windows\System32\svchost.exe[2204] kernel32.dll!CreateProcessW 76A51BF3 5 Bytes JMP 000D0F63
.text C:\Windows\System32\svchost.exe[2204] kernel32.dll!CreateProcessA 76A51C28 5 Bytes JMP 000D00FA
.text C:\Windows\System32\svchost.exe[2204] kernel32.dll!VirtualProtect 76A51DC3 5 Bytes JMP 000D0080
.text C:\Windows\System32\svchost.exe[2204] kernel32.dll!CreateNamedPipeA 76A52EF5 5 Bytes JMP 000D001E
.text C:\Windows\System32\svchost.exe[2204] kernel32.dll!CreateNamedPipeW 76A55C0C 5 Bytes JMP 000D0FCD
.text C:\Windows\System32\svchost.exe[2204] kernel32.dll!CreatePipe 76A78E6E 5 Bytes JMP 000D00A2
.text C:\Windows\System32\svchost.exe[2204] kernel32.dll!LoadLibraryExW 76A79109 5 Bytes JMP 000D006F
.text C:\Windows\System32\svchost.exe[2204] kernel32.dll!LoadLibraryW 76A79362 5 Bytes JMP 000D0039
.text C:\Windows\System32\svchost.exe[2204] kernel32.dll!LoadLibraryExA 76A794B4 5 Bytes JMP 000D0054
.text C:\Windows\System32\svchost.exe[2204] kernel32.dll!LoadLibraryA 76A794DC 5 Bytes JMP 000D0FB2
.text C:\Windows\System32\svchost.exe[2204] kernel32.dll!VirtualProtectEx 76A7DBDA 5 Bytes JMP 000D0091
.text C:\Windows\System32\svchost.exe[2204] kernel32.dll!GetProcAddress 76A9903B 5 Bytes JMP 000D0F3E
.text C:\Windows\System32\svchost.exe[2204] kernel32.dll!CreateFileW 76A9AECB 5 Bytes JMP 000D0FDE
.text C:\Windows\System32\svchost.exe[2204] kernel32.dll!CreateFileA 76A9CE5F 5 Bytes JMP 000D0FEF
.text C:\Windows\System32\svchost.exe[2204] kernel32.dll!WinExec 76AE5CF7 5 Bytes JMP 000D00E9
.text C:\Windows\System32\svchost.exe[2204] msvcrt.dll!_wsystem 76C27F2F 5 Bytes JMP 000E0F86
.text C:\Windows\System32\svchost.exe[2204] msvcrt.dll!system 76C2804B 5 Bytes JMP 000E0FAB
.text C:\Windows\System32\svchost.exe[2204] msvcrt.dll!_creat 76C2BBE1 5 Bytes JMP 000E001B
.text C:\Windows\System32\svchost.exe[2204] msvcrt.dll!_open 76C2D106 5 Bytes JMP 000E0FE3
.text C:\Windows\System32\svchost.exe[2204] msvcrt.dll!_wcreat 76C2D326 5 Bytes JMP 000E0FBC
.text C:\Windows\System32\svchost.exe[2204] msvcrt.dll!_wopen 76C2D501 5 Bytes JMP 000E0000
.text C:\Windows\System32\svchost.exe[2204] ADVAPI32.dll!RegCreateKeyExA 778839AB 5 Bytes JMP 00100051
.text C:\Windows\System32\svchost.exe[2204] ADVAPI32.dll!RegCreateKeyA 77883BA9 5 Bytes JMP 00100FAF
.text C:\Windows\System32\svchost.exe[2204] ADVAPI32.dll!RegOpenKeyA 778889C7 5 Bytes JMP 00100FE5
.text C:\Windows\System32\svchost.exe[2204] ADVAPI32.dll!RegCreateKeyW 7789391E 5 Bytes JMP 00100036
.text C:\Windows\System32\svchost.exe[2204] ADVAPI32.dll!RegCreateKeyExW 778941F1 5 Bytes JMP 00100062
.text C:\Windows\System32\svchost.exe[2204] ADVAPI32.dll!RegOpenKeyExA 77897C42 5 Bytes JMP 0010000A
.text C:\Windows\System32\svchost.exe[2204] ADVAPI32.dll!RegOpenKeyW 7789E2B5 5 Bytes JMP 00100FD4
.text C:\Windows\System32\svchost.exe[2204] ADVAPI32.dll!RegOpenKeyExW 778A7BA1 5 Bytes JMP 0010001B
.text C:\Windows\System32\svchost.exe[2204] WS2_32.dll!socket 778336D1 3 Bytes JMP 000F0000
.text C:\Windows\System32\svchost.exe[2204] WS2_32.dll!socket + 4 778336D5 1 Byte [88]
.text C:\Windows\System32\svchost.exe[2280] kernel32.dll!GetStartupInfoW 76A51929 5 Bytes JMP 00330F68
.text C:\Windows\System32\svchost.exe[2280] kernel32.dll!GetStartupInfoA 76A519C9 5 Bytes JMP 003300AE
.text C:\Windows\System32\svchost.exe[2280] kernel32.dll!CreateProcessW 76A51BF3 5 Bytes JMP 00330F32
.text C:\Windows\System32\svchost.exe[2280] kernel32.dll!CreateProcessA 76A51C28 5 Bytes JMP 003300C9
.text C:\Windows\System32\svchost.exe[2280] kernel32.dll!VirtualProtect 76A51DC3 5 Bytes JMP 0033005D
.text C:\Windows\System32\svchost.exe[2280] kernel32.dll!CreateNamedPipeA 76A52EF5 5 Bytes JMP 0033001B
.text C:\Windows\System32\svchost.exe[2280] kernel32.dll!CreateNamedPipeW 76A55C0C 5 Bytes JMP 0033002C
.text C:\Windows\System32\svchost.exe[2280] kernel32.dll!CreatePipe 76A78E6E 3 Bytes JMP 00330093
.text C:\Windows\System32\svchost.exe[2280] kernel32.dll!CreatePipe + 4 76A78E72 1 Byte [89]
.text C:\Windows\System32\svchost.exe[2280] kernel32.dll!LoadLibraryExW 76A79109 5 Bytes JMP 00330F83
.text C:\Windows\System32\svchost.exe[2280] kernel32.dll!LoadLibraryW 76A79362 3 Bytes JMP 00330FA5
.text C:\Windows\System32\svchost.exe[2280] kernel32.dll!LoadLibraryW + 4 76A79366 1 Byte [89]
.text C:\Windows\System32\svchost.exe[2280] kernel32.dll!LoadLibraryExA 76A794B4 3 Bytes JMP 00330F94
.text C:\Windows\System32\svchost.exe[2280] kernel32.dll!LoadLibraryExA + 4 76A794B8 1 Byte [89]
.text C:\Windows\System32\svchost.exe[2280] kernel32.dll!LoadLibraryA 76A794DC 3 Bytes JMP 00330FC0
.text C:\Windows\System32\svchost.exe[2280] kernel32.dll!LoadLibraryA + 4 76A794E0 1 Byte [89]
.text C:\Windows\System32\svchost.exe[2280] kernel32.dll!VirtualProtectEx 76A7DBDA 3 Bytes JMP 00330082
.text C:\Windows\System32\svchost.exe[2280] kernel32.dll!VirtualProtectEx + 4 76A7DBDE 1 Byte [89]
.text C:\Windows\System32\svchost.exe[2280] kernel32.dll!GetProcAddress 76A9903B 5 Bytes JMP 003300E4
.text C:\Windows\System32\svchost.exe[2280] kernel32.dll!CreateFileW 76A9AECB 5 Bytes JMP 00330FE5
.text C:\Windows\System32\svchost.exe[2280] kernel32.dll!CreateFileA 76A9CE5F 5 Bytes JMP 00330000
.text C:\Windows\System32\svchost.exe[2280] kernel32.dll!WinExec 76AE5CF7 5 Bytes JMP 00330F57
.text C:\Windows\System32\svchost.exe[2280] msvcrt.dll!_wsystem 76C27F2F 5 Bytes JMP 00340FA8
.text C:\Windows\System32\svchost.exe[2280] msvcrt.dll!system 76C2804B 5 Bytes JMP 00340FC3
.text C:\Windows\System32\svchost.exe[2280] msvcrt.dll!_creat 76C2BBE1 5 Bytes JMP 00340029
.text C:\Windows\System32\svchost.exe[2280] msvcrt.dll!_open 76C2D106 5 Bytes JMP 00340FEF
.text C:\Windows\System32\svchost.exe[2280] msvcrt.dll!_wcreat 76C2D326 5 Bytes JMP 00340FD4
.text C:\Windows\System32\svchost.exe[2280] msvcrt.dll!_wopen 76C2D501 5 Bytes JMP 00340018
.text C:\Windows\System32\svchost.exe[2280] ADVAPI32.dll!RegCreateKeyExA 778839AB 5 Bytes JMP 006F0051
.text C:\Windows\System32\svchost.exe[2280] ADVAPI32.dll!RegCreateKeyA 77883BA9 5 Bytes JMP 006F0040
.text C:\Windows\System32\svchost.exe[2280] ADVAPI32.dll!RegOpenKeyA 778889C7 5 Bytes JMP 006F0000
.text C:\Windows\System32\svchost.exe[2280] ADVAPI32.dll!RegCreateKeyW 7789391E 5 Bytes JMP 006F0FB9
.text C:\Windows\System32\svchost.exe[2280] ADVAPI32.dll!RegCreateKeyExW 778941F1 5 Bytes JMP 006F006C
.text C:\Windows\System32\svchost.exe[2280] ADVAPI32.dll!RegOpenKeyExA 77897C42 5 Bytes JMP 006F001B
.text C:\Windows\System32\svchost.exe[2280] ADVAPI32.dll!RegOpenKeyW 7789E2B5 5 Bytes JMP 006F0FE5
.text C:\Windows\System32\svchost.exe[2280] ADVAPI32.dll!RegOpenKeyExW 778A7BA1 5 Bytes JMP 006F0FD4
.text C:\Windows\System32\svchost.exe[2280] WS2_32.dll!socket 778336D1 5 Bytes JMP 00350000
.text C:\Windows\system32\svchost.exe[2320] kernel32.dll!GetStartupInfoW 76A51929 5 Bytes JMP 003500E1
.text C:\Windows\system32\svchost.exe[2320] kernel32.dll!GetStartupInfoA 76A519C9 5 Bytes JMP 003500D0
.text C:\Windows\system32\svchost.exe[2320] kernel32.dll!CreateProcessW 76A51BF3 5 Bytes JMP 0035010D
.text C:\Windows\system32\svchost.exe[2320] kernel32.dll!CreateProcessA 76A51C28 5 Bytes JMP 003500F2
.text C:\Windows\system32\svchost.exe[2320] kernel32.dll!VirtualProtect 76A51DC3 5 Bytes JMP 00350FA5
.text C:\Windows\system32\svchost.exe[2320] kernel32.dll!CreateNamedPipeA 76A52EF5 5 Bytes JMP 00350025
.text C:\Windows\system32\svchost.exe[2320] kernel32.dll!CreateNamedPipeW 76A55C0C 5 Bytes JMP 00350036
.text C:\Windows\system32\svchost.exe[2320] kernel32.dll!CreatePipe 76A78E6E 5 Bytes JMP 003500AB
.text C:\Windows\system32\svchost.exe[2320] kernel32.dll!LoadLibraryExW 76A79109 5 Bytes JMP 00350FB6
.text C:\Windows\system32\svchost.exe[2320] kernel32.dll!LoadLibraryW 76A79362 5 Bytes JMP 00350058
.text C:\Windows\system32\svchost.exe[2320] kernel32.dll!LoadLibraryExA 76A794B4 5 Bytes JMP 00350073
.text C:\Windows\system32\svchost.exe[2320] kernel32.dll!LoadLibraryA 76A794DC 5 Bytes JMP 00350047
.text C:\Windows\system32\svchost.exe[2320] kernel32.dll!VirtualProtectEx 76A7DBDA 5 Bytes JMP 00350090
.text C:\Windows\system32\svchost.exe[2320] kernel32.dll!GetProcAddress 76A9903B 3 Bytes JMP 00350F51
.text C:\Windows\system32\svchost.exe[2320] kernel32.dll!GetProcAddress + 4 76A9903F 1 Byte [89]
.text C:\Windows\system32\svchost.exe[2320] kernel32.dll!CreateFileW 76A9AECB 3 Bytes JMP 0035000A
.text C:\Windows\system32\svchost.exe[2320] kernel32.dll!CreateFileW + 4 76A9AECF 1 Byte [89]
.text C:\Windows\system32\svchost.exe[2320] kernel32.dll!CreateFileA 76A9CE5F 3 Bytes JMP 00350FEF
.text C:\Windows\system32\svchost.exe[2320] kernel32.dll!CreateFileA + 4 76A9CE63 1 Byte [89]
.text C:\Windows\system32\svchost.exe[2320] kernel32.dll!WinExec 76AE5CF7 5 Bytes JMP 00350F76
.text C:\Windows\system32\svchost.exe[2320] msvcrt.dll!_wsystem 76C27F2F 5 Bytes JMP 00480031
.text C:\Windows\system32\svchost.exe[2320] msvcrt.dll!system 76C2804B 5 Bytes JMP 00480FA6
.text C:\Windows\system32\svchost.exe[2320] msvcrt.dll!_creat 76C2BBE1 5 Bytes JMP 00480FD2
.text C:\Windows\system32\svchost.exe[2320] msvcrt.dll!_open 76C2D106 5 Bytes JMP 00480000
.text C:\Windows\system32\svchost.exe[2320] msvcrt.dll!_wcreat 76C2D326 5 Bytes JMP 00480FB7
.text C:\Windows\system32\svchost.exe[2320] msvcrt.dll!_wopen 76C2D501 5 Bytes JMP 00480FE3
.text C:\Windows\system32\svchost.exe[2320] ADVAPI32.dll!RegCreateKeyExA 778839AB 5 Bytes JMP 004A0F9B
.text C:\Windows\system32\svchost.exe[2320] ADVAPI32.dll!RegCreateKeyA 77883BA9 5 Bytes JMP 004A002C
.text C:\Windows\system32\svchost.exe[2320] ADVAPI32.dll!RegOpenKeyA 778889C7 5 Bytes JMP 004A0FEF
.text C:\Windows\system32\svchost.exe[2320] ADVAPI32.dll!RegCreateKeyW 7789391E 5 Bytes JMP 004A003D
.text C:\Windows\system32\svchost.exe[2320] ADVAPI32.dll!RegCreateKeyExW 778941F1 5 Bytes JMP 004A004E
.text C:\Windows\system32\svchost.exe[2320] ADVAPI32.dll!RegOpenKeyExA 77897C42 5 Bytes JMP 004A0FCA
.text C:\Windows\system32\svchost.exe[2320] ADVAPI32.dll!RegOpenKeyW 7789E2B5 5 Bytes JMP 004A0000
.text C:\Windows\system32\svchost.exe[2320] ADVAPI32.dll!RegOpenKeyExW 778A7BA1 5 Bytes JMP 004A001B
.text C:\Windows\system32\svchost.exe[2320] WS2_32.dll!socket 778336D1 5 Bytes JMP 00490000
.text C:\Windows\system32\svchost.exe[2388] kernel32.dll!GetStartupInfoW 76A51929 5 Bytes JMP 002F0091
.text C:\Windows\system32\svchost.exe[2388] kernel32.dll!GetStartupInfoA 76A519C9 5 Bytes JMP 002F0F4B
.text C:\Windows\system32\svchost.exe[2388] kernel32.dll!CreateProcessW 76A51BF3 5 Bytes JMP 002F00BD
.text C:\Windows\system32\svchost.exe[2388] kernel32.dll!CreateProcessA 76A51C28 5 Bytes JMP 002F0F26
.text C:\Windows\system32\svchost.exe[2388] kernel32.dll!VirtualProtect 76A51DC3 5 Bytes JMP 002F0F7E
.text C:\Windows\system32\svchost.exe[2388] kernel32.dll!CreateNamedPipeA 76A52EF5 5 Bytes JMP 002F002C
.text C:\Windows\system32\svchost.exe[2388] kernel32.dll!CreateNamedPipeW 76A55C0C 5 Bytes JMP 002F0FDB
.text C:\Windows\system32\svchost.exe[2388] kernel32.dll!CreatePipe 76A78E6E 5 Bytes JMP 002F0F5C
.text C:\Windows\system32\svchost.exe[2388] kernel32.dll!LoadLibraryExW 76A79109 5 Bytes JMP 002F0058
.text C:\Windows\system32\svchost.exe[2388] kernel32.dll!LoadLibraryW 76A79362 5 Bytes JMP 002F0047
.text C:\Windows\system32\svchost.exe[2388] kernel32.dll!LoadLibraryExA 76A794B4 5 Bytes JMP 002F0FA5
.text C:\Windows\system32\svchost.exe[2388] kernel32.dll!LoadLibraryA 76A794DC 5 Bytes JMP 002F0FCA
.text C:\Windows\system32\svchost.exe[2388] kernel32.dll!VirtualProtectEx 76A7DBDA 5 Bytes JMP 002F0F6D
.text C:\Windows\system32\svchost.exe[2388] kernel32.dll!GetProcAddress 76A9903B 5 Bytes JMP 002F0F0B
.text C:\Windows\system32\svchost.exe[2388] kernel32.dll!CreateFileW 76A9AECB 5 Bytes JMP 002F001B
.text C:\Windows\system32\svchost.exe[2388] kernel32.dll!CreateFileA 76A9CE5F 5 Bytes JMP 002F0000
.text C:\Windows\system32\svchost.exe[2388] kernel32.dll!WinExec 76AE5CF7 5 Bytes JMP 002F00A2
.text C:\Windows\system32\svchost.exe[2388] msvcrt.dll!_wsystem 76C27F2F 5 Bytes JMP 00300055
.text C:\Windows\system32\svchost.exe[2388] msvcrt.dll!system 76C2804B 5 Bytes JMP 00300044
.text C:\Windows\system32\svchost.exe[2388] msvcrt.dll!_creat 76C2BBE1 5 Bytes JMP 00300029
.text C:\Windows\system32\svchost.exe[2388] msvcrt.dll!_open 76C2D106 5 Bytes JMP 00300FEF
.text C:\Windows\system32\svchost.exe[2388] msvcrt.dll!_wcreat 76C2D326 5 Bytes JMP 00300FD4
.text C:\Windows\system32\svchost.exe[2388] msvcrt.dll!_wopen 76C2D501 5 Bytes JMP 00300018
.text C:\Windows\system32\svchost.exe[2388] ADVAPI32.dll!RegCreateKeyExA 778839AB 5 Bytes JMP 00480FCA
.text C:\Windows\system32\svchost.exe[2388] ADVAPI32.dll!RegCreateKeyA 77883BA9 5 Bytes JMP 00480FE5
.text C:\Windows\system32\svchost.exe[2388] ADVAPI32.dll!RegOpenKeyA 778889C7 5 Bytes JMP 00480000
.text C:\Windows\system32\svchost.exe[2388] ADVAPI32.dll!RegCreateKeyW 7789391E 5 Bytes JMP 0048006C
.text C:\Windows\system32\svchost.exe[2388] ADVAPI32.dll!RegCreateKeyExW 778941F1 5 Bytes JMP 00480087
.text C:\Windows\system32\svchost.exe[2388] ADVAPI32.dll!RegOpenKeyExA 77897C42 5 Bytes JMP 00480036
.text C:\Windows\system32\svchost.exe[2388] ADVAPI32.dll!RegOpenKeyW 7789E2B5 5 Bytes JMP 00480025
.text C:\Windows\system32\svchost.exe[2388] ADVAPI32.dll!RegOpenKeyExW 778A7BA1 5 Bytes JMP 00480051
.text C:\Windows\system32\svchost.exe[2388] WS2_32.dll!socket 778336D1 5 Bytes JMP 00350000
.text C:\Windows\System32\svchost.exe[2612] kernel32.dll!GetStartupInfoW 76A51929 5 Bytes JMP 000500BF
.text C:\Windows\System32\svchost.exe[2612] kernel32.dll!GetStartupInfoA 76A519C9 5 Bytes JMP 000500A4
.text C:\Windows\System32\svchost.exe[2612] kernel32.dll!CreateProcessW 76A51BF3 5 Bytes JMP 00050110
.text C:\Windows\System32\svchost.exe[2612] kernel32.dll!CreateProcessA 76A51C28 5 Bytes JMP 000500F5
.text C:\Windows\System32\svchost.exe[2612] kernel32.dll!VirtualProtect 76A51DC3 5 Bytes JMP 00050089
.text C:\Windows\System32\svchost.exe[2612] kernel32.dll!CreateNamedPipeA 76A52EF5 5 Bytes JMP 00050025
.text C:\Windows\System32\svchost.exe[2612] kernel32.dll!CreateNamedPipeW 76A55C0C 5 Bytes JMP 00050FCA
.text C:\Windows\System32\svchost.exe[2612] kernel32.dll!CreatePipe 76A78E6E 5 Bytes JMP 00050F79
.text C:\Windows\System32\svchost.exe[2612] kernel32.dll!LoadLibraryExW 76A79109 5 Bytes JMP 00050062
.text C:\Windows\System32\svchost.exe[2612] kernel32.dll!LoadLibraryW 76A79362 5 Bytes JMP 00050FB9
.text C:\Windows\System32\svchost.exe[2612] kernel32.dll!LoadLibraryExA 76A794B4 5 Bytes JMP 00050051
.text C:\Windows\System32\svchost.exe[2612] kernel32.dll!LoadLibraryA 76A794DC 5 Bytes JMP 00050040
.text C:\Windows\System32\svchost.exe[2612] kernel32.dll!VirtualProtectEx 76A7DBDA 5 Bytes JMP 00050F8A
.text C:\Windows\System32\svchost.exe[2612] kernel32.dll!GetProcAddress 76A9903B 5 Bytes JMP 00050121
.text C:\Windows\System32\svchost.exe[2612] kernel32.dll!CreateFileW 76A9AECB 5 Bytes JMP 0005000A
.text C:\Windows\System32\svchost.exe[2612] kernel32.dll!CreateFileA 76A9CE5F 5 Bytes JMP 00050FEF
.text C:\Windows\System32\svchost.exe[2612] kernel32.dll!WinExec 76AE5CF7 5 Bytes JMP 000500D0
.text C:\Windows\System32\svchost.exe[2612] msvcrt.dll!_wsystem 76C27F2F 5 Bytes JMP 0006005A
.text C:\Windows\System32\svchost.exe[2612] msvcrt.dll!system 76C2804B 5 Bytes JMP 00060049
.text C:\Windows\System32\svchost.exe[2612] msvcrt.dll!_creat 76C2BBE1 5 Bytes JMP 0006001D
.text C:\Windows\System32\svchost.exe[2612] msvcrt.dll!_open 76C2D106 5 Bytes JMP 0006000C
.text C:\Windows\System32\svchost.exe[2612] msvcrt.dll!_wcreat 76C2D326 5 Bytes JMP 00060038
.text C:\Windows\System32\svchost.exe[2612] msvcrt.dll!_wopen 76C2D501 5 Bytes JMP 00060FEF
.text C:\Windows\System32\svchost.exe[2612] ADVAPI32.dll!RegCreateKeyExA 778839AB 5 Bytes JMP 00070F8D
.text C:\Windows\System32\svchost.exe[2612] ADVAPI32.dll!RegCreateKeyA 77883BA9 5 Bytes JMP 00070025
.text C:\Windows\System32\svchost.exe[2612] ADVAPI32.dll!RegOpenKeyA 778889C7 5 Bytes JMP 00070000
.text C:\Windows\System32\svchost.exe[2612] ADVAPI32.dll!RegCreateKeyW 7789391E 5 Bytes JMP 00070F9E
.text C:\Windows\System32\svchost.exe[2612] ADVAPI32.dll!RegCreateKeyExW 778941F1 5 Bytes JMP 0007004A
.text C:\Windows\System32\svchost.exe[2612] ADVAPI32.dll!RegOpenKeyExA 77897C42 5 Bytes JMP 00070FCA
.text C:\Windows\System32\svchost.exe[2612] ADVAPI32.dll!RegOpenKeyW 7789E2B5 5 Bytes JMP 00070FDB
.text C:\Windows\System32\svchost.exe[2612] ADVAPI32.dll!RegOpenKeyExW 778A7BA1 5 Bytes JMP 00070FB9
.text C:\Windows\System32\svchost.exe[2612] WS2_32.dll!socket 778336D1 5 Bytes JMP 004A0000
.text C:\Windows\system32\svchost.exe[2732] kernel32.dll!GetStartupInfoW 76A51929 5 Bytes JMP 00010F48
.text C:\Windows\system32\svchost.exe[2732] kernel32.dll!GetStartupInfoA 76A519C9 5 Bytes JMP 00010F59
.text C:\Windows\system32\svchost.exe[2732] kernel32.dll!CreateProcessW 76A51BF3 5 Bytes JMP 000100BD
.text C:\Windows\system32\svchost.exe[2732] kernel32.dll!CreateProcessA 76A51C28 5 Bytes JMP 00010F26
.text C:\Windows\system32\svchost.exe[2732] kernel32.dll!VirtualProtect 76A51DC3 5 Bytes JMP 00010062
.text C:\Windows\system32\svchost.exe[2732] kernel32.dll!CreateNamedPipeA 76A52EF5 5 Bytes JMP 00010014
.text C:\Windows\system32\svchost.exe[2732] kernel32.dll!CreateNamedPipeW 76A55C0C 5 Bytes JMP 00010FB9
.text C:\Windows\system32\svchost.exe[2732] kernel32.dll!CreatePipe 76A78E6E 5 Bytes JMP 0001008E
.text C:\Windows\system32\svchost.exe[2732] kernel32.dll!LoadLibraryExW 76A79109 5 Bytes JMP 00010051
.text C:\Windows\system32\svchost.exe[2732] kernel32.dll!LoadLibraryW 76A79362 5 Bytes JMP 00010F9E
.text C:\Windows\system32\svchost.exe[2732] kernel32.dll!LoadLibraryExA 76A794B4 5 Bytes JMP 00010040
.text C:\Windows\system32\svchost.exe[2732] kernel32.dll!LoadLibraryA 76A794DC 5 Bytes JMP 00010025
.text C:\Windows\system32\svchost.exe[2732] kernel32.dll!VirtualProtectEx 76A7DBDA 5 Bytes JMP 0001007D
.text C:\Windows\system32\svchost.exe[2732] kernel32.dll!GetProcAddress 76A9903B 5 Bytes JMP 00010F15
.text C:\Windows\system32\svchost.exe[2732] kernel32.dll!CreateFileW 76A9AECB 5 Bytes JMP 00010FD4
.text C:\Windows\system32\svchost.exe[2732] kernel32.dll!CreateFileA 76A9CE5F 5 Bytes JMP 00010FEF
.text C:\Windows\system32\svchost.exe[2732] kernel32.dll!WinExec 76AE5CF7 5 Bytes JMP 00010F37
.text C:\Windows\system32\svchost.exe[2732] msvcrt.dll!_wsystem 76C27F2F 5 Bytes JMP 0005003D
.text C:\Windows\system32\svchost.exe[2732] msvcrt.dll!system 76C2804B 5 Bytes JMP 00050FB2
.text C:\Windows\system32\svchost.exe[2732] msvcrt.dll!_creat 76C2BBE1 5 Bytes JMP 00050FCD
.text C:\Windows\system32\svchost.exe[2732] msvcrt.dll!_open 76C2D106 5 Bytes JMP 00050FEF
.text C:\Windows\system32\svchost.exe[2732] msvcrt.dll!_wcreat 76C2D326 5 Bytes JMP 00050018
.text C:\Windows\system32\svchost.exe[2732] msvcrt.dll!_wopen 76C2D501 5 Bytes JMP 00050FDE
.text C:\Windows\system32\svchost.exe[2732] ADVAPI32.dll!RegCreateKeyExA 778839AB 5 Bytes JMP 00060F9E
.text C:\Windows\system32\svchost.exe[2732] ADVAPI32.dll!RegCreateKeyA 77883BA9 5 Bytes JMP 00060025
.text C:\Windows\system32\svchost.exe[2732] ADVAPI32.dll!RegOpenKeyA 778889C7 5 Bytes JMP 00060FEF
.text C:\Windows\system32\svchost.exe[2732] ADVAPI32.dll!RegCreateKeyW 7789391E 5 Bytes JMP 00060036
.text C:\Windows\system32\svchost.exe[2732] ADVAPI32.dll!RegCreateKeyExW 778941F1 5 Bytes JMP 00060F83
.text C:\Windows\system32\svchost.exe[2732] ADVAPI32.dll!RegOpenKeyExA 77897C42 5 Bytes JMP 00060FB9
.text C:\Windows\system32\svchost.exe[2732] ADVAPI32.dll!RegOpenKeyW 7789E2B5 5 Bytes JMP 00060FDE
.text C:\Windows\system32\svchost.exe[2732] ADVAPI32.dll!RegOpenKeyExW 778A7BA1 5 Bytes JMP 0006000A
.text C:\Windows\system32\svchost.exe[2732] WS2_32.dll!socket 778336D1 5 Bytes JMP 0019000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3528] ntdll.dll!LdrLoadDll 776F9390 5 Bytes JMP 013813F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Windows\Explorer.EXE[3600] kernel32.dll!GetStartupInfoW 76A51929 5 Bytes JMP 002F0F48
.text C:\Windows\Explorer.EXE[3600] kernel32.dll!GetStartupInfoA 76A519C9 5 Bytes JMP 002F0F63
.text C:\Windows\Explorer.EXE[3600] kernel32.dll!CreateProcessW 76A51BF3 5 Bytes JMP 002F0F23
.text C:\Windows\Explorer.EXE[3600] kernel32.dll!CreateProcessA 76A51C28 5 Bytes JMP 002F00C4
.text C:\Windows\Explorer.EXE[3600] kernel32.dll!VirtualProtect 76A51DC3 5 Bytes JMP 002F007D
.text C:\Windows\Explorer.EXE[3600] kernel32.dll!CreateNamedPipeA 76A52EF5 5 Bytes JMP 002F000A
.text C:\Windows\Explorer.EXE[3600] kernel32.dll!CreateNamedPipeW 76A55C0C 5 Bytes JMP 002F001B
.text C:\Windows\Explorer.EXE[3600] kernel32.dll!CreatePipe 76A78E6E 5 Bytes JMP 002F0F7E
.text C:\Windows\Explorer.EXE[3600] kernel32.dll!LoadLibraryExW 76A79109 5 Bytes JMP 002F006C
.text C:\Windows\Explorer.EXE[3600] kernel32.dll!LoadLibraryW 76A79362 5 Bytes JMP 002F0051
.text C:\Windows\Explorer.EXE[3600] kernel32.dll!LoadLibraryExA 76A794B4 5 Bytes JMP 002F0FB9
.text C:\Windows\Explorer.EXE[3600] kernel32.dll!LoadLibraryA 76A794DC 5 Bytes JMP 002F0036
.text C:\Windows\Explorer.EXE[3600] kernel32.dll!VirtualProtectEx 76A7DBDA 5 Bytes JMP 002F008E
.text C:\Windows\Explorer.EXE[3600] kernel32.dll!GetProcAddress 76A9903B 5 Bytes JMP 002F0F12
.text C:\Windows\Explorer.EXE[3600] kernel32.dll!CreateFileW 76A9AECB 5 Bytes JMP 002F0FD4
.text C:\Windows\Explorer.EXE[3600] kernel32.dll!CreateFileA 76A9CE5F 5 Bytes JMP 002F0FEF
.text C:\Windows\Explorer.EXE[3600] kernel32.dll!WinExec 76AE5CF7 5 Bytes JMP 002F00A9
.text C:\Windows\Explorer.EXE[3600] ADVAPI32.dll!RegCreateKeyExA 778839AB 5 Bytes JMP 00320F97
.text C:\Windows\Explorer.EXE[3600] ADVAPI32.dll!RegCreateKeyA 77883BA9 5 Bytes JMP 00320FA8
.text C:\Windows\Explorer.EXE[3600] ADVAPI32.dll!RegOpenKeyA 778889C7 5 Bytes JMP 00320FEF
.text C:\Windows\Explorer.EXE[3600] ADVAPI32.dll!RegCreateKeyW 7789391E 5 Bytes JMP 0032002F
.text C:\Windows\Explorer.EXE[3600] ADVAPI32.dll!RegCreateKeyExW 778941F1 5 Bytes JMP 0032004A
.text C:\Windows\Explorer.EXE[3600] ADVAPI32.dll!RegOpenKeyExA 77897C42 5 Bytes JMP 0032000A
.text C:\Windows\Explorer.EXE[3600] ADVAPI32.dll!RegOpenKeyW 7789E2B5 5 Bytes JMP 00320FCA
.text C:\Windows\Explorer.EXE[3600] ADVAPI32.dll!RegOpenKeyExW 778A7BA1 5 Bytes JMP 00320FB9
.text C:\Windows\Explorer.EXE[3600] msvcrt.dll!_wsystem 76C27F2F 5 Bytes JMP 00330FA1
.text C:\Windows\Explorer.EXE[3600] msvcrt.dll!system 76C2804B 5 Bytes JMP 00330FBC
.text C:\Windows\Explorer.EXE[3600] msvcrt.dll!_creat 76C2BBE1 5 Bytes JMP 00330FDE
.text C:\Windows\Explorer.EXE[3600] msvcrt.dll!_open 76C2D106 5 Bytes JMP 00330FEF
.text C:\Windows\Explorer.EXE[3600] msvcrt.dll!_wcreat 76C2D326 5 Bytes JMP 00330FCD
.text C:\Windows\Explorer.EXE[3600] msvcrt.dll!_wopen 76C2D501 5 Bytes JMP 00330018
.text C:\Windows\Explorer.EXE[3600] WS2_32.dll!socket 778336D1 3 Bytes JMP 030F000A
.text C:\Windows\Explorer.EXE[3600] WS2_32.dll!socket + 4 778336D5 1 Byte [8B]
.text C:\Windows\Explorer.EXE[3600] WININET.dll!InternetOpenA 7732D47D 5 Bytes JMP 03530FE5
.text C:\Windows\Explorer.EXE[3600] WININET.dll!InternetOpenW 7732D7DA 5 Bytes JMP 03530FD4
.text C:\Windows\Explorer.EXE[3600] WININET.dll!InternetOpenUrlA 7732FE4B 5 Bytes JMP 03530000
.text C:\Windows\Explorer.EXE[3600] WININET.dll!InternetOpenUrlW 77379139 5 Bytes JMP 03530FAF

---- EOF - GMER 1.0.15 ----

Edited by jollyrancher, 07 June 2010 - 06:18 PM.
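The user-mode hook listing in the GMER log above (every LoadLibrary*, CreateFile*, Reg*, WinExec/system, socket and InternetOpen* export used by Explorer.EXE patched with a 5-byte JMP into small regions such as 002F0000, 00320000, 00330000, 030F0000 and 03530000) is easier to triage in summary form than line by line. The script below is an added example, not part of this thread or of GMER: it parses lines in that format, groups the hooks by the 64 KB region their trampoline lands in and counts which capability each hook set covers. The sample lines embedded in it are copied from the listing above; the capability buckets are my own grouping, chosen for the APIs that appear here. GMER alone does not say which module owns those regions: the ComboFix log further down shows McAfee SiteAdvisor's saHook.dll loaded in Explorer.exe, which is the kind of legitimate hooking DLL that produces output like this, but whether these particular stubs belong to it is not established by the logs, so the next step is to map the JMP targets to their owning DLL with a debugger or a memory dump.

```python
import re
from collections import defaultdict

# Sample lines copied from the GMER user-mode hook listing above (a handful
# of lines, not the full log) so the script runs stand-alone.
SAMPLE_GMER = r"""
.text C:\Windows\Explorer.EXE[3600] kernel32.dll!LoadLibraryExW 76A79109 5 Bytes JMP 002F006C
.text C:\Windows\Explorer.EXE[3600] kernel32.dll!GetProcAddress 76A9903B 5 Bytes JMP 002F0F12
.text C:\Windows\Explorer.EXE[3600] ADVAPI32.dll!RegCreateKeyExW 778941F1 5 Bytes JMP 0032004A
.text C:\Windows\Explorer.EXE[3600] WS2_32.dll!socket 778336D1 3 Bytes JMP 030F000A
.text C:\Windows\Explorer.EXE[3600] WS2_32.dll!socket + 4 778336D5 1 Byte [8B]
.text C:\Windows\Explorer.EXE[3600] WININET.dll!InternetOpenUrlA 7732FE4B 5 Bytes JMP 03530000
---- EOF - GMER 1.0.15 ----
"""

# One hook line:
# ".text <process>[pid] <module>!<function>[ + off] <addr> <n> Byte(s) JMP <target>"
# or, for the leftover bytes of a partial patch, "... <n> Byte [<raw>]".
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>\S+)\[(?P<pid>\d+)\]\s+"
    r"(?P<mod>[^!\s]+)!(?P<func>\w+)(?:\s+\+\s+(?P<off>\d+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<n>\d+)\s+Bytes?\s+"
    r"(?:JMP\s+(?P<target>[0-9A-Fa-f]+)|\[(?P<raw>[0-9A-Fa-f ,]+)\])\s*$"
)

# My own capability buckets for the APIs GMER reported (prefix match, in this order).
CAPABILITIES = {
    "loader": ("LoadLibrary", "GetProcAddress"),
    "file": ("CreateFile", "_open", "_wopen", "_creat", "_wcreat"),
    "registry": ("RegCreateKey", "RegOpenKey"),
    "process": ("WinExec", "system", "_wsystem", "CreatePipe"),
    "memory": ("VirtualProtect",),
    "network": ("socket", "InternetOpen"),
}


def classify(func):
    for cap, prefixes in CAPABILITIES.items():
        if func.startswith(prefixes):
            return cap
    return "other"


def parse_hooks(text):
    """Return one dict per recognised hook line; all other lines are ignored."""
    records = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "proc": m["proc"], "pid": int(m["pid"]),
            "module": m["mod"], "func": m["func"],
            "offset": int(m["off"]) if m["off"] else 0,
            "addr": int(m["addr"], 16), "nbytes": int(m["n"]),
            "target": int(m["target"], 16) if m["target"] else None,
            "raw": m["raw"],
        })
    return records


def summarize(records):
    """Per process: hooked APIs grouped by the 64 KB region their JMP lands in,
    a count per capability bucket, and the partial-patch fragments GMER lists
    on their own line (e.g. 'socket + 4')."""
    out = {}
    for r in records:
        entry = out.setdefault((r["proc"], r["pid"]), {
            "regions": defaultdict(list), "capabilities": defaultdict(int), "fragments": []})
        name = "%s!%s" % (r["module"], r["func"])
        if r["offset"] or r["target"] is None:
            entry["fragments"].append("%s+%d" % (name, r["offset"]))
            continue
        region = "%08X" % (r["target"] & 0xFFFF0000)
        entry["regions"][region].append(name)
        entry["capabilities"][classify(r["func"])] += 1
    for entry in out.values():
        entry["regions"] = {k: sorted(v) for k, v in sorted(entry["regions"].items())}
        entry["capabilities"] = dict(entry["capabilities"])
    return out


if __name__ == "__main__":
    for (proc, pid), entry in summarize(parse_hooks(SAMPLE_GMER)).items():
        print("%s[%d]" % (proc, pid))
        for region, funcs in entry["regions"].items():
            print("  stubs in %s: %s" % (region, ", ".join(funcs)))
        print("  capabilities:", entry["capabilities"])
        print("  fragments:", entry["fragments"])
```

Run it against the full GMER log instead of the embedded sample and the region grouping shows at a glance that the kernel32/msvcrt file and loader hooks, the ADVAPI32 registry hooks, and the WS2_32/WININET network hooks each sit in their own allocation, which is the shape of one injected hooking DLL with several stub pages rather than several independent patches.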


#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:08:14 AM

Posted 07 June 2010 - 06:33 PM

Interesting that no rootkit has been found.

The bad image is a problem that a previous rootkit liked to cause.


Please run Combofix and let's see what is causing it.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE
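The "Bad Image" dialog m0le refers to is the loader's STATUS_INVALID_IMAGE_FORMAT (0xC000007B) hard error: the DLL named in the dialog failed the header checks the loader performs before mapping it, which in practice means a corrupt or truncated file or a DLL built for the wrong architecture (a 64-bit DLL pulled into a 32-bit process, or the reverse). The following is an added example, not code from this thread or from any of the tools mentioned in it: it re-implements those header checks in Python so a suspect DLL can be examined offline and the failure classified before deciding what to do about it. build_image constructs synthetic headers for testing and is not a real DLL; the function and file names are my own.

```python
import struct
import sys

IMAGE_DOS_SIGNATURE = 0x5A4D            # "MZ"
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B   # PE32
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B   # PE32+
# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
# PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
FILE_HEADER = "<HHIIIHH"


def check_image(data, host_machine=IMAGE_FILE_MACHINE_I386):
    """Return (ok, reason) for the header checks made before an image is mapped,
    in the order they are applied: MZ signature, e_lfanew range, PE signature,
    machine type against the host process, optional-header magic, header size."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        return False, "no MZ signature"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 26 > len(data):              # 4 (PE\0\0) + 20 (file header) + 2 (Magic)
        return False, "e_lfanew 0x%X points outside the file" % e_lfanew
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False, "no PE signature at e_lfanew"
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(FILE_HEADER, data, e_lfanew + 4)
    if machine != host_machine:
        return False, "machine 0x%04X does not match host 0x%04X" % (machine, host_machine)
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    want = (IMAGE_NT_OPTIONAL_HDR64_MAGIC if host_machine == IMAGE_FILE_MACHINE_AMD64
            else IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    if magic != want:
        return False, "optional header magic 0x%X inconsistent with machine" % magic
    if nsections == 0 or opt_size < 2 or e_lfanew + 24 + opt_size > len(data):
        return False, "section table or optional header truncated"
    return True, "header consistent"


def check_file(path, host_machine=IMAGE_FILE_MACHINE_I386):
    """Apply check_image to the first 64 KiB of a file on disk (headers live there)."""
    with open(path, "rb") as f:
        return check_image(f.read(65536), host_machine)


def build_image(machine=IMAGE_FILE_MACHINE_I386, magic=IMAGE_NT_OPTIONAL_HDR32_MAGIC,
                e_lfanew=0x80, pe_sig=b"PE\0\0"):
    """Constructed minimal PE header (DOS header + NT headers, one section
    declared, no section data) used as test input; not a real DLL."""
    dos = bytearray(e_lfanew)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Characteristics 0x2102 = DLL | 32BIT_MACHINE | EXECUTABLE_IMAGE
    coff = struct.pack(FILE_HEADER, machine, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = struct.pack("<H", magic) + b"\0" * (0xE0 - 2)
    return bytes(dos) + pe_sig + coff + opt


if __name__ == "__main__":
    # Usage: python bad_image_check.py C:\Windows\System32\<the DLL from the dialog>
    for p in sys.argv[1:]:
        ok, why = check_file(p)
        print("%s: %s (%s)" % (p, "ok" if ok else "BAD IMAGE", why))
```

A DLL that passes these checks can still be corrupt or tampered with past the headers, so a "header consistent" result only rules out the architecture and truncation cases; the next comparison is the file's hash against a known-good copy of the same version, which is what sfc /scannow does for protected system files.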

#8 jollyrancher (Topic Starter)

Posted 08 June 2010 - 08:29 AM

Hi m0le,

I disabled my anti-virus programs. Downloaded ComboFix to my desktop. Tried running the comfix.exe (regular mode); when it reaches the box where it says "it will take 10 mins" this message pops up:

Windows command processor has stopped working...
A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available.

There was a close button at the end (I clicked on it) and it exited the ComboFix prog.

Note: I tried 4 times and got the same thing.

Edited by jollyrancher, 08 June 2010 - 08:37 AM.


#9 m0le

Posted 08 June 2010 - 04:27 PM

More suspicious...

Please run these two programs before trying Combofix again.

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


And

Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • Please post the resulting log in your next reply.

m0le is a proud member of UNITE

#10 jollyrancher (Topic Starter)

Posted 08 June 2010 - 05:16 PM

Ran both programs; here are the results. Hopefully I did it right, because both provided short logs.


exehelper log

exeHelper by Raktor
Build 20100414
Run at 16:52:58 on 06/08/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--




rkill log

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as SweetChocolateGirl on 06/08/2010 at 17:05:13.


Processes terminated by Rkill or while it was running:


C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\msfeedssync.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\SweetChocolateGirl\Desktop\rkill.scr


Rkill completed on 06/08/2010 at 17:05:21.


#11 m0le

Posted 08 June 2010 - 05:24 PM

Now run Combofix
m0le is a proud member of UNITE

#12 jollyrancher (Topic Starter)

Posted 08 June 2010 - 07:29 PM

*Whew* Finally!




ComboFix 10-06-08.02 - SweetChocolateGirl 06/08/2010 19:01:22.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1918.950 [GMT -5:00]
Running from: c:\users\SweetChocolateGirl\Desktop\ComFix.exe.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\SweetChocolateGirl\AppData\Roaming\.#

.
((((((((((((((((((((((((( Files Created from 2010-05-09 to 2010-06-09 )))))))))))))))))))))))))))))))
.

2010-06-09 00:11 . 2010-06-09 00:11 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-06-09 00:11 . 2010-06-09 00:11 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-06-09 00:11 . 2010-06-09 00:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-08 13:07 . 2010-06-08 13:07 -------- d-----w- c:\users\SweetChocolateGirl\AppData\Roaming\Avira
2010-06-02 12:21 . 2010-05-21 19:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-06-01 21:19 . 2010-06-07 00:24 -------- d-----w- c:\program files\McAfee Security Scan
2010-05-31 17:58 . 2010-05-31 17:58 -------- d-----w- c:\program files\TweetDeck
2010-05-31 17:22 . 2010-05-31 17:21 38784 ----a-w- c:\users\SweetChocolateGirl\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-05-31 17:22 . 2010-05-31 17:22 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-05-31 16:26 . 2010-05-31 23:14 -------- d-----w- c:\program files\Windows Live Safety Center
2010-05-31 16:18 . 2010-04-23 14:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-31 13:22 . 2010-05-31 13:22 -------- d-----w- c:\users\SweetChocolateGirl\AppData\Roaming\McAfee
2010-05-12 11:07 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-10 13:28 . 2010-04-12 22:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-10 02:08 . 2010-05-10 02:13 -------- d-----w- c:\users\SweetChocolateGirl\AppData\Roaming\Nikon
2010-05-10 02:06 . 2010-05-10 02:06 49152 ----a-r- c:\users\SweetChocolateGirl\AppData\Roaming\Microsoft\Installer\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\ARPPRODUCTICON.exe
2010-05-10 02:04 . 2010-05-10 02:04 335872 ----a-r- c:\users\SweetChocolateGirl\AppData\Roaming\Microsoft\Installer\{237CD223-1B9D-47E8-A76C-E478B83CCEA2}\ARPPRODUCTICON.exe
2010-05-10 01:49 . 2010-05-10 02:13 -------- d-----w- c:\program files\Common Files\Nikon
2010-05-10 01:49 . 2010-05-10 01:49 -------- d-----w- c:\programdata\Nikon
2010-05-10 01:49 . 2010-05-10 01:49 -------- d-----w- c:\program files\Nikon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-08 12:33 . 2009-07-13 03:42 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-07 20:30 . 2010-02-07 23:50 -------- d-----w- c:\users\SweetChocolateGirl\AppData\Roaming\Skype
2010-06-07 17:50 . 2010-03-23 16:38 -------- d-----w- c:\users\SweetChocolateGirl\AppData\Roaming\Free Audio Editor
2010-06-07 15:38 . 2009-04-11 21:42 -------- d-----w- c:\users\SweetChocolateGirl\AppData\Roaming\skypePM
2010-06-07 15:00 . 2009-02-03 21:43 -------- d-----w- c:\programdata\Microsoft Help
2010-06-07 00:59 . 2009-11-11 16:31 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-06-07 00:59 . 2009-11-11 16:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-05 13:04 . 2008-03-12 12:19 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-03 15:46 . 2010-03-26 20:45 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2010-05-31 23:57 . 2009-07-18 13:44 -------- d-----w- c:\program files\CCleaner
2010-05-31 17:35 . 2009-11-28 03:17 -------- d-----w- c:\program files\Microsoft
2010-05-31 16:51 . 2008-03-01 02:11 -------- d-----w- c:\program files\SpywareBlaster
2010-05-31 13:21 . 2009-08-31 02:48 -------- d-----w- c:\program files\McAfee
2010-05-31 13:21 . 2009-08-31 02:31 -------- d-----w- c:\programdata\McAfee
2010-05-26 03:06 . 2010-05-10 01:48 20 ---h--w- c:\programdata\PKP_DLdu.DAT
2010-05-13 18:21 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-10 15:56 . 2010-02-16 03:30 -------- d-----w- c:\program files\Paltalk Messenger Interop
2010-05-10 13:28 . 2007-11-15 20:01 -------- d-----w- c:\program files\Java
2010-05-10 01:48 . 2010-05-10 01:48 -------- d-----w- c:\programdata\Ultima_T15
2010-05-10 01:48 . 2010-05-10 01:48 -------- d-----w- c:\programdata\Sync Schema
2010-05-10 01:48 . 2010-05-10 01:48 -------- d-----w- c:\programdata\EnterNHelp
2010-05-10 01:48 . 2003-03-19 17:05 106496 ----a-w- c:\windows\system32\ATL71.DLL
2010-05-10 01:45 . 2008-11-01 15:10 -------- d-----w- c:\program files\ArcSoft
2010-05-10 01:45 . 2007-11-15 19:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-26 12:57 . 2010-04-26 12:57 -------- d-----w- c:\program files\Common Files\Skype
2010-04-26 12:43 . 2010-04-26 12:43 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-04-23 14:08 . 2010-04-23 14:08 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-04-18 05:07 . 2010-04-18 05:07 -------- d-----w- c:\users\Guest\AppData\Roaming\Logitech
2010-04-14 19:50 . 2010-02-25 22:11 -------- d-----w- c:\program files\CoffeeCup Software
2010-04-14 15:58 . 2010-04-14 15:58 262144 ----a-w- c:\programdata\ntuser.dat
2010-04-14 15:58 . 2008-02-29 05:54 -------- d-----w- c:\programdata\Yahoo!
2010-04-14 15:58 . 2007-11-15 20:11 -------- d-----w- c:\program files\Yahoo!
2010-04-14 15:57 . 2008-02-29 05:54 -------- d-----w- c:\users\SweetChocolateGirl\AppData\Roaming\Yahoo!
2010-04-14 15:57 . 2010-01-21 18:51 -------- d-----w- c:\programdata\Yahoo! Companion
2010-04-12 00:12 . 2007-11-15 20:01 -------- d-----w- c:\program files\Common Files\Java
2010-04-10 21:01 . 2010-02-16 03:25 -------- d-----w- c:\program files\Paltalk Messenger
2008-03-02 22:05 . 2008-03-02 22:05 22 --sha-w- c:\windows\SMINST\HPCD.sys
2007-11-15 19:12 . 2007-11-15 19:06 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-28 2012912]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\YspService.exe" [2010-04-01 243000]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-22 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-22 92704]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"LVCOMS"="c:\windows\system32\LVCOMS.EXE" [2002-12-10 127022]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-01-27 1312848]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-09-30 485208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"PCDrProfiler"="c:\program files\PC-Doctor 5 for Windows\RunProfiler.exe" [2007-06-25 73728]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-10-09 44168]

c:\users\SweetChocolateGirl\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
PalTalk.lnk - c:\program files\Paltalk Messenger\paltalk.exe [2010-4-1 11554816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-10-25 18:34 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareTerminatorUpdate

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
2010-03-08 21:04 3972440 ----a-w- c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-11-10 21:39 5244216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 22:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-04-06 07:27 26102056 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
2008-05-02 04:15 15872 ----a-w- c:\program files\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):d2,b9,eb,31,66,3e,ca,01

R2 gupdate1caa3c9aa23bf7d;Google Update Service (gupdate1caa3c9aa23bf7d);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 133104]
R3 AVEO;AVEO USB2.0 PC Camera;c:\windows\system32\DRIVERS\AVEOdcnt.sys [2008-05-27 171520]
R3 ldiskl;ldiskl;c:\users\SWEETC~1\AppData\Local\Temp\ldiskl.sys [x]
R3 QCPro;Logitech QuickCam Pro USB(PID_D001);c:\windows\system32\DRIVERS\p35u.sys [2002-12-10 116480]
R4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-28 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2010-02-28 66632]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-12-08 93320]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-28 12872]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-06-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 05:35]

2010-06-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 05:35]

2010-04-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 17:22]

2010-05-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 17:22]

2010-06-09 c:\windows\Tasks\User_Feed_Synchronization-{321BBE8D-79B9-443A-8738-E2E920A405E1}.job
- c:\windows\system32\msfeedssync.exe [2008-06-24 07:33]

2010-06-09 c:\windows\Tasks\User_Feed_Synchronization-{4E77E843-A643-42D9-AF53-6920163066FC}.job
- c:\windows\system32\msfeedssync.exe [2008-06-24 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send Image to Photo Library - file://c:\program files\MGI\MGI PhotoSuite II\Temp\MGI00000.html
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\SweetChocolateGirl\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
LSP: c:\windows\system32\wpclsp.dll
FF - ProfilePath - c:\users\SweetChocolateGirl\AppData\Roaming\Mozilla\Firefox\Profiles\0b62o0mi.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL -
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSeymour.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\plugins\nphpclipbook.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\SweetChocolateGirl\AppData\Local\Yahoo!\BrowserPlus\2.7.1\Plugins\npybrowserplus_2.7.1.dll
FF - plugin: c:\users\SweetChocolateGirl\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(yahoo.ytff.general.dontshowhpoffer, true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-08 19:12
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-863868791-3908032512-3369032223-1000\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(4752)
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\program files\Pure Networks\Network Magic\nmrsrc.dll
.
Completion time: 2010-06-08 19:16:00
ComboFix-quarantined-files.txt 2010-06-09 00:15

Pre-Run: 268,267,130,880 bytes free
Post-Run: 268,211,662,848 bytes free

- - End Of File - - 393FC3EB37B986B855FAB66E5A5ACCAE


#13 m0le

Posted 08 June 2010 - 07:44 PM

Okay, one more run of Combofix now (any problems use Rkill again first)

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\users\SWEETC~1\AppData\Local\Temp\ldiskl.sys

Driver::
ldiskl


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE
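The entry m0le is removing here is the R3 ldiskl line in the ComboFix log above: a demand-start driver whose image path is inside the user's AppData\Local\Temp, and which ComboFix printed with [x] in place of the usual date and size, i.e. it could not find the file. A driver registered from a temp directory is worth flagging regardless of what else the log says. The script below is an added example, not code from this thread or from ComboFix: it parses lines in ComboFix's service format, flags entries by three rules (image missing, image under a temp directory, driver outside the usual driver directories) and emits a script in the same File::/Driver:: form as m0le's for the temp-directory hits only. The sample lines are copied from the log above; the rules, the reading of [x] as "file not found", and the helper names are mine.

```python
import re

# Service/driver lines copied from the ComboFix log above. Format:
# "<R|S><start type> <name>;<display name>;<image path> [<date size> | x]"
# where R = running, S = stopped and the digit is the service start type.
SAMPLE_SERVICES = r"""
R2 gupdate1caa3c9aa23bf7d;Google Update Service (gupdate1caa3c9aa23bf7d);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 133104]
R3 AVEO;AVEO USB2.0 PC Camera;c:\windows\system32\DRIVERS\AVEOdcnt.sys [2008-05-27 171520]
R3 ldiskl;ldiskl;c:\users\SWEETC~1\AppData\Local\Temp\ldiskl.sys [x]
R4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-28 12872]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
"""

SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}
# My own heuristics: nothing legitimate should load from here ...
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")
# ... and drivers normally live in one of these (security products ship
# theirs under Program Files, as SUPERAntiSpyware's SAS*.sys above do).
DRIVER_DIRS = ("\\windows\\system32\\drivers\\", "\\program files\\", "\\program files (x86)\\")


def parse_services(text):
    """One dict per service line; anything that does not match is skipped."""
    rows = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            rows.append({
                "name": m["name"], "display": m["display"], "path": m["path"],
                "running": m["state"] == "R", "start": START_TYPES[int(m["start"])],
                "file_missing": m["meta"] == "x",   # ComboFix prints [x] when it cannot find the file
            })
    return rows


def triage(text):
    """Return the services worth a second look, each with the reasons."""
    flagged = []
    for s in parse_services(text):
        low = s["path"].lower()
        reasons = []
        if s["file_missing"]:
            reasons.append("file-missing")
        if any(t in low for t in TEMP_MARKERS):
            reasons.append("temp-path")
        if low.endswith(".sys") and not any(d in low for d in DRIVER_DIRS):
            reasons.append("driver-outside-standard-dirs")
        if reasons:
            flagged.append(dict(s, reasons=reasons))
    return flagged


def make_cfscript(flagged):
    """Build a File::/Driver:: script for entries loading from a temp directory.
    A merely missing file (typically an orphan left by an uninstaller, like the
    PCPitstop entry) is reported but not put in the script."""
    targets = [s for s in flagged if "temp-path" in s["reasons"]]
    if not targets:
        return ""
    files = "\n".join(s["path"] for s in targets)
    drivers = "\n".join(s["name"] for s in targets if s["path"].lower().endswith(".sys"))
    script = "File::\n%s\n" % files
    if drivers:
        script += "\nDriver::\n%s\n" % drivers
    return script


if __name__ == "__main__":
    hits = triage(SAMPLE_SERVICES)
    for s in hits:
        print("%-22s %-8s %s  <- %s" % (s["name"], s["start"], s["path"], ", ".join(s["reasons"])))
    print(make_cfscript(hits))
```

Run over the whole services block of a ComboFix log, the output of triage is the short list an analyst actually reads; the generated script reproduces the two directives m0le wrote by hand for ldiskl, and deliberately leaves the [x]-only PCPitstop entry to a human.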

#14 jollyrancher (Topic Starter)

Posted 08 June 2010 - 08:58 PM

Hiya m0le, I was able to run the ComboFix without any probs.


ComboFix 10-06-08.02 - SweetChocolateGirl 06/08/2010 20:23:38.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1918.963 [GMT -5:00]
Running from: c:\users\SweetChocolateGirl\Desktop\ComFix.exe.exe
Command switches used :: c:\users\SweetChocolateGirl\Desktop\CFScript.txt.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\users\SWEETC~1\AppData\Local\Temp\ldiskl.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LDISKL
-------\Service_ldiskl


((((((((((((((((((((((((( Files Created from 2010-05-09 to 2010-06-09 )))))))))))))))))))))))))))))))
.

2010-06-09 01:34 . 2010-06-09 01:34 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-06-09 01:34 . 2010-06-09 01:34 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-06-09 01:34 . 2010-06-09 01:34 -------- d-----w- c:\users\Martumaa Ali\AppData\Local\temp
2010-06-09 01:34 . 2010-06-09 01:34 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-06-09 01:34 . 2010-06-09 01:34 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-09 01:20 . 2010-06-09 01:20 -------- d-----w- C:\32788R22FWJFW
2010-06-08 13:07 . 2010-06-08 13:07 -------- d-----w- c:\users\SweetChocolateGirl\AppData\Roaming\Avira
2010-06-02 12:21 . 2010-05-21 19:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-06-01 21:19 . 2010-06-07 00:24 -------- d-----w- c:\program files\McAfee Security Scan
2010-05-31 17:58 . 2010-05-31 17:58 -------- d-----w- c:\program files\TweetDeck
2010-05-31 17:22 . 2010-05-31 17:22 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-05-31 16:26 . 2010-05-31 23:14 -------- d-----w- c:\program files\Windows Live Safety Center
2010-05-31 16:18 . 2010-04-23 14:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-31 13:22 . 2010-05-31 13:22 -------- d-----w- c:\users\SweetChocolateGirl\AppData\Roaming\McAfee
2010-05-12 11:07 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-10 13:28 . 2010-04-12 22:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-10 02:08 . 2010-05-10 02:13 -------- d-----w- c:\users\SweetChocolateGirl\AppData\Roaming\Nikon
2010-05-10 01:49 . 2010-05-10 02:13 -------- d-----w- c:\program files\Common Files\Nikon
2010-05-10 01:49 . 2010-05-10 01:49 -------- d-----w- c:\programdata\Nikon
2010-05-10 01:49 . 2010-05-10 01:49 -------- d-----w- c:\program files\Nikon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-08 12:33 . 2009-07-13 03:42 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-07 20:30 . 2010-02-07 23:50 -------- d-----w- c:\users\SweetChocolateGirl\AppData\Roaming\Skype
2010-06-07 17:50 . 2010-03-23 16:38 -------- d-----w- c:\users\SweetChocolateGirl\AppData\Roaming\Free Audio Editor
2010-06-07 15:38 . 2009-04-11 21:42 -------- d-----w- c:\users\SweetChocolateGirl\AppData\Roaming\skypePM
2010-06-07 15:00 . 2009-02-03 21:43 -------- d-----w- c:\programdata\Microsoft Help
2010-06-07 00:59 . 2009-11-11 16:31 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-06-07 00:59 . 2009-11-11 16:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-05 13:04 . 2008-03-12 12:19 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-03 15:46 . 2010-03-26 20:45 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2010-05-31 23:57 . 2009-07-18 13:44 -------- d-----w- c:\program files\CCleaner
2010-05-31 17:35 . 2009-11-28 03:17 -------- d-----w- c:\program files\Microsoft
2010-05-31 17:21 . 2010-05-31 17:22 38784 ----a-w- c:\users\SweetChocolateGirl\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-05-31 16:51 . 2008-03-01 02:11 -------- d-----w- c:\program files\SpywareBlaster
2010-05-31 13:21 . 2009-08-31 02:48 -------- d-----w- c:\program files\McAfee
2010-05-31 13:21 . 2009-08-31 02:31 -------- d-----w- c:\programdata\McAfee
2010-05-26 03:06 . 2010-05-10 01:48 20 ---h--w- c:\programdata\PKP_DLdu.DAT
2010-05-13 18:21 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-10 15:56 . 2010-02-16 03:30 -------- d-----w- c:\program files\Paltalk Messenger Interop
2010-05-10 13:28 . 2007-11-15 20:01 -------- d-----w- c:\program files\Java
2010-05-10 02:06 . 2010-05-10 02:06 49152 ----a-r- c:\users\SweetChocolateGirl\AppData\Roaming\Microsoft\Installer\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\ARPPRODUCTICON.exe
2010-05-10 02:04 . 2010-05-10 02:04 335872 ----a-r- c:\users\SweetChocolateGirl\AppData\Roaming\Microsoft\Installer\{237CD223-1B9D-47E8-A76C-E478B83CCEA2}\ARPPRODUCTICON.exe
2010-05-10 01:48 . 2010-05-10 01:48 -------- d-----w- c:\programdata\Ultima_T15
2010-05-10 01:48 . 2010-05-10 01:48 -------- d-----w- c:\programdata\Sync Schema
2010-05-10 01:48 . 2010-05-10 01:48 -------- d-----w- c:\programdata\EnterNHelp
2010-05-10 01:48 . 2003-03-19 17:05 106496 ----a-w- c:\windows\system32\ATL71.DLL
2010-05-10 01:45 . 2008-11-01 15:10 -------- d-----w- c:\program files\ArcSoft
2010-05-10 01:45 . 2007-11-15 19:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-26 12:57 . 2010-04-26 12:57 -------- d-----w- c:\program files\Common Files\Skype
2010-04-26 12:43 . 2010-04-26 12:43 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-04-23 14:08 . 2010-04-23 14:08 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-04-18 05:07 . 2010-04-18 05:07 -------- d-----w- c:\users\Guest\AppData\Roaming\Logitech
2010-04-14 19:50 . 2010-02-25 22:11 -------- d-----w- c:\program files\CoffeeCup Software
2010-04-14 15:58 . 2010-04-14 15:58 262144 ----a-w- c:\programdata\ntuser.dat
2010-04-14 15:58 . 2008-02-29 05:54 -------- d-----w- c:\programdata\Yahoo!
2010-04-14 15:58 . 2007-11-15 20:11 -------- d-----w- c:\program files\Yahoo!
2010-04-14 15:57 . 2008-02-29 05:54 -------- d-----w- c:\users\SweetChocolateGirl\AppData\Roaming\Yahoo!
2010-04-14 15:57 . 2010-01-21 18:51 -------- d-----w- c:\programdata\Yahoo! Companion
2010-04-12 00:12 . 2007-11-15 20:01 -------- d-----w- c:\program files\Common Files\Java
2010-04-10 21:01 . 2010-02-16 03:25 -------- d-----w- c:\program files\Paltalk Messenger
2008-03-02 22:05 . 2008-03-02 22:05 22 --sha-w- c:\windows\SMINST\HPCD.sys
2007-11-15 19:12 . 2007-11-15 19:06 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-28 2012912]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\YspService.exe" [2010-04-01 243000]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-22 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-22 92704]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"LVCOMS"="c:\windows\system32\LVCOMS.EXE" [2002-12-10 127022]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-01-27 1312848]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-09-30 485208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"PCDrProfiler"="c:\program files\PC-Doctor 5 for Windows\RunProfiler.exe" [2007-06-25 73728]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-10-09 44168]

c:\users\SweetChocolateGirl\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
PalTalk.lnk - c:\program files\Paltalk Messenger\paltalk.exe [2010-4-1 11554816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-10-25 18:34 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
2010-03-08 21:04 3972440 ----a-w- c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-11-10 21:39 5244216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 22:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-04-06 07:27 26102056 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
2008-05-02 04:15 15872 ----a-w- c:\program files\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(cool.gif:d2,b9,eb,31,66,3e,ca,01

R2 gupdate1caa3c9aa23bf7d;Google Update Service (gupdate1caa3c9aa23bf7d);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 133104]
R3 AVEO;AVEO USB2.0 PC Camera;c:\windows\system32\DRIVERS\AVEOdcnt.sys [2008-05-27 171520]
R3 QCPro;Logitech QuickCam Pro USB(PID_D001);c:\windows\system32\DRIVERS\p35u.sys [2002-12-10 116480]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-28 12872]
R4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-28 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2010-02-28 66632]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-12-08 93320]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-06-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 05:35]

2010-06-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 05:35]

2010-04-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 17:22]

2010-05-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 17:22]

2010-06-09 c:\windows\Tasks\User_Feed_Synchronization-{321BBE8D-79B9-443A-8738-E2E920A405E1}.job
- c:\windows\system32\msfeedssync.exe [2008-06-24 07:33]

2010-06-09 c:\windows\Tasks\User_Feed_Synchronization-{4E77E843-A643-42D9-AF53-6920163066FC}.job
- c:\windows\system32\msfeedssync.exe [2008-06-24 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send Image to Photo Library - file://c:\program files\MGI\MGI PhotoSuite II\Temp\MGI00000.html
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\SweetChocolateGirl\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
LSP: c:\windows\system32\wpclsp.dll
FF - ProfilePath - c:\users\SweetChocolateGirl\AppData\Roaming\Mozilla\Firefox\Profiles\0b62o0mi.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL -
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSeymour.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\plugins\nphpclipbook.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\SweetChocolateGirl\AppData\Local\Yahoo!\BrowserPlus\2.7.1\Plugins\npybrowserplus_2.7.1.dll
FF - plugin: c:\users\SweetChocolateGirl\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(yahoo.ytff.general.dontshowhpoffer, true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-863868791-3908032512-3369032223-1000\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3132)
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\program files\Pure Networks\Network Magic\nmrsrc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\rundll32.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\sdclt.exe
.
**************************************************************************
.
Completion time: 2010-06-08 20:47:33 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-09 01:47
ComboFix2.txt 2010-06-09 00:16

Pre-Run: 267,910,782,976 bytes free
Post-Run: 267,444,023,296 bytes free

- - End Of File - - E8D4D34A40DAE99996D4AC6A37199A0F

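The ComboFix log above is, for triage purposes, mostly an inventory of autostart locations: Run/RunOnce values, services (the `R2`/`S2` lines) and scheduled tasks. What an analyst does with it by hand is scan each entry for the things that usually matter: a bare filename with no directory (which the loader resolves through the search path), a target sitting in a user-writable location, or a service whose binary is no longer on disk (ComboFix prints `[x]` in place of the date and size). The following Python script is an added example, not part of the original thread and not ComboFix's own code; it parses those three section types out of a ComboFix-style log and flags such entries. The sample input is constructed in the shape of the log sections on this page; the `Updater` line is an invented entry included only to exercise the user-writable rule and does not appear in the posted log. The flag rules are my own heuristics and mean "look at this", not "this is malware".

```python
"""Triage autostart entries from a ComboFix-style log (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the "Reg Loading Points", service and
# "Scheduled Tasks" sections of a ComboFix log. The "Updater" value is an
# invented line for demonstration; it is not from the posted log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"Updater"="c:\users\SweetChocolateGirl\AppData\Local\temp\svchost.exe" [2010-06-08 45056]

R2 gupdate1caa3c9aa23bf7d;Google Update Service (gupdate1caa3c9aa23bf7d);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 133104]
R4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [x]

2010-06-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 05:35]
"""


@dataclass
class Entry:
    kind: str                      # "run", "service" or "task"
    name: str                      # value name, service name or .job path
    path: str                      # executable the entry points at
    flags: list = field(default_factory=list)


KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$", re.I)
# "Name"="path" [date size]  -- Run/RunOnce values as ComboFix prints them
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[([^\]]*)\]')
# R2 name;display name;path [date size]   or   ... path [x] when the file is gone
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);[^;]*;(.+?)\s*\[([^\]]*)\]\s*$")
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(.+\.job)\s*$", re.I)
TASK_TARGET_RE = re.compile(r"^-\s+(.+?)\s*\[([^\]]*)\]\s*$")
# Heuristic (my assumption): anything under a user profile, AppData or a temp
# directory is writable without elevation and deserves a second look.
USER_WRITABLE_RE = re.compile(r"\\(users|appdata|temp)\\", re.I)


def _flags(path: str, meta: str) -> list:
    flags = []
    if meta.strip().lower() == "x":
        flags.append("file missing on disk")
    if path and "\\" not in path:
        flags.append("unqualified path; resolved by search order")
    if USER_WRITABLE_RE.search(path):
        flags.append("user-writable location")
    return flags


def parse(text: str) -> list:
    """Return every Run/RunOnce value, service and scheduled task in the log."""
    entries, current_key, pending_task = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current_key and re.search(r"\\run(once)?$", current_key, re.I):
            entries.append(Entry("run", m.group(1), m.group(2), _flags(m.group(2), m.group(3))))
            continue
        m = SERVICE_RE.match(line)
        if m:
            entries.append(Entry("service", m.group(2), m.group(3), _flags(m.group(3), m.group(4))))
            continue
        m = TASK_RE.match(line)
        if m:
            pending_task = m.group(1)   # target is on the following "- path [..]" line
            continue
        m = TASK_TARGET_RE.match(line)
        if m and pending_task:
            entries.append(Entry("task", pending_task, m.group(1), _flags(m.group(1), m.group(2))))
            pending_task = None
    return entries


def suspicious(text: str) -> list:
    """Only the entries that tripped at least one heuristic."""
    return [e for e in parse(text) if e.flags]


if __name__ == "__main__":
    for e in suspicious(SAMPLE_LOG):
        print(f"{e.kind:8} {e.name:40} {e.path}\n         -> {', '.join(e.flags)}")
```

Run it against a saved ComboFix log with `parse(open("ComboFix.txt").read())`; on the constructed sample it flags the two bare filenames, the invented temp-directory value and the service whose binary is gone, and stays quiet about the fully qualified Program Files entries. An unqualified path or an AppData target is common for legitimate software too, so the output is a reading list, not a verdict.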

#15 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:08:14 AM

Posted 09 June 2010 - 02:53 PM

That looks good.

Please run an online scanner

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Leave the top box checked and then check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

Please also let me know if there are any problems now.

Thanks
m0le is a proud member of UNITE



