
Infected with Trojan.Rootkit nczfjud.sys


  • This topic is locked
13 replies to this topic

#1 lawrencep

lawrencep

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:03:26 AM

Posted 18 June 2010 - 11:50 AM

I run MBAM weekly and found a file--nczfjud.sys--that could not be removed. I also ran ESET and it found:

C:\simplex.exe Win32/Adware.Lifze application
C:\SDFix\apps\Process.exe Win32/PrcView application
C:\WINDOWS\apacakih.dll a variant of Win32/Cimag.CK trojan
Operating memory a variant of Win32/Cimag.CK trojan

I'm getting some random redirects and IE windows that will pop up and disappear.

Thanks for the help.

Patrick

DDS (Ver_09-02-01.01) - NTFSx86
Run by Patrick Lawrence at 16:08:28.04 on Sat 03/14/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3539.2143 [GMT -4:00]

AV: Total Protection for Small Business *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\Program Files\Fingerprint Sensor\AtService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r205445\stacsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\McAfee\Managed VirusScan\Agent\swAgent.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\Program Files\Ateksoft\WebCamera Plus\WebCamPlusSrv.exe
C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\SONICW~1\SONICW~1\mantispm.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\NBC Direct\DirectPlayerCore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgttry.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Patrick Lawrence\Desktop\Malware\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Matador] "c:\progra~1\sonicw~1\sonicw~1\mantispm.exe" -quiet
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [Pando Media Booster] "c:\program files\pando networks\media booster\PMB.exe"
uRun: [DirectPlayerCore] "c:\program files\nbc direct\DirectPlayerCore.exe"
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [ChangeTPMAuth] c:\program files\wave systems corp\common\ChangeTPMAuth.exe /T:NTRU12
mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe
mRun: [SecureUpgrade] "c:\program files\wave systems corp\SecureUpgrade.exe"
mRun: [EmbassySecurityCheck] "c:\program files\wave systems corp\embassy security setup\EMBASSYSecurityCheck.exe"
mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"
mRun: [USCService] c:\program files\dell\dell controlpoint\security manager\BcmDeviceAndTaskStatusService.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [MVS Splash] "c:\program files\mcafee\managed virusscan\agent\Splash.exe"
mRun: [McAfee Managed Services Tray] "c:\program files\mcafee\managed virusscan\agent\StartMyagtTry.exe"
mRun: [Act.Outlook.Service] "c:\program files\act\act for windows\Act.Outlook.Service.exe"
mRun: [Act! Preloader] "c:\program files\act\act for windows\ActSage.exe" -preload
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellco~1.lnk - c:\program files\dell\dell controlpoint\system manager\DCPSysMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: //about.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Update.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/mygarmin/m/GarminAxControl.CAB
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233061058062
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: myrm - {4D034FC3-013F-4b95-B544-44D49ABE3E76} - c:\program files\mcafee\managed virusscan\agent\MyRmProt4.7.0.566.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 wvauth

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-28 201320]
R2 ATService;AuthenTec Fingerprint Service;c:\program files\fingerprint sensor\AtService.exe [2008-6-27 1664248]
R2 BrcmMgmtAgent;Broadcom Management Agent;c:\program files\broadcom\mgmtagent\BrcmMgmtAgent.exe [2008-7-1 110592]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2008-9-4 406808]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2008-11-11 451872]
R2 EngineServer;EngineServer;c:\program files\mcafee\managed virusscan\vscan\EngineServer.exe [2009-1-28 14144]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-8-5 29184016]
R2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\mcafee\managed virusscan\agent\myAgtSvc.exe [2009-1-28 169280]
R2 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [2009-1-28 78640]
R2 SWAGENT;SonicWALL Agent Service;c:\program files\mcafee\managed virusscan\agent\swAgent.exe [2009-1-28 69632]
R2 Webcamera Plus Service;Webcamera Plus Service;c:\program files\ateksoft\webcamera plus\WebCamPlusSrv.exe [2009-2-5 46592]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-1-17 112128]
R3 AteksoftAudio;WebCamera Plus Audio;c:\windows\system32\drivers\ateksoftaudio.sys [2009-2-5 11776]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-1-17 110080]
R3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [2009-1-28 23180]
S2 ACT! Scheduler;ACT! Scheduler;c:\program files\act\act for windows\Act.Scheduler.exe [2008-7-31 81920]
S3 McShield;McShield;c:\progra~1\mcafee\manage~1\vscan\McShield.exe [2009-1-28 144704]
S3 MfeAVFK;McAfee Inc. MfeAVFK;c:\windows\system32\drivers\MfeAVFK.sys [2009-1-28 79304]
S3 MfeBOPK;McAfee Inc. MfeBOPK;c:\windows\system32\drivers\MfeBOPK.sys [2009-1-28 35240]
S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\MfeRKDK.sys [2009-1-28 33832]

=============== Created Last 30 ================

2009-03-05 20:00 <DIR> --d----- C:\ComboFix
2009-03-05 17:19 <DIR> --d----- c:\program files\Trend Micro
2009-03-05 16:52 <DIR> a-dshr-- C:\cmdcons
2009-03-05 16:08 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-03-05 16:07 <DIR> --d----- c:\windows\ERUNT
2009-03-05 14:46 <DIR> --d----- C:\SDFix
2009-03-05 13:26 161,792 a------- c:\windows\SWREG.exe
2009-03-05 13:26 98,816 a------- c:\windows\sed.exe
2009-03-05 10:25 143,360 a------- c:\windows\system32\bcmwlapi.dll
2009-03-02 21:37 <DIR> --d----- c:\docume~1\patric~1\applic~1\GARMIN
2009-02-25 12:30 28 a------- c:\windows\pdf995.ini
2009-02-25 12:29 249,856 a------- c:\windows\system32\pdfmona.dll
2009-02-25 12:29 51,716 a------- c:\windows\system32\pdf995mon.dll
2009-02-25 12:29 142 a------- c:\windows\wpd99.drv
2009-02-25 12:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\pdf995
2009-02-25 00:24 5,632 a------- c:\windows\system32\ptpusb.dll
2009-02-25 00:24 159,232 a------- c:\windows\system32\ptpusd.dll
2009-02-21 21:25 <DIR> --d----- c:\windows\system32\NtmsData
2009-02-20 13:38 <DIR> --d----- c:\docume~1\patric~1\applic~1\LimeWire
2009-02-20 12:22 <DIR> --d----- c:\docume~1\patric~1\applic~1\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-02-20 12:10 <DIR> --d----- c:\program files\Carbonite
2009-02-20 12:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Carbonite
2009-02-19 17:07 <DIR> --d----- c:\program files\Deskperience
2009-02-19 17:07 <DIR> --d----- c:\docume~1\patric~1\applic~1\Deskperience
2009-02-18 11:38 267,864 a----r-- C:\hpzids01.dll
2009-02-18 11:37 6,784 ac------ c:\windows\system32\dllcache\serscan.sys
2009-02-18 11:37 6,784 a------- c:\windows\system32\drivers\serscan.sys
2009-02-16 12:45 <DIR> --d----- c:\program files\IrfanView
2009-02-15 12:43 <DIR> --d----- c:\docume~1\patric~1\applic~1\TaxCut
2009-02-15 12:13 <DIR> --d----- c:\program files\PDF995
2009-02-15 12:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\TaxCut
2009-02-15 12:10 <DIR> --d----- c:\program files\TaxCut08
2009-02-15 12:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Amazon
2009-02-13 10:56 <DIR> --d----- c:\docume~1\patric~1\applic~1\NBC Direct
2009-02-13 10:55 <DIR> --d----- c:\docume~1\patric~1\applic~1\IDM
2009-02-13 10:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PMB Files
2009-02-13 10:55 <DIR> --d----- c:\program files\Pando Networks
2009-02-13 10:55 <DIR> a-d----- c:\program files\NBC Direct
2009-02-13 10:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NBC Direct

==================== Find3M ====================

2009-03-13 23:23 2,098 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-03-05 10:25 2,670,592 a------- c:\windows\system32\WLBCGCBPRO731.DLL
2009-03-05 10:25 2,220,032 a------- c:\windows\system32\WLTRAY.EXE
2009-03-05 10:25 65,536 a------- c:\windows\system32\wltrynt.dll
2009-03-05 10:25 24,064 a------- c:\windows\system32\WLTRYSVC.EXE
2009-03-05 10:25 1,961,984 a------- c:\windows\system32\BCMWLTRY.EXE
2009-03-05 10:25 1,287,552 a------- c:\windows\system32\drivers\BCMWL5.SYS
2009-03-05 10:25 286,720 a------- c:\windows\system32\bcmwlu00.exe
2009-03-05 10:25 69,632 a------- c:\windows\system32\bcmwlpkt.dll
2009-03-05 10:25 33,664 a------- c:\windows\system32\drivers\BCMWLNPF.SYS
2009-03-05 10:25 815,104 a------- c:\windows\system32\BCMLogon.dll
2009-03-05 10:25 753,664 a------- c:\windows\system32\bcm1xsup.dll
2009-02-18 11:40 147,624 a------- c:\windows\hpoins21.dat
2009-02-11 11:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 11:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-28 13:48 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-28 13:08 726,008 a------- c:\documents and settings\patrick lawrence\gotomypc_437.exe
2009-01-28 12:44 88 ---shr-- c:\docume~1\alluse~1\applic~1\F945FC7431.sys
2009-01-17 14:27 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_Apfiltr_01005.Wdf
2009-01-17 14:27 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-01-17 10:23 3,635 a------- c:\windows\system32\drivers\1028_Dell_LAT_FS5.mrk
2009-01-17 08:31 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-20 19:15 826,368 a------- c:\windows\system32\wininet.dll

============= FINISH: 16:08:41.12 ===============

Attached Files
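The DDS sections in the post above (SERVICES / DRIVERS, Created Last 30, Find3M) have a regular line shape, so a small parser makes them easier to triage. The following is an added example, not code from BleepingComputer or from the DDS tool: it parses lines in that shape and pulls out two things a helper typically looks at first, kernel-mode drivers that load from somewhere other than system32\drivers, and files that carry both the system and hidden attributes. The sample is constructed from lines quoted in the log above plus one invented `examplesvc` driver line, and the checks produce a review queue, not a verdict (hidden system files such as licensing stubs are often legitimate).

```python
"""Triage helper for DDS-style log sections (added example, not the DDS tool's own code)."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the shape of the DDS sections quoted above. The first
# driver lines and the Find3M lines are copied from that log; the 'examplesvc'
# line is invented to exercise the "driver outside system32\drivers" check.
SAMPLE_LOG = """\
============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\\windows\\system32\\drivers\\mfehidk.sys [2009-1-28 201320]
R2 RCFOX;SonicWALL IPsec Driver;c:\\windows\\system32\\drivers\\RCFOX.SYS [2009-1-28 78640]
S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\\windows\\system32\\drivers\\MfeRKDK.sys [2009-1-28 33832]
R1 examplesvc;Constructed example driver;c:\\windows\\system32\\examplesvc.sys [2010-6-18 4096]

==================== Find3M ====================

2009-03-13 23:23 2,098 a--sh--- c:\\docume~1\\alluse~1\\applic~1\\KGyGaAvL.sys
2009-03-05 10:25 24,064 a------- c:\\windows\\system32\\WLTRYSVC.EXE
2009-02-20 13:38 <DIR> --d----- c:\\docume~1\\patric~1\\applic~1\\LimeWire
2009-01-28 12:44 88 ---shr-- c:\\docume~1\\alluse~1\\applic~1\\F945FC7431.sys
"""

# "R1 name;display;path [yyyy-m-d size]"  (R = running, S = stopped; digit = start type)
DRIVER_RE = re.compile(
    r"^([RS])(\d)\s+([^;]+);([^;]*);(.+?)\s+\[(\d{4}-\d{1,2}-\d{1,2})\s+(\d+)\]\s*$"
)
# "yyyy-mm-dd hh:mm size|<DIR> attrs path"  (attrs is an 8-character flag field)
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+([a-z-]{8})\s+(.+?)\s*$"
)


@dataclass
class Driver:
    running: bool      # 'R' = running, 'S' = stopped
    start_type: int    # 0 = boot, 1 = system, 2 = automatic, 3 = demand (SERVICE_*_START)
    name: str
    display: str
    path: str
    dated: str
    size: int


@dataclass
class FileEntry:
    when: str
    is_dir: bool
    size: int
    attrs: str         # e.g. "a--sh---": 's' = system, 'h' = hidden, 'd' = directory
    path: str


def parse_log(text: str) -> Tuple[List[Driver], List[FileEntry]]:
    """Split the log into driver/service entries and dated file entries."""
    drivers, files = [], []
    for line in text.splitlines():
        m = DRIVER_RE.match(line)
        if m:
            state, start, name, display, path, dated, size = m.groups()
            drivers.append(Driver(state == "R", int(start), name, display, path, dated, int(size)))
            continue
        m = FILE_RE.match(line)
        if m:
            when, size, attrs, path = m.groups()
            is_dir = size == "<DIR>"
            files.append(FileEntry(when, is_dir, 0 if is_dir else int(size.replace(",", "")), attrs, path))
    return drivers, files


def kernel_drivers_outside_drivers_dir(drivers: List[Driver]) -> List[Driver]:
    """.sys images that do not load from system32\\drivers. Legitimate drivers can
    live elsewhere, so this is a review queue, not a detection."""
    return [d for d in drivers
            if d.path.lower().endswith(".sys") and "\\system32\\drivers\\" not in d.path.lower()]


def hidden_system_files(files: List[FileEntry]) -> List[FileEntry]:
    """Non-directory entries carrying both the system (s) and hidden (h) attributes."""
    return [f for f in files if not f.is_dir and "s" in f.attrs and "h" in f.attrs]


def summarize(text: str) -> dict:
    drivers, files = parse_log(text)
    return {
        "drivers": len(drivers),
        "files": len(files),
        "odd_driver_paths": [d.name for d in kernel_drivers_outside_drivers_dir(drivers)],
        "hidden_system": [f.path.rsplit("\\", 1)[-1] for f in hidden_system_files(files)],
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Pointing `parse_log` at a full DDS.txt works the same way; lines that match neither pattern (the Pseudo HJT Report, process list, section banners) are simply skipped.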




#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:26 AM

Posted 23 June 2010 - 06:43 PM

Hi lawrencep,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. In case of making changes I shall assume my assistance is not needed any more.
  1. We are going to run this special tool.
    • Please download TDSSKiller.exe and save it to your desktop.
    • Run TDSSKiller.exe.
    • When it has finished, press any key to continue.
    • Let it reboot if needed, and tell me whether it needed a reboot.
    • It also makes a txt file in the C:\ directory (like TDSSKiller.2.3.2.0_Date_Time_log.txt). Please attach it to your reply.

  2. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


#3 lawrencep

lawrencep
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:03:26 AM

Posted 23 June 2010 - 09:07 PM

Thanks farbar.

Here's the MBAM log--it's clean, but that's happened before. I could reboot and it may show up again (at least that's what it's been doing the past week). Attached is the TDSSKiller log--clean, too.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4231

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/23/2010 9:41:38 PM
mbam-log-2010-06-23 (21-41-38).txt

Scan type: Full scan (C:\|)
Objects scanned: 254788
Time elapsed: 57 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Attached Files



#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:26 AM

Posted 24 June 2010 - 01:18 AM

  1. Run GMER, uncheck all boxes but let the box next to Sections and C drive remain checked. Click Scan.
    When it has finished, press Save to save the log and post it in your reply. It will not take more than a minute.

  2. Please download MBR.EXE by GMER. Save the file in your Windows directory (C:\Windows).

    Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:

    CODE
    @echo off
    rem remove any log left over from an earlier run
    if exist mbr.log del mbr.log
    rem run mbr.exe from C:\Windows; -t writes its findings to mbr.log
    mbr.exe -t
    rem one-second pause so the log is fully written before it is opened
    ping 1.1.1.1 -n 1 -w 1000 >nul
    start mbr.log

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: look.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate look.bat on the desktop. It should look like this:
    • Double-click to run it.
    • A notepad opens, copy and paste the content (log.txt) to your reply.

  3. Please run DDS and post a fresh DDS.txt and the Attach.txt


#5 lawrencep

lawrencep
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:03:26 AM

Posted 24 June 2010 - 08:36 AM

GMER log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-24 08:23:33
Windows 5.1.2600 Service Pack 3
Running: f950l9mf.exe; Driver: C:\DOCUME~1\PATRIC~1\LOCALS~1\Temp\pwldapob.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AF4 7 Bytes JMP 9D8297B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP 9D82978E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B1FE6 7 Bytes JMP 9D8297CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2DF4 5 Bytes JMP 9D8297E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83CA 7 Bytes JMP 9D8297A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB3FA 5 Bytes JMP 9D829714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB686 5 Bytes JMP 9D829728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE44 5 Bytes JMP 9D829766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1134 7 Bytes JMP 9D829750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11EA 5 Bytes JMP 9D82973C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D16F4 5 Bytes JMP 9D82977A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D2982 5 Bytes JMP 9D8297FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? C:\DOCUME~1\PATRIC~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[264] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 488B000A
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[264] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 488B0062
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[264] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 488B0F6D
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[264] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 488B0F8A
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[264] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 488B0F9B
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[264] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 488B0036
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[264] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 488B0F37
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[264] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 488B0073
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[264] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 488B00BF
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[264] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 488B0F26
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[264] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 488B0F0B
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[264] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 488B0047
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[264] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 488B0FEF
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[264] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 488B0F52
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[264] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 488B0025
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[264] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 488B0FCA
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[264] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 488B00A4
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[264] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 48890F92
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[264] msvcrt.dll!system 77C293C7 5 Bytes JMP 48890027
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[264] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 4889000C
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[264] msvcrt.dll!_open 77C2F566 5 Bytes JMP 48890FEF
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[264] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 48890FB7
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[264] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 48890FD2
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[264] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 488A0FC3
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[264] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 488A004D
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[264] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 488A0FD4
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[264] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 488A0FEF
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[264] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 488A0F86
.text C:\WINDOWS\System32\svchost.exe[1984] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02BF0F8A
.text C:\WINDOWS\System32\svchost.exe[1984] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02BF0000
.text C:\WINDOWS\System32\svchost.exe[1984] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02BF0FA5
.text C:\WINDOWS\System32\svchost.exe[1984] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DF, 8A]
.text C:\WINDOWS\System32\svchost.exe[1984] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02BF002C
.text C:\WINDOWS\System32\svchost.exe[1984] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02BE0045
.text C:\WINDOWS\System32\svchost.exe[1984] msvcrt.dll!system 77C293C7 5 Bytes JMP 02BE0FB0
.text C:\WINDOWS\System32\svchost.exe[1984] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02BE0FD2
.text C:\WINDOWS\System32\svchost.exe[1984] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02BE0FEF
.text C:\WINDOWS\System32\svchost.exe[1984] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02BE0FC1
.text C:\WINDOWS\System32\svchost.exe[1984] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02BE000C
.text C:\WINDOWS\System32\svchost.exe[1984] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02BD0FEF
.text C:\WINDOWS\System32\svchost.exe[1984] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02BC0FEF
.text C:\WINDOWS\System32\svchost.exe[1984] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 02BC0FDE
.text C:\WINDOWS\System32\svchost.exe[1984] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 02BC0014
.text C:\WINDOWS\System32\svchost.exe[1984] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 02BC0FC3
.text C:\WINDOWS\system32\svchost.exe[2324] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CA0FE5
.text C:\WINDOWS\system32\svchost.exe[2324] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CA0F66
.text C:\WINDOWS\system32\svchost.exe[2324] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CA0F77
.text C:\WINDOWS\system32\svchost.exe[2324] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CA0F94
.text C:\WINDOWS\system32\svchost.exe[2324] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CA0FA5
.text C:\WINDOWS\system32\svchost.exe[2324] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CA0047
.text C:\WINDOWS\system32\svchost.exe[2324] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CA0F24
.text C:\WINDOWS\system32\svchost.exe[2324] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CA0F4B
.text C:\WINDOWS\system32\svchost.exe[2324] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CA009B
.text C:\WINDOWS\system32\svchost.exe[2324] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CA0F02
.text C:\WINDOWS\system32\svchost.exe[2324] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CA0EE7
.text C:\WINDOWS\system32\svchost.exe[2324] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CA0FC0
.text C:\WINDOWS\system32\svchost.exe[2324] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CA0000
.text C:\WINDOWS\system32\svchost.exe[2324] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CA0076
.text C:\WINDOWS\system32\svchost.exe[2324] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CA0036
.text C:\WINDOWS\system32\svchost.exe[2324] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CA001B
.text C:\WINDOWS\system32\svchost.exe[2324] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CA0F13
.text C:\WINDOWS\system32\svchost.exe[2324] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C9005B
.text C:\WINDOWS\system32\svchost.exe[2324] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C900AC
.text C:\WINDOWS\system32\svchost.exe[2324] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C90036
.text C:\WINDOWS\system32\svchost.exe[2324] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C9001B
.text C:\WINDOWS\system32\svchost.exe[2324] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C9009B
.text C:\WINDOWS\system32\svchost.exe[2324] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C90000
.text C:\WINDOWS\system32\svchost.exe[2324] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C90FEF
.text C:\WINDOWS\system32\svchost.exe[2324] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes JMP C89FEDE5
.text C:\WINDOWS\system32\svchost.exe[2324] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C90076
.text C:\WINDOWS\system32\svchost.exe[2324] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C80044
.text C:\WINDOWS\system32\svchost.exe[2324] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C80FB9
.text C:\WINDOWS\system32\svchost.exe[2324] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C80018
.text C:\WINDOWS\system32\svchost.exe[2324] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C80FEF
.text C:\WINDOWS\system32\svchost.exe[2324] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C80029
.text C:\WINDOWS\system32\svchost.exe[2324] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C80FDE
.text C:\WINDOWS\System32\svchost.exe[2596] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\System32\svchost.exe[2596] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F83
.text C:\WINDOWS\System32\svchost.exe[2596] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0078
.text C:\WINDOWS\System32\svchost.exe[2596] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A005D
.text C:\WINDOWS\System32\svchost.exe[2596] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0040
.text C:\WINDOWS\System32\svchost.exe[2596] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0025
.text C:\WINDOWS\System32\svchost.exe[2596] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A00BA
.text C:\WINDOWS\System32\svchost.exe[2596] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F68
.text C:\WINDOWS\System32\svchost.exe[2596] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0F3C
.text C:\WINDOWS\System32\svchost.exe[2596] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F4D
.text C:\WINDOWS\System32\svchost.exe[2596] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A00E6
.text C:\WINDOWS\System32\svchost.exe[2596] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0FA8
.text C:\WINDOWS\System32\svchost.exe[2596] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0FCA
.text C:\WINDOWS\System32\svchost.exe[2596] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0093
.text C:\WINDOWS\System32\svchost.exe[2596] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0014
.text C:\WINDOWS\System32\svchost.exe[2596] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0FB9
.text C:\WINDOWS\System32\svchost.exe[2596] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A00CB
.text C:\WINDOWS\System32\svchost.exe[2596] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290FCA
.text C:\WINDOWS\System32\svchost.exe[2596] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00290F9E
.text C:\WINDOWS\System32\svchost.exe[2596] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00290FE5
.text C:\WINDOWS\System32\svchost.exe[2596] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00290011
.text C:\WINDOWS\System32\svchost.exe[2596] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0029005B
.text C:\WINDOWS\System32\svchost.exe[2596] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290000
.text C:\WINDOWS\System32\svchost.exe[2596] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00290040
.text C:\WINDOWS\System32\svchost.exe[2596] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00290FB9
.text C:\WINDOWS\System32\svchost.exe[2596] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003E0F90
.text C:\WINDOWS\System32\svchost.exe[2596] msvcrt.dll!system 77C293C7 5 Bytes JMP 003E001B
.text C:\WINDOWS\System32\svchost.exe[2596] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003E0FB5
.text C:\WINDOWS\System32\svchost.exe[2596] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003E0FEF
.text C:\WINDOWS\System32\svchost.exe[2596] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003E000A
.text C:\WINDOWS\System32\svchost.exe[2596] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003E0FC6
.text C:\WINDOWS\System32\svchost.exe[2596] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009B0FEF
.text C:\WINDOWS\system32\SearchIndexer.exe[3180] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00260FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00260F81
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0026006C
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0026005B
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00260FA8
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00260FC3
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00260F35
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00260F5C
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00260F09
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00260F24
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 002600C7
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0026004A
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0026000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00260087
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00260FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0026001B
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00260098
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00350025
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0035006C
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00350FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00350FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0035005B
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00350000
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00350036
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00350FAF
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD0ED C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25467C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00360053
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] msvcrt.dll!system 77C293C7 5 Bytes JMP 00360042
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00360FE3
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00360000
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00360FD2
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00360011
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4B77 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01170FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 01170FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01170000
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 01170011
.text C:\Program Files\Internet Explorer\iexplore.exe[3392] ws2_32.dll!socket 71AB4211 5 Bytes JMP 01D5000A
.text C:\WINDOWS\Explorer.EXE[3716] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\Explorer.EXE[3716] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F8A
.text C:\WINDOWS\Explorer.EXE[3716] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A007F
.text C:\WINDOWS\Explorer.EXE[3716] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0FA5
.text C:\WINDOWS\Explorer.EXE[3716] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0FB6
.text C:\WINDOWS\Explorer.EXE[3716] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0047
.text C:\WINDOWS\Explorer.EXE[3716] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A00C6
.text C:\WINDOWS\Explorer.EXE[3716] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A00B5
.text C:\WINDOWS\Explorer.EXE[3716] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0F48
.text C:\WINDOWS\Explorer.EXE[3716] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A00E1
.text C:\WINDOWS\Explorer.EXE[3716] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A0F37
.text C:\WINDOWS\Explorer.EXE[3716] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0058
.text C:\WINDOWS\Explorer.EXE[3716] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0000
.text C:\WINDOWS\Explorer.EXE[3716] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A00A4
.text C:\WINDOWS\Explorer.EXE[3716] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A002C
.text C:\WINDOWS\Explorer.EXE[3716] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0011
.text C:\WINDOWS\Explorer.EXE[3716] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A0F63
.text C:\WINDOWS\Explorer.EXE[3716] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290025
.text C:\WINDOWS\Explorer.EXE[3716] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0029006C
.text C:\WINDOWS\Explorer.EXE[3716] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00290FD4
.text C:\WINDOWS\Explorer.EXE[3716] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0029000A
.text C:\WINDOWS\Explorer.EXE[3716] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0029005B
.text C:\WINDOWS\Explorer.EXE[3716] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290FEF
.text C:\WINDOWS\Explorer.EXE[3716] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00290FC3
.text C:\WINDOWS\Explorer.EXE[3716] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [49, 88]
.text C:\WINDOWS\Explorer.EXE[3716] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0029004A
.text C:\WINDOWS\Explorer.EXE[3716] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0F7F
.text C:\WINDOWS\Explorer.EXE[3716] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A0F90
.text C:\WINDOWS\Explorer.EXE[3716] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A0FBC
.text C:\WINDOWS\Explorer.EXE[3716] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0FE3
.text C:\WINDOWS\Explorer.EXE[3716] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A0FAB
.text C:\WINDOWS\Explorer.EXE[3716] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A0000
.text C:\WINDOWS\Explorer.EXE[3716] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 002C0000
.text C:\WINDOWS\Explorer.EXE[3716] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 002C0011
.text C:\WINDOWS\Explorer.EXE[3716] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 002C0036
.text C:\WINDOWS\Explorer.EXE[3716] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 002C0FE5
.text C:\WINDOWS\Explorer.EXE[3716] WS2_32.dll!socket 71AB4211 5 Bytes JMP 020B0FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0026000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00260F75
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0026006A
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00260F86
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00260F97
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00260FCD
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00260F49
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00260F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00260F38
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 002600C7
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 002600EC
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00260FA8
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00260FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00260085
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00260039
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00260FDE
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 002600AC
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00350FB9
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00350043
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00350FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00350FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00350F86
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0035000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00350F97
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [55, 88]
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00350FA8
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00360031
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] msvcrt.dll!system 77C293C7 5 Bytes JMP 00360FA6
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00360FB7
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00360FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0036000C
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00360FDE
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 009D0FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 009D0FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 009D0FB9
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 009D000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3868] ws2_32.dll!socket 71AB4211 5 Bytes JMP 00A30FEF
.text C:\Program Files\Pando Networks\Media Booster\PMB.exe[4204] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00260000
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00260F6F
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00260064
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00260F8A
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00260047
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00260025
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 002600A6
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00260F54
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 002600D2
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 002600B7
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00260F1E
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00260036
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00260FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0026007F
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00260FC3
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00260FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00260F43
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00350040
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00350FAF
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00350025
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00350FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0035006C
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00350000
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00350FCA
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [55, 88]
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0035005B
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD0ED C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25467C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00360049
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] msvcrt.dll!system 77C293C7 5 Bytes JMP 00360FBE
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00360FD9
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00360000
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00360038
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00360011
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4B77 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 0117000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0117001B
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01170FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 01170FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[4444] ws2_32.dll!socket 71AB4211 5 Bytes JMP 01D50000
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5072] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00270FEF
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5072] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00270F72
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5072] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00270071
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5072] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00270F97
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5072] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0027004A
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5072] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00270FB2
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5072] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00270F35
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5072] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00270F46
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5072] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00270F10
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5072] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 002700A9
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5072] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00270EFF
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5072] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00270039
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5072] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0027000A
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5072] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00270F57
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5072] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00270FC3
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5072] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 32605164 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5072] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00270FDE
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5072] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00270098
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5072] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00360038
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5072] msvcrt.dll!system 77C293C7 5 Bytes JMP 00360027
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5072] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00360FC8
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5072] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00360FE3
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5072] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00360FB7
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5072] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00360000
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5072] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00370FB9
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5072] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00370051
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5072] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0037000A
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5072] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00370FD4
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5072] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00370F9E
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5072] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00370FE5
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5072] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00370036
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5072] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00370025
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5072] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 330B9D32 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5072] WS2_32.dll!socket 71AB4211 5 Bytes JMP 07170000
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5072] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 0E7E0000
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5072] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0E7E0FE5
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5072] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 0E7E0FC0
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5072] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 0E7E0FAF
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00260000
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00260F5C
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00260F6D
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00260F7E
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00260F9B
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00260047
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00260076
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00260F24
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 002600AC
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00260F13
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00260EF8
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00260FC0
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00260FDB
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00260F41
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0026002C
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0026001B
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00260091
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00350025
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00350062
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00350FDE
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00350FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00350047
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00350000
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00350036
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00350FAF
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD0ED C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25467C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00360011
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] msvcrt.dll!system 77C293C7 5 Bytes JMP 00360F86
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00360000
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00360FE3
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00360FA1
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00360FD2
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4B77 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 0116000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 01160FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01160FCA
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 01160FAF
.text C:\Program Files\Internet Explorer\iexplore.exe[5532] ws2_32.dll!socket 71AB4211 5 Bytes JMP 01D20FEF
.text C:\WINDOWS\system32\dllhost.exe[5608] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0000
.text C:\WINDOWS\system32\dllhost.exe[5608] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F70
.text C:\WINDOWS\system32\dllhost.exe[5608] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0F8B
.text C:\WINDOWS\system32\dllhost.exe[5608] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F9C
.text C:\WINDOWS\system32\dllhost.exe[5608] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A005B
.text C:\WINDOWS\system32\dllhost.exe[5608] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FCA
.text C:\WINDOWS\system32\dllhost.exe[5608] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A009D
.text C:\WINDOWS\system32\dllhost.exe[5608] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F55
.text C:\WINDOWS\system32\dllhost.exe[5608] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A00CC
.text C:\WINDOWS\system32\dllhost.exe[5608] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F33
.text C:\WINDOWS\system32\dllhost.exe[5608] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A00DD
.text C:\WINDOWS\system32\dllhost.exe[5608] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0FB9
.text C:\WINDOWS\system32\dllhost.exe[5608] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A001B
.text C:\WINDOWS\system32\dllhost.exe[5608] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0080
.text C:\WINDOWS\system32\dllhost.exe[5608] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0036
.text C:\WINDOWS\system32\dllhost.exe[5608] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\system32\dllhost.exe[5608] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A0F44
.text C:\WINDOWS\system32\dllhost.exe[5608] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00290F92
.text C:\WINDOWS\system32\dllhost.exe[5608] msvcrt.dll!system 77C293C7 5 Bytes JMP 00290FAD
.text C:\WINDOWS\system32\dllhost.exe[5608] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00290FC8
.text C:\WINDOWS\system32\dllhost.exe[5608] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00290FEF
.text C:\WINDOWS\system32\dllhost.exe[5608] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0029001D
.text C:\WINDOWS\system32\dllhost.exe[5608] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0029000C
.text C:\WINDOWS\system32\dllhost.exe[5608] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002A0F9E
.text C:\WINDOWS\system32\dllhost.exe[5608] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002A0F83
.text C:\WINDOWS\system32\dllhost.exe[5608] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002A0FAF
.text C:\WINDOWS\system32\dllhost.exe[5608] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002A0FCA
.text C:\WINDOWS\system32\dllhost.exe[5608] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002A0040
.text C:\WINDOWS\system32\dllhost.exe[5608] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002A0FE5
.text C:\WINDOWS\system32\dllhost.exe[5608] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002A002F
.text C:\WINDOWS\system32\dllhost.exe[5608] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002A000A
.text C:\WINDOWS\system32\dllhost.exe[5608] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A70FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00260FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00260F1C
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00260F37
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00260F54
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00260F6F
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00260011
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00260038
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00260EF0
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00260053
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00260EBA
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00260064
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00260F80
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00260FCA
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00260F01
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00260FA5
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00260000
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00260EDF
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0035002C
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00350FA2
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0035001B
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00350000
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00350069
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00350FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00350058
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00350047
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD0ED C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25467C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0036003D
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] msvcrt.dll!system 77C293C7 5 Bytes JMP 0036002C
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00360FCD
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00360FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00360FBC
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00360FDE
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4B77 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01150000
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0115001B
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 0115002C
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 01150FD1
.text C:\Program Files\Internet Explorer\iexplore.exe[6072] ws2_32.dll!socket 71AB4211 5 Bytes JMP 01D40000
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0026000A
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 002600BC
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 002600A1
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00260090
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00260073
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00260047
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 002600D9
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00260F91
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00260F65
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 002600F4
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00260123
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00260058
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00260FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00260FA2
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00260036
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0026001B
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00260F76
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00350000
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00350F72
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00350FB9
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00350FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00350F83
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00350FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00350F94
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [55, 88]
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0035001B
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD0ED C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25467C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00360027
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] msvcrt.dll!system 77C293C7 5 Bytes JMP 00360016
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00360FC1
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00360FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00360F9C
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00360FDE
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4B77 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01170FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 01170014
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01170025
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 0117004A
.text C:\Program Files\Internet Explorer\iexplore.exe[6864] ws2_32.dll!socket 71AB4211 5 Bytes JMP 01D70000

---- EOF - GMER 1.0.15 ----


MBR Log

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK


DDS.txt


DDS (Ver_09-02-01.01) - NTFSx86
Run by Patrick Lawrence at 9:31:09.57 on Thu 06/24/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3539.1987 [GMT -4:00]

AV: Total Protection for Small Business *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Program Files\Fingerprint Sensor\AtService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r205445\stacsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Update\1.2.183.29\GoogleCrashHandler.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe
C:\WINDOWS\system32\NLSSRV32.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\McAfee\Managed VirusScan\Agent\swAgent.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\McAfee\Managed VirusScan\DesktopUI\XTray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Upromise\dca-ua.exe
C:\Program Files\Upromise\UpromiseTray.exe
C:\Program Files\TiVo\Desktop\Plus\TranscodingService.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\TiVo\Desktop\TiVoTransfer.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\PROGRA~1\SONICW~1\SONICW~1\mantispm.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
C:\Program Files\NETGEAR GA511 Adapter\GA511.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Patrick Lawrence\Desktop\Malware\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\managed virusscan\vscan\ScriptSn.20100520073514.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: DCA BHO: {b49699fc-1665-4414-a1cb-c4a2a4a13eec} - c:\program files\upromise\dca-bho.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile: {d5233fcd-d258-4903-89b8-fb1568e7413d} - mscoree.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Upromise TurboSaver: {edc0f17f-f4b7-47e4-b73e-887faeb376fa} - c:\program files\upromise\upromisetoolbar.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Upromise TurboSaver: {06e58e5e-f8cb-4049-991e-a41c03bd419e} - c:\program files\upromise\upromisetoolbar.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Upromise Update] c:\program files\upromise\dca-ua.exe
uRun: [Upromise Tray] c:\program files\upromise\UpromiseTray.exe
uRun: [TranscodingService] c:\program files\tivo\desktop\plus\\TranscodingService.exe
uRun: [TivoTransfer] c:\program files\tivo\desktop\TiVoTransfer.exe
uRun: [TivoServer] c:\program files\tivo\desktop\TiVoServer.exe /service /registry /auto:TivoServer
uRun: [TivoNotify] c:\program files\tivo\desktop\TiVoNotify.exe /service /registry /auto:TivoNotify
uRun: [Pando Media Booster] "c:\program files\pando networks\media booster\PMB.exe"
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Matador] "c:\progra~1\sonicw~1\sonicw~1\mantispm.exe" -quiet
uRun: [Google Update] "c:\documents and settings\patrick lawrence\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [Act.Outlook.Service] "c:\program files\act\act for windows\Act.Outlook.Service.exe"
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SecureUpgrade] "c:\program files\wave systems corp\SecureUpgrade.exe"
mRun: [PostCopy] c:\windows\system32\belkin\f5d5050\PostCopy.exe
mRun: [MVS Splash] "c:\program files\mcafee\managed virusscan\desktopui\XTray.exe" /LOGON
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [EmbassySecurityCheck] "c:\program files\wave systems corp\embassy security setup\EMBASSYSecurityCheck.exe"
mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"
mRun: [ChangeTPMAuth] c:\program files\wave systems corp\common\ChangeTPMAuth.exe /T:NTRU12
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [Act! Preloader] "c:\program files\act\act for windows\ActSage.exe" -preload
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellco~1.lnk - c:\program files\dell\dell controlpoint\system manager\DCPSysMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ga511s~1.lnk - c:\windows\installer\{52cad7c7-1e41-43fe-8613-ab9d79b2dbbc}\NewShortcut1.exe
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {06E58E5E-F8CB-4049-991E-A41C03BD419E} - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - c:\program files\upromise\upromisetoolbar.dll
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233061058062
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FF3C5A9F-5A91-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/CheckersZPA.cab55579.cab
Handler: myrm - {4D034FC3-013F-4b95-B544-44D49ABE3E76} - c:\program files\mcafee\managed virusscan\agent\MyRmProt5.0.0.778.dll
Notify: GoToAssist Express Customer - c:\program files\citrix\gotoassist express customer\209\g2ax_winlogon.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 wvauth

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-28 214664]
R2 ATService;AuthenTec Fingerprint Service;c:\program files\fingerprint sensor\AtService.exe [2008-6-27 1664248]
R2 BrcmMgmtAgent;Broadcom Management Agent;c:\program files\broadcom\mgmtagent\BrcmMgmtAgent.exe [2008-7-1 110592]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2008-9-4 406808]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2008-11-11 451872]
R2 EngineServer;EngineServer;c:\program files\mcafee\managed virusscan\vscan\EngineServer.exe [2009-1-28 14144]
R2 FlipShare Service;FlipShare Service;c:\program files\flip video\flipshare\FlipShareService.exe [2010-5-14 455944]
R2 LANPkt;Realtek LANPkt Protocol;c:\windows\system32\drivers\lanpkt.sys [2003-12-25 8440]
R2 McShield;McShield;c:\progra~1\mcafee\manage~1\vscan\McShield.exe [2009-1-28 144704]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-5-27 29262680]
R2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\mcafee\managed virusscan\agent\myAgtSvc.exe [2009-1-28 282824]
R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\nitro pdf\professional\NitroPDFDriverService.exe [2010-2-2 188736]
R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [2010-2-2 65856]
R2 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [2009-1-28 78640]
R2 SWAGENT;SonicWALL Agent Service;c:\program files\mcafee\managed virusscan\agent\swAgent.exe [2009-1-28 202048]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-1-17 112128]
R3 AteksoftAudio;WebCamera Plus Audio;c:\windows\system32\drivers\ateksoftaudio.sys [2009-2-5 11776]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-1-17 110080]
R3 MfeAVFK;McAfee Inc. MfeAVFK;c:\windows\system32\drivers\mfeavfk.sys [2009-1-28 79816]
R3 MfeBOPK;McAfee Inc. MfeBOPK;c:\windows\system32\drivers\mfebopk.sys [2009-1-28 35272]
R3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [2009-1-28 23180]
S2 ACT! Scheduler;ACT! Scheduler;c:\program files\act\act for windows\Act.Scheduler.exe [2010-1-20 81920]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-9-9 133104]
S3 ADM8511;%ADM8511.Service.DispName%;c:\windows\system32\drivers\adm8511.sys [2001-8-17 20160]
S3 Amazon Download Agent;Amazon Download Agent;c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2010-2-10 401920]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [2003-12-25 11237]
S3 GoToAssist Express Customer;GoToAssist Express Customer;c:\program files\citrix\gotoassist express customer\209\g2ax_service.exe [2009-12-16 161144]
S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\mferkdk.sys [2009-1-28 34248]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2009-6-4 17408]
S4 TivoBeacon2;TiVo Beacon Service;c:\program files\tivo\desktop\TiVoBeacon.exe [2009-11-2 1098968]
S4 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-11-13 92008]
S4 Webcamera Plus Service;Webcamera Plus Service;c:\program files\ateksoft\webcamera plus\WebCamPlusSrv.exe [2009-2-5 46592]

=============== Created Last 30 ================

2010-06-23 10:38 <DIR> --ds---- C:\Comfix
2010-06-18 13:16 77,312 a------- c:\windows\MBR.exe
2010-06-18 13:16 256,512 a------- c:\windows\PEV.exe
2010-06-18 13:15 <DIR> --d----- C:\ComboFix
2010-06-18 13:12 389,120 a------- c:\windows\system32\CF28410.exe
2010-06-17 13:47 <DIR> --d----- c:\program files\ESET
2010-06-16 23:50 <DIR> --d----- c:\program files\iPod
2010-06-16 23:50 <DIR> --d----- c:\program files\iTunes
2010-06-16 23:45 <DIR> --d----- c:\program files\Bonjour
2010-06-15 21:44 120 a------- c:\windows\Cbelohupofuyipid.dat
2010-06-15 21:44 0 a------- c:\windows\Tbipitok.bin
2010-06-15 21:43 8,192 ac------ c:\windows\system32\dllcache\changer.sys
2010-06-15 21:43 8,192 a------- c:\windows\system32\drivers\changer.sys
2010-06-15 21:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Update
2010-06-15 08:43 <DIR> --d----- c:\program files\Auslogics
2010-06-08 15:39 743,424 -c------ c:\windows\system32\dllcache\iedvtool.dll
2010-05-31 22:15 <DIR> --d----- C:\Avatar
2010-05-31 15:34 <DIR> --d----- C:\Star_Wars_A_NEW_HOPE
2010-05-31 13:21 <DIR> --d----- C:\A_NEW_HOPE
2010-05-31 12:46 <DIR> --d----- c:\program files\DVD Shrink

==================== Find3M ====================

2010-06-24 08:50 4,182 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2010-05-18 16:35 107,808 a------- c:\windows\system32\dns-sd.exe
2010-05-18 16:35 91,424 a------- c:\windows\system32\dnssd.dll
2010-05-12 09:40 562,205 a------- c:\windows\hpoins21.dat
2010-05-06 06:41 916,480 a------- c:\windows\system32\wininet.dll
2010-05-02 01:22 1,851,264 a------- c:\windows\system32\win32k.sys
2010-04-29 15:39 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 15:39 20,952 a------- c:\windows\system32\drivers\mbam.sys
2010-04-20 01:30 285,696 a------- c:\windows\system32\atmfd.dll
2010-04-19 20:47 3,062,048 a------- c:\windows\system32\usbaaplrc.dll
2010-03-31 00:16 99,176 a------- c:\windows\system32\PresentationHostProxy.dll
2010-03-31 00:10 295,264 a------- c:\windows\system32\PresentationHost.exe
2010-03-26 10:16 168 ---shr-- c:\docume~1\alluse~1\applic~1\F945FC7431.sys
2010-03-19 14:56 336 a------- c:\program files\temp995.bat
2009-01-28 13:08 726,008 a------- c:\documents and settings\patrick lawrence\gotomypc_437.exe
2010-03-04 19:50 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 9:32:02.54 ===============

#6 Farbar

Farbar

    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:26 AM

Posted 24 June 2010 - 08:45 AM

Thanks for the logs.

It seems you have run ComboFix. Please attach the log of last run of ComboFix to your reply.

#7 lawrencep

lawrencep
  • Topic Starter

  • Members
  • 19 posts
  • Local time:03:26 AM

Posted 24 June 2010 - 08:53 AM

There was no log the last time I ran it. It ran, rebooted my computer, started back up then crashed to blue screen. Want me to rerun it?

I re-ran it anyway. I see where the file was deleted the last time I ran it.

ComboFix 10-06-23.05 - Patrick Lawrence 06/24/2010 9:58.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3539.2630 [GMT -4:00]
Running from: c:\documents and settings\Patrick Lawrence\Desktop\Malware\Comfix.exe
AV: Total Protection for Small Business *On-access scanning disabled* (Updated) {8C354827-2F54-4E28-90DC-AD391E77808C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\system32\drivers\nczfjud.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_nczfjud
-------\Service_nczfjud


((((((((((((((((((((((((( Files Created from 2010-05-24 to 2010-06-24 )))))))))))))))))))))))))))))))
.

2010-06-18 17:15 . 2010-06-18 18:25 -------- d-----w- C:\ComboFix
2010-06-18 17:12 . 2010-06-18 17:11 389120 ----a-w- c:\windows\system32\CF28410.exe
2010-06-18 11:23 . 2010-06-18 11:23 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-06-18 11:22 . 2010-06-18 11:22 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-06-18 11:21 . 2010-06-18 11:21 -------- d-----w- c:\documents and settings\LocalService\Application Data\HPAppData
2010-06-17 17:47 . 2010-06-17 17:47 -------- d-----w- c:\program files\ESET
2010-06-17 03:50 . 2010-06-17 03:50 -------- d-----w- c:\program files\iPod
2010-06-17 03:50 . 2010-06-17 03:51 -------- d-----w- c:\program files\iTunes
2010-06-17 03:45 . 2010-06-17 03:45 -------- d-----w- c:\program files\Bonjour
2010-06-17 03:37 . 2010-06-17 03:37 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-16 23:07 . 2010-06-16 23:07 -------- d-sh--w- c:\documents and settings\NetworkService\UserData
2010-06-16 01:44 . 2010-06-18 11:29 0 ----a-w- c:\windows\Tbipitok.bin
2010-06-16 01:44 . 2010-06-18 02:19 120 ----a-w- c:\windows\Cbelohupofuyipid.dat
2010-06-16 01:43 . 2008-04-14 04:11 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-06-16 01:43 . 2008-04-14 04:11 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-06-16 01:42 . 2010-06-16 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-06-15 12:43 . 2010-06-15 12:43 -------- d-----w- c:\program files\Auslogics
2010-06-09 01:10 . 2010-04-22 08:57 666112 ----a-w- c:\documents and settings\Patrick Lawrence\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\pmv306hw-1004220-0-main.dll
2010-06-09 01:10 . 2010-06-09 01:10 348160 ----a-w- c:\documents and settings\Patrick Lawrence\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
2010-06-08 19:39 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-01 02:15 . 2010-06-01 02:15 -------- d-----w- C:\Avatar
2010-05-31 19:34 . 2010-05-31 19:34 -------- d-----w- C:\Star_Wars_A_NEW_HOPE
2010-05-31 17:21 . 2010-05-31 17:21 -------- d-----w- C:\A_NEW_HOPE
2010-05-31 16:46 . 2010-05-31 22:44 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2010-05-31 16:46 . 2010-05-31 16:46 -------- d-----w- c:\program files\DVD Shrink

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-24 13:50 . 2009-01-28 16:43 4182 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-06-24 13:50 . 2009-01-28 16:43 4182 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-06-24 12:47 . 2010-01-25 16:05 -------- d-----w- c:\documents and settings\Patrick Lawrence\Application Data\HPAppData
2010-06-17 03:50 . 2009-01-29 11:43 -------- d-----w- c:\program files\Common Files\Apple
2010-06-15 12:40 . 2009-02-03 22:18 -------- d-----w- c:\program files\CCleaner
2010-06-14 20:01 . 2009-08-20 14:36 -------- d-----w- c:\documents and settings\Patrick Lawrence\Application Data\vlc
2010-06-08 23:13 . 2009-01-27 12:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-08 17:38 . 2010-03-04 17:06 -------- d-----w- c:\documents and settings\Patrick Lawrence\Application Data\Nitro PDF
2010-06-08 14:42 . 2010-01-11 19:59 -------- d-----w- c:\documents and settings\Patrick Lawrence\Application Data\GoodSync
2010-06-03 03:07 . 2009-02-19 21:25 -------- d-----w- c:\documents and settings\Patrick Lawrence\Application Data\FileZilla
2010-05-21 16:48 . 2009-05-08 16:01 -------- d-----w- c:\program files\Citrix
2010-05-18 20:35 . 2010-05-18 20:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35 . 2010-05-18 20:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-17 01:07 . 2009-01-29 00:54 -------- d-----w- c:\program files\Siber Systems
2010-05-15 07:11 . 2009-01-17 12:46 -------- d-----w- c:\program files\Google
2010-05-14 16:38 . 2010-05-14 16:38 4732800 ----a-w- c:\documents and settings\All Users\Application Data\Flip Video\FlipShare\Updates\FirmwareExec_Windows_en-US_83.06_83.07\FlipVideoFWUpdate.exe
2010-05-13 19:03 . 2009-02-19 21:24 -------- d-----w- c:\program files\FileZilla FTP Client
2010-05-12 13:40 . 2010-04-07 12:32 562205 ----a-w- c:\windows\hpoins21.dat
2010-05-08 19:34 . 2009-02-13 14:56 -------- d-----w- c:\documents and settings\Patrick Lawrence\Application Data\NBC Direct
2010-05-07 19:18 . 2009-02-13 14:55 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2010-05-07 19:14 . 2009-01-27 12:08 0 ----a-w- c:\documents and settings\Patrick Lawrence\Local Settings\Application Data\WavXMapDrive.bat
2010-05-07 16:55 . 2010-05-07 16:55 255472 ----a-w- c:\documents and settings\Patrick Lawrence\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-05-06 10:41 . 2008-04-25 16:16 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2008-04-25 16:16 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-01 21:00 . 2009-02-10 02:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-01 00:59 . 2009-04-27 18:04 -------- d-----w- c:\documents and settings\Patrick Lawrence\Application Data\Download Manager
2010-04-29 19:39 . 2009-02-10 02:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-02-10 02:32 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 02:18 . 2010-01-25 15:59 -------- d-----w- c:\documents and settings\Patrick Lawrence\Application Data\HpUpdate
2010-04-20 05:30 . 2008-04-25 16:16 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 00:47 . 2009-06-04 10:25 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-20 00:47 . 2009-01-29 11:43 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-03-31 04:16 . 2010-03-31 04:16 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-03-31 04:10 . 2010-03-31 04:10 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-03-26 14:16 . 2009-01-28 16:43 168 --sh--r- c:\documents and settings\All Users\Application Data\F945FC7431.sys
2010-03-26 14:16 . 2009-01-28 16:43 168 --sh--r- c:\documents and settings\All Users\Application Data\F945FC7431.sys
2010-03-19 18:56 . 2010-03-19 18:56 336 ----a-w- c:\program files\temp995.bat
.

((((((((((((((((((((((((((((( SnapShot@2010-06-18_18.22.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-24 13:32 . 2010-06-24 13:32 16384 c:\windows\Temp\Perflib_Perfdata_cc0.dat
+ 2010-06-24 12:36 . 2010-06-24 12:36 16384 c:\windows\Temp\Perflib_Perfdata_4c8.dat
+ 2010-06-24 12:36 . 2010-06-24 12:36 16384 c:\windows\Temp\Perflib_Perfdata_18c.dat
+ 2010-06-23 14:46 . 2010-06-23 14:46 16384 c:\windows\Temp\Perflib_Perfdata_128.dat
- 2008-04-25 16:16 . 2010-06-18 18:14 98142 c:\windows\system32\perfc009.dat
+ 2008-04-25 16:16 . 2010-06-23 22:43 98142 c:\windows\system32\perfc009.dat
+ 2009-11-07 05:07 . 2009-11-07 05:07 49488 c:\windows\system32\netfxperf.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 13648 c:\windows\Microsoft.NET\Framework\v2.0.50727\sbscmp20_mscorlib.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 13648 c:\windows\Microsoft.NET\Framework\SharedReg12.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 13648 c:\windows\Microsoft.NET\Framework\sbscmp20_perfcounter.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 13648 c:\windows\Microsoft.NET\Framework\sbscmp20_mscorwks.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 13648 c:\windows\Microsoft.NET\Framework\sbscmp10.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 13664 c:\windows\Microsoft.NET\Framework\sbs_wminet_utils.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 13688 c:\windows\Microsoft.NET\Framework\sbs_system.enterpriseservices.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 13664 c:\windows\Microsoft.NET\Framework\sbs_system.data.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 13696 c:\windows\Microsoft.NET\Framework\sbs_system.configuration.install.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 13656 c:\windows\Microsoft.NET\Framework\sbs_mscorsec.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 13656 c:\windows\Microsoft.NET\Framework\sbs_mscorrc.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 13656 c:\windows\Microsoft.NET\Framework\sbs_mscordbi.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 13672 c:\windows\Microsoft.NET\Framework\sbs_microsoft.jscript.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 13664 c:\windows\Microsoft.NET\Framework\sbs_diasymreader.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 86864 c:\windows\Microsoft.NET\Framework\NETFXSBS10.exe
+ 2010-06-23 22:45 . 2010-06-23 22:45 60928 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationProvider\ea1b4fbde0e772748c6ac42d627cf684\UIAutomationProvider.ni.dll
+ 2010-06-23 22:54 . 2010-06-23 22:54 37888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Pres#\f46915dfc57bc7e49c5402e9b8f7ec18\System.Windows.Presentation.ni.dll
+ 2010-06-23 22:45 . 2010-06-23 22:45 47104 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\18729514178d458aa1225dd068718d4e\PresentationFontCache.ni.exe
+ 2010-06-23 22:44 . 2010-06-23 22:44 39424 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCFFRast#\0375dfa28e2f6ef7e89df9edede4b83d\PresentationCFFRasterizer.ni.dll
+ 2010-06-23 22:42 . 2010-06-23 22:42 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2010-06-23 22:42 . 2010-06-23 22:42 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2010-06-23 22:43 . 2010-06-23 22:43 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2010-06-23 22:42 . 2010-06-23 22:42 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2010-06-23 22:42 . 2010-06-23 22:42 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2010-06-23 22:42 . 2010-06-23 22:42 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2010-06-23 22:43 . 2010-06-23 22:43 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2010-06-23 22:43 . 2010-06-23 22:43 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2010-06-23 22:42 . 2010-06-23 22:42 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
+ 2010-06-23 22:42 . 2010-06-23 22:42 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2010-06-23 22:42 . 2010-06-23 22:42 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2010-06-23 22:42 . 2010-06-23 22:42 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2010-06-23 22:42 . 2010-06-23 22:42 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2010-06-23 22:42 . 2010-06-23 22:42 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
+ 2010-06-23 22:42 . 2010-06-23 22:42 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2010-06-23 22:43 . 2010-06-23 22:43 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
- 2010-06-08 23:06 . 2010-06-08 23:06 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2010-06-23 22:42 . 2010-06-23 22:42 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2010-06-23 22:42 . 2010-06-23 22:42 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
+ 2010-06-23 22:42 . 2010-06-23 22:42 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2010-06-23 22:42 . 2010-06-23 22:42 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
- 2008-04-25 16:16 . 2010-06-18 18:14 514518 c:\windows\system32\perfh009.dat
+ 2008-04-25 16:16 . 2010-06-23 22:43 514518 c:\windows\system32\perfh009.dat
+ 2009-11-07 05:07 . 2009-11-07 05:07 297808 c:\windows\system32\mscoree.dll
+ 2010-03-31 04:16 . 2010-03-31 04:16 130408 c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationHostDLL.dll
+ 2010-06-08 23:06 . 2010-06-08 23:06 261632 c:\windows\assembly\temp\OX5CKRZ6EL\System.Transactions.dll
+ 2010-06-23 22:46 . 2010-06-23 22:46 240128 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsFormsIntegra#\b3a9fac9aea3ad913781fafbdcbb0cae\WindowsFormsIntegration.ni.dll
+ 2010-06-23 22:45 . 2010-06-23 22:45 447488 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClient\4131a3627fec69291dbaed236f30dc65\UIAutomationClient.ni.dll
+ 2010-06-23 22:45 . 2010-06-23 22:45 368128 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\a10c2c7e38291c3ada631ad13e762818\PresentationFramework.Aero.ni.dll
+ 2010-06-23 22:45 . 2010-06-23 22:45 539648 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\7579c76fa81eb309d3170b62467be58d\PresentationFramework.Luna.ni.dll
+ 2010-06-23 22:45 . 2010-06-23 22:45 224768 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\3bef0992fb684e71dbfab5c0a99316af\PresentationFramework.Classic.ni.dll
+ 2010-06-23 22:45 . 2010-06-23 22:45 258048 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\2f6687d394813d760496f60acf046384\PresentationFramework.Royale.ni.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2010-06-23 22:42 . 2010-06-23 22:42 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2010-06-23 22:42 . 2010-06-23 22:42 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2010-06-23 22:42 . 2010-06-23 22:42 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2010-06-23 22:42 . 2010-06-23 22:42 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2010-06-23 22:42 . 2010-06-23 22:42 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2010-06-23 22:43 . 2010-06-23 22:43 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2010-06-23 22:43 . 2010-06-23 22:43 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2010-06-23 22:43 . 2010-06-23 22:43 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2010-06-23 22:43 . 2010-06-23 22:43 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2010-06-23 22:42 . 2010-06-23 22:42 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2010-06-23 22:42 . 2010-06-23 22:42 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2010-06-23 22:43 . 2010-06-23 22:43 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2010-06-23 22:43 . 2010-06-23 22:43 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
+ 2010-06-23 22:43 . 2010-06-23 22:43 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2010-06-23 22:43 . 2010-06-23 22:43 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2010-06-23 22:42 . 2010-06-23 22:42 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2010-06-23 22:42 . 2010-06-23 22:42 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2010-06-23 22:42 . 2010-06-23 22:42 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2010-06-23 22:42 . 2010-06-23 22:42 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2010-06-23 22:43 . 2010-06-23 22:43 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2010-06-23 22:43 . 2010-06-23 22:43 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2010-06-23 22:42 . 2010-06-23 22:42 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2010-06-23 22:42 . 2010-06-23 22:42 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2010-06-23 22:42 . 2010-06-23 22:42 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2010-06-23 22:42 . 2010-06-23 22:42 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2010-06-23 22:43 . 2010-06-23 22:43 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2009-11-07 05:06 . 2009-11-07 05:06 1130824 c:\windows\system32\dfshim.dll
+ 2009-11-09 04:25 . 2009-11-09 04:25 1935360 c:\windows\Installer\f07094.msp
+ 2010-06-08 23:06 . 2010-06-08 23:06 2933248 c:\windows\assembly\temp\9IQY5CKRZ7\System.Data.dll
+ 2010-06-23 22:45 . 2010-06-23 22:45 3325440 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\d63164ac4ed5adabc6a1b0fdf07eee05\WindowsBase.ni.dll
+ 2010-06-23 22:45 . 2010-06-23 22:45 1049600 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClients#\d8549ce90b26cdc3071224ab6f020189\UIAutomationClientsideProviders.ni.dll
+ 2010-06-23 22:45 . 2010-06-23 22:45 1035264 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Printing\af217ef58e5558991f331d482c2bdba6\System.Printing.ni.dll
+ 2010-06-23 22:45 . 2010-06-23 22:45 2128896 c:\windows\assembly\NativeImages_v2.0.50727_32\ReachFramework\57abb757c1f38586390dcc63bf056322\ReachFramework.ni.dll
+ 2010-06-23 22:45 . 2010-06-23 22:45 1657856 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationUI\0095ba60255d4addaf5b8ebee697a027\PresentationUI.ni.dll
+ 2010-06-23 22:44 . 2010-06-23 22:44 1249280 c:\windows\assembly\GAC_MSIL\WindowsBase\3.0.0.0__31bf3856ad364e35\WindowsBase.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 3182592 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
+ 2010-06-23 22:43 . 2010-06-23 22:43 3182592 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2010-06-23 22:43 . 2010-06-23 22:43 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2010-06-23 22:42 . 2010-06-23 22:42 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2010-06-23 22:42 . 2010-06-23 22:42 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2010-06-23 22:44 . 2010-06-23 22:44 5279744 c:\windows\assembly\GAC_MSIL\PresentationFramework\3.0.0.0__31bf3856ad364e35\PresentationFramework.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 5242880 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
+ 2010-06-23 22:42 . 2010-06-23 22:42 5242880 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
+ 2010-06-23 22:43 . 2010-06-23 22:43 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2010-06-23 22:44 . 2010-06-23 22:44 4210688 c:\windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\PresentationCore.dll
- 2009-03-17 13:44 . 2009-03-17 13:44 4210688 c:\windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\PresentationCore.dll
- 2010-06-08 23:06 . 2010-06-08 23:06 4546560 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2010-06-23 22:43 . 2010-06-23 22:43 4546560 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2010-03-31 05:23 . 2010-03-31 05:23 15638528 c:\windows\Installer\f070a0.msp
+ 2010-06-23 22:45 . 2010-06-23 22:45 14328320 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\560662ada034afb6ec78a152bd9a47b5\PresentationFramework.ni.dll
+ 2010-06-23 22:45 . 2010-06-23 22:45 12215808 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\9f5dff344ac6ac923b5ade8ba1ab9382\PresentationCore.ni.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2009-01-09 21:13 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2009-01-09 21:13 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2009-01-09 21:13 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2008-11-10 00:10 40960 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2008-11-10 00:10 40960 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Upromise Update"="c:\program files\Upromise\dca-ua.exe" [2009-10-07 81920]
"Upromise Tray"="c:\program files\Upromise\UpromiseTray.exe" [2009-10-10 167936]
"TranscodingService"="c:\program files\TiVo\Desktop\Plus\\TranscodingService.exe" [2009-11-02 856280]
"TivoTransfer"="c:\program files\TiVo\Desktop\TiVoTransfer.exe" [2009-11-02 604888]
"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2009-11-02 2195160]
"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2009-11-02 430808]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2009-09-23 2921288]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Matador"="c:\progra~1\SONICW~1\SONICW~1\mantispm.exe" [2007-10-24 808208]
"Google Update"="c:\documents and settings\Patrick Lawrence\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-06-02 133104]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-01-10 160592]
"Act.Outlook.Service"="c:\program files\ACT\Act for Windows\Act.Outlook.Service.exe" [2010-01-21 28672]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-10 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2008-11-10 656696]
"PostCopy"="c:\windows\system32\BELKIN\F5D5050\PostCopy.exe" [2001-07-25 20480]
"MVS Splash"="c:\program files\McAfee\Managed VirusScan\DesktopUI\XTray.exe" [2010-05-11 476480]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-06-15 178712]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-09-17 178712]
"EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2008-11-10 91448]
"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2008-08-18 598016]
"ChangeTPMAuth"="c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2008-09-25 184320]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2009-01-09 669840]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-03-05 2220032]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-10-28 200704]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2008-12-01 471040]
"Act! Preloader"="c:\program files\ACT\Act for Windows\ActSage.exe" [2010-01-21 331776]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-01-10 160592]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2008-11-11 950048]
GA511 Smart Wizard Utility.lnk - c:\windows\Installer\{52CAD7C7-1E41-43FE-8613-AB9D79B2DBBC}\NewShortcut1.exe [2009-3-17 40960]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
2009-12-16 13:32 147832 ----a-w- c:\program files\Citrix\GoToAssist Express Customer\209\g2ax_winlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Patrick Lawrence^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Patrick Lawrence\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AmazonGSDownloaderTray]
2009-10-23 17:31 326144 ----a-w- c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CardScanAgent]
2006-10-20 13:33 176128 ----a-w- c:\program files\CardScan\CardScan\CardScanAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DirectPlayerCore]
2009-11-11 01:59 1150016 ----a-w- c:\program files\NBC Direct\DirectPlayerCore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2006-11-13 18:39 1289000 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2010-03-12 17:08 49208 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-09-17 04:02 150040 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2008-11-20 01:35 128296 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-09-17 04:02 150040 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-09-10 01:36 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysTrayApp]
2008-12-01 21:24 483420 ----a-w- c:\program files\IDT\WDM\sttray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2009-11-13 11:31 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USCService]
2008-11-10 21:06 24576 ----a-w- c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WavXMgr]
2008-09-26 13:35 145408 ----a-w- c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Webcamera Plus Service"=2 (0x2)
"TomTomHOMEService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"=
"c:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=
"c:\\Program Files\\ACT\\Act for Windows\\ActSage.exe"=
"c:\\Program Files\\My XA Program\\cerhost.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Ateksoft\\WebCamera Plus\\WebCamPlusSrv.exe"=
"c:\\Program Files\\Ateksoft\\WebCamera Plus\\camviewer.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Documents and Settings\\Patrick Lawrence\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Patrick Lawrence\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\NBC Direct\\DirectPlayerCore.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Movie Maker\\moviemk.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Documents and Settings\\Patrick Lawrence\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"59152:UDP"= 59152:UDP:SonicWALL Anti-Virus Compliance Port 59152
"59153:UDP"= 59153:UDP:SonicWALL Anti-Virus Compliance Port 59153
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"57723:TCP"= 57723:TCP:PandoRest Listening Port
"56715:TCP"= 56715:TCP:PMB P2P TCP Listening Port
"56715:UDP"= 56715:UDP:PMB P2P UDP Listening Port
"58686:TCP"= 58686:TCP:Pando Media Booster
"58686:UDP"= 58686:UDP:Pando Media Booster

R2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [6/27/2008 3:47 PM 1664248]
R2 BrcmMgmtAgent;Broadcom Management Agent;c:\program files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe [7/1/2008 8:57 PM 110592]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [9/4/2008 7:28 PM 406808]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [11/11/2008 5:00 PM 451872]
R2 EngineServer;EngineServer;c:\program files\McAfee\Managed VirusScan\VScan\EngineServer.exe [1/28/2009 11:53 AM 14144]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [5/27/2009 3:27 AM 29262680]
R2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [1/28/2009 11:49 AM 282824]
R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Nitro PDF\Professional\NitroPDFDriverService.exe [2/2/2010 1:35 PM 188736]
R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [2/2/2010 1:35 PM 65856]
R2 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [1/28/2009 12:15 PM 78640]
R2 SWAGENT;SonicWALL Agent Service;c:\program files\McAfee\Managed VirusScan\Agent\swAgent.exe [1/28/2009 11:54 AM 202048]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [1/17/2009 10:23 AM 112128]
R3 AteksoftAudio;WebCamera Plus Audio;c:\windows\system32\drivers\ateksoftaudio.sys [2/5/2009 11:56 PM 11776]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [1/17/2009 10:24 AM 110080]
R3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [1/28/2009 12:14 PM 23180]
S2 ACT! Scheduler;ACT! Scheduler;c:\program files\ACT\Act for Windows\Act.Scheduler.exe [1/20/2010 9:23 PM 81920]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/9/2009 4:50 PM 133104]
S2 LANPkt;Realtek LANPkt Protocol;c:\windows\system32\drivers\lanpkt.sys [12/25/2003 11:53 AM 8440]
S3 ADM8511;%ADM8511.Service.DispName%;c:\windows\system32\drivers\adm8511.sys [8/17/2001 12:11 PM 20160]
S3 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2/10/2010 8:11 PM 401920]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [12/25/2003 11:53 AM 11237]
S3 GoToAssist Express Customer;GoToAssist Express Customer;c:\program files\Citrix\GoToAssist Express Customer\209\g2ax_service.exe [12/16/2009 9:32 AM 161144]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [6/4/2009 6:25 AM 17408]
S4 TivoBeacon2;TiVo Beacon Service;c:\program files\TiVo\Desktop\TiVoBeacon.exe [11/2/2009 2:17 PM 1098968]
S4 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [11/13/2009 7:31 AM 92008]
S4 Webcamera Plus Service;Webcamera Plus Service;c:\program files\Ateksoft\WebCamera Plus\WebCamPlusSrv.exe [2/5/2009 11:56 PM 46592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder

2010-06-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-06-24 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-09-10 01:36]

2010-06-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-09 20:50]

2010-06-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-09 20:50]

2010-06-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-74630048-1166971615-2418580888-1005Core.job
- c:\documents and settings\Patrick Lawrence\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-02 03:43]

2010-06-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-74630048-1166971615-2418580888-1005UA.job
- c:\documents and settings\Patrick Lawrence\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-02 03:43]

2010-06-24 c:\windows\Tasks\User_Feed_Synchronization-{2B2F2C7F-96B1-4D8E-A3F2-3FAEFA50E940}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-24 10:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1548)
c:\program files\Citrix\GoToAssist Express Customer\209\g2ax_winlogon.dll

- - - - - - - > 'lsass.exe'(1612)
c:\windows\system32\wvauth.dll

- - - - - - - > 'explorer.exe'(5384)
c:\windows\system32\WININET.dll
c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-06-24 10:04:52
ComboFix-quarantined-files.txt 2010-06-24 14:04
ComboFix2.txt 2010-06-18 18:25
ComboFix3.txt 2009-03-06 00:07
ComboFix4.txt 2009-03-05 20:59
ComboFix5.txt 2010-06-23 13:50

Pre-Run: 10,979,848,192 bytes free
Post-Run: 11,055,280,128 bytes free

- - End Of File - - 12D29828B7D21A83B898DC0799D0AFE9

Edited by lawrencep, 24 June 2010 - 09:17 AM.


#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:26 AM

Posted 24 June 2010 - 11:20 AM

The rootkit is removed in the last run of ComboFix. It surprises me.

Have you configured Internet Explorer for the following settings:

CODE
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
  1. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
    Download JavaRa from Javara for Java update or directly from here.
    Use the tool to remove old and redundant versions of the Java Runtime Environment. The latest version is Java 6 update 20. Please uninstall any remaining versions if the tool could not uninstall them (look for any entry on Add/Remove that contains Java, JRE or Java Run Time); they are:

    Java™ 6 Update 11
    Java™ 6 Update 7



  2. I'd like us to scan your machine with ESET OnlineScan
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    • Click the button.
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      • Click on to download the ESET Smart Installer. Save it to your desktop.
      • Double click on the icon on your desktop.
    • Check
    • Click the button.
    • Accept any security warnings from your browser.
    • Check
    • Push the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push
    • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • Push the button.
    • Push

Edited by farbar, 24 June 2010 - 04:38 PM.
spelling


#9 lawrencep


Posted 24 June 2010 - 04:34 PM

Updated to Java 6u20, couldn't get rid of 6u7 but I'll keep working on that.

Results from ESET Scan

C:\Qoobox\Quarantine\C\WINDOWS\apacakih.dll.vir a variant of Win32/Cimag.CK trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\isapnp.sys.vir Win32/Olmarik.ZC trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\_nczfjud_.sys.zip Win32/Bubnix.AO trojan deleted - quarantined
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP333\A0093322.sys Win32/Olmarik.ZC trojan cleaned - quarantined
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP333\A0093372.dll a variant of Win32/Cimag.CK trojan cleaned by deleting - quarantined


#10 Farbar

Posted 24 June 2010 - 04:45 PM

Actually ESET found nothing but those malware files already removed and quarantined by ComboFix (C:\Qoobox\Quarantine folder) and those in the System Volume Information folder where the restore points are kept. We would have emptied those folders anyway at the end.

  1. To uninstall old Java download the trial version of Your Uninstaller! (Free Fix)
      Install it and run it.
      Under Modules select Uninstaller.
      Highlight Java™ 6 Update 7 and press Uninstall.
      It might give you an error, proceed anyway and it eventually removes the software.
      Let it remove all the files and folders and anything it finds.

  2. Run GMER, uncheck all boxes but let the box next to Registry and C drive remain checked. Click Scan.
    When it has finished, press Save to save the log and post it in your reply.




#11 lawrencep


Posted 24 June 2010 - 10:30 PM

Your Uninstaller removed the old Java. GMER said it didn't find any system modifications--there was no log file.

#12 Farbar

Posted 25 June 2010 - 04:57 AM

It looks good.
  1. It is important to uninstall ComboFix.

    Go to Start => Run => copy and paste next command in the field then hit enter:

    ComboFix /Uninstall

    This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

    It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

  2. You may delete any tool or log we used from your computer.


Happy Surfing, lawrencep.


#13 lawrencep


Posted 25 June 2010 - 08:34 AM

Thank you very much for your help.

Patrick

#14 Farbar

Posted 25 June 2010 - 08:37 AM

You are very welcome.

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.
