
Websearch Hijacked, and IE Tabs Die and Recover


  • This topic is locked
8 replies to this topic

#1 Klamis

Klamis

  • Members
  • 5 posts

Posted 17 November 2010 - 12:54 AM

Hi,

My websearch is hijacked. Every time I click on a search item in Google my browser opens a spam site. It also once opened a site that sent four trojans to my computer that McAfee deleted instantly. After I found my system to be hijacked I scanned with McAfee VirusScan Enterprise and found two trojans, which I believe are both called Generic Downloader.z. I pulled the name straight from McAfee's log. I also downloaded Malwarebytes, ran a full scan, and it found a registry value infected "forceclassiccontrolpanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully" and a file infected "C:\Windows\Tasks\Acrobat Update.job (Malware.Trace) -> Quarantined and deleted successfully".

Now not only is the websearch hijacked, IE 8 tabs now sometimes stop working and have to be recovered. Also, I received two Blue Screens of Death. Both stated a driver is causing the issue, but, unfortunately, I did not copy all of the information down to repeat it here.

I appreciate all the assistance you can provide to fix this issue.

Thanks, Kevin


DDS (Ver_10-11-10.01) - NTFSx86
Run by 3878 at 23:06:19.10 on Tue 11/16/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.2996.1711 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\wininit.exe
C:\WINDOWS\system32\lsm.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe -k RPCSS
C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Windows\system32\WUDFHost.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\WLANExt.exe
C:\WINDOWS\system32\conhost.exe
C:\WINDOWS\System32\spoolsv.exe
C:\WINDOWS\system32\taskeng.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe -k WbioSvcGroup
C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\safeboot\SbClientManager.exe
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\atashost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe
C:\WINDOWS\system32\CISVC.EXE
C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE
C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe
C:\Program Files\Lenovo\Communications Utility\CAMMUTE.exe
C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe
C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe
C:\Program Files\Lotus\Notes\nsd.exe
C:\Program Files\Lotus\Notes\nslsvice.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Lotus\Notes\ntmulti.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k regsvc
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Lenovo\Access Connections\AcSvc.exe
C:\Windows\system32\CCM\CcmExec.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
C:\WINDOWS\system32\conhost.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\WINDOWS\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe
C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\PROGRA~1\Lenovo\HOTKEY\tpnumlk.exe
C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe
C:\Program Files\McAfee\Common Framework\McScript_InUse.exe
C:\WINDOWS\system32\conhost.exe
C:\WINDOWS\system32\taskhost.exe
C:\PROGRA~1\Lenovo\HOTKEY\tpnumlkd.exe
C:\WINDOWS\system32\Dwm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Windows\System32\TpShocks.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Lenovo\Access Connections\ACTray.exe
C:\Program Files\Lenovo\Communications Utility\TPKNRRES.exe
C:\Program Files\SafeBoot Tray Manager\SbTrayManager.exe
C:\Program Files\safeboot\SbTokWatch.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Integrated Camera Driver\RCIMGDIR.exe
C:\Program Files\HTC\HTC Sync\Application Launcher\Application Launcher.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\MindMovies\Subliminal\SubVid.exe
C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Teleca Shared\logger.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\HTC\HTC Sync\ClientInitiatedStarter\ClientInitiatedStarter.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\epmworker.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\FsynSrvStarter.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcconsol.exe
C:\Users\3878\Desktop\dds.scr
C:\WINDOWS\system32\conhost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.itv-f1.com/home.aspx
uDefault_Page_URL = hxxp://www.lawson.com/
uInternet Settings,ProxyServer = pvs02.peacehealth.org:80
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Virtual Storage Mount Notification: {5ff49fe8-b332-4cb9-b102-fb6951629e55} - c:\windows\system32\CbFsMntNtf3.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [SubVid] "c:\program files\mindmovies\subliminal\SubVid.exe" /startup
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [<NO NAME>]
mRun: [TpShocks] TpShocks.exe
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [PWMTRV] rundll32 c:\progra~1\thinkpad\utilit~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
mRun: [AcWin7Hlpr] c:\program files\lenovo\access connections\AcTBenabler.exe
mRun: [ACTray] c:\program files\lenovo\access connections\ACTray.exe
mRun: [LENOVO.TPKNRRES] c:\program files\lenovo\communications utility\TPKNRRES.exe
mRun: [SafeBootTrayManager] "c:\program files\safeboot tray manager\SbTrayManager.exe"
mRun: [SafeBootTokenWatcher] "c:\program files\safeboot\SbTokWatch.exe"
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [SmartAudio] c:\program files\conexant\saii\SAIICpl.exe /t
mRun: [IMSS] "c:\program files\intel\intel® management engine components\imss\PIconStartup.exe"
mRun: [RotateImage] c:\program files\integrated camera driver\RCIMGDIR.exe
mRun: [Mobile Connectivity Suite] "c:\program files\htc\htc sync\application launcher\Application Launcher.exe" /startoptions
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SSDMonitor] c:\program files\common files\pc tools\smonitor\SSDMonitor.exe
StartupFolder: c:\users\3878\appdata\roaming\micros~1\windows\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\jungle~1.lnk - c:\program files\jungle disk desktop\JungleDiskMonitor.exe
uPolicies-explorer: DisallowCpl = 2 (0x2)
uPolicies-explorer: HideSCAHealth = 1 (0x1)
uPolicies-explorer: NoWindowsUpdate = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
Trusted Zone: force.com
Trusted Zone: lawson.com\password
Trusted Zone: salesforce.com
DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} - file://C:/Program Files/F5 VPN/F5_TMP/cachecleaner.cab
DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} - hxxps://vpn.us.lawson.com/vdesk/terminal/urxvpn.cab#version=6031,2009,1010,313
DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} - hxxps://vpn.us.lawson.com/vdesk/terminal/f5tunsrv.cab#version=6031,2009,1010,310
DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} - hxxps://vpn.us.lawson.com/vdesk/terminal/InstallerControl.cab#version=6031,2009,1010,0312
DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} - file://C:/Program Files/F5 VPN/F5_TMP/f5InspectionHost.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} - hxxps://vpn.us.lawson.com/vdesk/terminal/urxshost.cab#version=6031,2009,1010,308
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://lawsonsupport.webex.com/client/T26L/support/ieatgpc1.cab
DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - hxxps://vpn.us.lawson.com/vdesk/terminal/urxhost.cab#version=6031,2009,1010,304
Notify: igfxcui - igfxdev.dll
Notify: psfus - c:\program files\thinkvantage fingerprint software\psqlpwd.dll
SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - c:\windows\system32\CbFsMntNtf3.dll
STS: Virtual Storage Mount Notification: {5ff49fe8-b332-4cb9-b102-fb6951629e55} - c:\windows\system32\CbFsMntNtf3.dll
LSA: Notification Packages = SbNp scecli ACGina c:\program files\thinkvantage fingerprint software\psqlpwd.dll
mASetup: >{Z-DesktopBackground} - reg add "HKCU\Control Panel\Desktop" /v Wallpaper /d "c:\windows\web\wallpaper\windows\background.jpg" /f

============= SERVICES / DRIVERS ===============

R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [2010-7-15 24304]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-6-10 343920]
R0 SBAlg;SBAlg;c:\windows\system32\drivers\SbAlg.sys [2008-8-13 44976]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2009-11-24 6496]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2010-6-16 20592]
R1 cbfs3;cbfs3;c:\windows\system32\drivers\cbfs3.sys [2010-11-11 267208]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2010-7-6 13480]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\RsvLock.sys [2009-11-24 33328]
R1 SbFlop;SbFlop;c:\windows\system32\drivers\SbFlop.sys [2009-11-24 34480]
R1 SbRegFlt;SbRegFlt;c:\windows\system32\drivers\SbRegFlt.sys [2009-11-24 14664]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [2010-8-6 20360]
R2 DozeSvc;Lenovo Doze Mode Service;c:\program files\thinkpad\utilities\DOZESVC.EXE [2010-7-19 132456]
R2 JungleDiskService;JungleDiskService;c:\program files\jungle disk desktop\JungleDiskMonitor.exe [2010-9-24 7199232]
R2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\lenovo\communications utility\CamMute.exe [2010-7-19 50536]
R2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\lenovo\hotkey\micmute.exe [2010-7-6 45496]
R2 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction;c:\program files\lenovo\communications utility\TPKNRSVC.exe [2010-7-19 74088]
R2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;c:\program files\lotus\notes\nsd.exe [2008-12-6 3315080]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2010-1-6 22816]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2010-6-1 120128]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2010-1-6 147472]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2010-1-6 66896]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-6-10 70728]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-11-12 632792]
R2 SafeBootClientManager;SafeBoot Client Manager;c:\program files\safeboot\SbClientManager.exe [2009-11-24 380988]
R2 smihlp2;SMI Helper Driver (smihlp2);c:\program files\thinkvantage fingerprint software\smihlp.sys [2009-3-13 12560]
R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2010-7-6 63928]
R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\intel\intel® management engine components\uns\UNS.exe [2010-7-19 2533400]
R3 5U877;USB Video Device;c:\windows\system32\drivers\5U877.sys [2010-7-19 127232]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k6232.sys [2010-11-11 215208]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-11-11 132480]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2010-11-11 247808]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-6-10 91832]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-6-10 43288]
R3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETwNs32.sys [2010-7-14 6814720]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\covpnwlh.sys [2009-10-9 34944]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltwlh.sys [2010-6-10 13952]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2009-10-26 25088]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-6-10 66600]
S3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETw5s32.sys [2010-3-17 6758912]
S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [2010-7-6 58880]
S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [2010-7-6 137728]
S3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2010-7-15 75112]
S3 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [2010-7-6 48640]
S3 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe86.sys [2010-7-6 38912]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-7-16 1343400]

=============== Created Last 30 ================

2010-11-12 14:44:48 -------- d-----w- c:\users\3878\appdata\roaming\Registry Mechanic
2010-11-12 14:30:47 -------- d-----w- c:\progra~2\PC Tools
2010-11-12 14:30:42 880640 ----a-w- c:\windows\system32\UniBox10.ocx
2010-11-12 14:30:42 506368 ----a-w- c:\windows\system32\msxml.dll
2010-11-12 14:30:42 37336 ----a-w- c:\windows\system32\CleanMFT32.exe
2010-11-12 14:30:42 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx
2010-11-12 14:30:42 1101824 ----a-w- c:\windows\system32\UniBox210.ocx
2010-11-12 14:30:21 -------- d-----w- c:\program files\common files\PC Tools
2010-11-12 06:39:35 3181568 ----a-w- c:\windows\system32\mf.dll
2010-11-12 06:39:35 196608 ----a-w- c:\windows\system32\mfreadwrite.dll
2010-11-12 06:39:34 1619456 ----a-w- c:\windows\system32\WMVDECOD.DLL
2010-11-12 06:38:38 804864 ----a-w- c:\windows\system32\FntCache.dll
2010-11-12 06:38:38 218624 ----a-w- c:\windows\system32\d3d10_1core.dll
2010-11-12 06:38:38 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2010-11-12 06:38:37 737280 ----a-w- c:\windows\system32\d2d1.dll
2010-11-12 06:38:37 1076224 ----a-w- c:\windows\system32\DWrite.dll
2010-11-12 06:37:43 279552 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2010-11-12 06:37:43 135168 ----a-w- c:\windows\system32\XpsRasterService.dll
2010-11-12 06:36:39 1495040 ----a-w- c:\windows\system32\ExplorerFrame.dll
2010-11-12 06:34:42 -------- d-----w- c:\program files\Feedback Tool
2010-11-12 05:53:17 -------- d-----w- c:\progra~2\JungleDisk
2010-11-12 05:53:13 216856 ----a-w- c:\windows\system32\CbFsNetRdr3.dll
2010-11-12 05:53:13 155416 ----a-w- c:\windows\system32\CbFsMntNtf3.dll
2010-11-12 05:53:12 267208 ----a-w- c:\windows\system32\drivers\cbfs3.sys
2010-11-12 05:53:08 -------- d-----w- c:\program files\Jungle Disk Desktop
2010-11-12 01:19:26 -------- d-----w- c:\users\3878\appdata\roaming\Malwarebytes
2010-11-12 01:19:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-12 01:19:12 -------- d-----w- c:\progra~2\Malwarebytes
2010-11-12 01:19:11 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-12 01:19:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-11 20:40:13 196608 ----a-w- c:\windows\system32\wwanconn.dll
2010-11-11 19:00:58 435736 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-11-11 18:58:16 -------- d-----w- c:\program files\Cisco
2010-11-11 18:52:11 486016 ----a-w- c:\windows\system32\drivers\CHDRT32.sys
2010-11-11 18:51:48 256712 ----a-w- c:\windows\system32\PROUnstl.exe
2010-11-11 18:51:23 215208 ----a-w- c:\windows\system32\drivers\e1k6232.sys
2010-11-11 18:47:59 171032 ----a-w- c:\windows\system32\SETAF25.tmp
2010-11-11 18:47:59 11040256 ----a-w- c:\windows\system32\ig4icd32.dll
2010-11-11 18:47:58 3156504 ----a-w- c:\windows\system32\GfxUI.exe
2010-11-11 18:47:58 120320 ----a-w- c:\windows\system32\gfxSrvc.dll
2010-11-11 18:45:50 -------- d-----w- C:\SWTOOLS
2010-11-11 17:27:05 -------- d-----w- c:\windows\system32\appmgmt
2010-11-11 05:54:49 110080 --sha-r- c:\windows\system32\setvero.dll
2010-11-11 05:53:20 116736 ------w- c:\windows\system32\drivers\mcdbus.sys
2010-11-11 05:53:18 -------- d-----w- c:\program files\MagicDisc
2010-11-11 05:33:55 57832 ------w- c:\windows\system32\ptdllrun1.exe
2010-10-26 21:29:41 641536 ----a-w- c:\windows\system32\CPFilters.dll
2010-10-26 21:29:41 417792 ----a-w- c:\windows\system32\msdri.dll
2010-10-26 21:29:40 204288 ----a-w- c:\windows\system32\MSNP.ax
2010-10-26 21:29:40 199680 ----a-w- c:\windows\system32\mpg2splt.ax
2010-10-26 21:29:26 26504 ----a-w- c:\windows\system32\drivers\Diskdump.sys

==================== Find3M ====================

2010-09-08 16:17:46 94208 ------w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 16:17:46 69632 ------w- c:\windows\system32\QuickTime.qts
2010-09-08 04:30:04 978432 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 04:28:15 44544 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 03:22:31 386048 ----a-w- c:\windows\system32\html.iec
2010-09-08 02:48:16 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-04 19:30:52 8198680 ----a-w- c:\windows\system32\TVWSetup.exe
2010-09-04 19:30:48 136216 ----a-w- c:\windows\system32\igfxtray.exe
2010-09-04 19:30:46 266776 ----a-w- c:\windows\system32\SETA59D.tmp
2010-09-04 19:30:44 170520 ----a-w- c:\windows\system32\igfxpers.exe
2010-09-04 19:30:42 179224 ----a-w- c:\windows\system32\SETC3B7.tmp
2010-09-01 04:23:49 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-01 02:34:52 2327552 ----a-w- c:\windows\system32\win32k.sys
2010-08-31 04:32:30 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 04:32:30 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-31 02:15:54 12288 ----a-w- c:\windows\system32\SETB379.tmp
2010-08-27 05:46:48 168448 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 10:39:44 81920 ----a-w- c:\windows\system32\igfxCoIn_v2202.dll
2010-08-26 10:31:28 4967424 ----a-w- c:\windows\system32\igdumd32.dll
2010-08-26 10:30:00 127868 ----a-w- c:\windows\system32\igcompkrng575.bin
2010-08-26 10:29:58 870560 ----a-w- c:\windows\system32\igkrng575.bin
2010-08-26 10:29:58 104796 ----a-w- c:\windows\system32\igfcg575m.bin
2010-08-26 10:28:20 571904 ----a-w- c:\windows\system32\igdumdx32.dll
2010-08-26 10:23:12 4411904 ----a-w- c:\windows\system32\igd10umd32.dll
2010-08-26 09:59:58 23552 ----a-w- c:\windows\system32\igfxexps.dll
2010-08-26 09:59:58 194560 ----a-w- c:\windows\system32\igfxpph.dll
2010-08-26 09:59:56 261632 ----a-w- c:\windows\system32\igfxTMM.dll
2010-08-26 09:59:56 115200 ----a-w- c:\windows\system32\igfxcpl.cpl
2010-08-26 09:59:40 57344 ----a-w- c:\windows\system32\igfxsrvc.dll
2010-08-26 09:59:22 130048 ----a-w- c:\windows\system32\igfxdo.dll
2010-08-26 09:59:14 94720 ----a-w- c:\windows\system32\hccutils.dll
2010-08-26 09:59:06 4096 ----a-w- c:\windows\system32\IGFXDEVLib.dll
2010-08-26 09:59:04 85504 ----a-w- c:\windows\system32\SETCDCD.tmp
2010-08-26 09:59:04 828928 ----a-w- c:\windows\system32\igfxress.dll
2010-08-26 09:59:04 228864 ----a-w- c:\windows\system32\igfxdev.dll
2010-08-26 04:39:58 109056 ----a-w- c:\windows\system32\t2embed.dll
2010-08-21 05:36:33 738816 ----a-w- c:\windows\system32\wmpmde.dll
2010-08-21 05:36:24 224256 ----a-w- c:\windows\system32\schannel.dll
2010-08-21 05:33:24 530432 ----a-w- c:\windows\system32\comctl32.dll
2010-08-21 05:32:37 316928 ----a-w- c:\windows\system32\spoolsv.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7600 Disk: TOSHIBA_ rev.PS11 -> Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: >>UNKNOWN [0x82A52000]<< >>UNKNOWN [0x8AE00000]<< >>UNKNOWN [0x8B5DD000]<< >>UNKNOWN [0x8AEA9000]<< >>UNKNOWN [0x82A1B000]<< >>UNKNOWN [0x8B025000]<<
_asm { DEC EBP; POP EDX; NOP ; ADD [EBX], AL; ADD [EAX], AL; ADD [EAX+EAX], AL; ADD [EAX], AL; }
1 ntkrnlpa!IofCallDriver[0x82A8E458] -> \Device\Harddisk0\DR0[0x87BEB030]
\Driver\Disk[0x87BEA030] -> IRP_MJ_CREATE -> 0x8AE0439F
3 [0x8AE0459E] -> ntkrnlpa!IofCallDriver[0x82A8E458] -> [0x86057AE0]
\Driver\ACPI[0x853EE1B8] -> IRP_MJ_CREATE -> 0x8AEB24AA
5 [0x8AEB23B2] -> ntkrnlpa!IofCallDriver[0x82A8E458] -> \Device\Ide\IAAStorageDevice-1[0x86091028]
\Driver\iaStor[0x86052910] -> IRP_MJ_CREATE -> 0x8B04BE36
kernel: MBR read successfully
_asm { CLI ; JMP 0x26; }
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 23:08:16.40 ===============
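One way to triage the policy, proxy and autorun lines of a DDS "Pseudo HJT Report" such as the one above (an added example, not code from the thread or from the DDS tool; the Windows 7 default values used as the baseline and the function names are my own assumptions):

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log.

Added example, not from the thread or from the DDS tool. It reads the
policy, proxy and autorun lines DDS prints and flags the ones that weaken
the machine's security posture against an assumed Windows 7 default baseline.
"""
import re

# Constructed sample: lines copied from the report posted in the thread.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.itv-f1.com/home.aspx
uInternet Settings,ProxyServer = pvs02.peacehealth.org:80
uInternet Settings,ProxyOverride = *.local
uPolicies-explorer: DisallowCpl = 2 (0x2)
uPolicies-explorer: HideSCAHealth = 1 (0x1)
uPolicies-explorer: NoWindowsUpdate = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mRun: [<NO NAME>]
mRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
"""

# Assumed baseline (Windows 7 defaults): policy name -> (expected value, why a deviation matters).
POLICY_BASELINE = {
    "EnableLUA": ("1", "UAC is disabled; every process runs with the full admin token"),
    "ConsentPromptBehaviorAdmin": ("5", "administrators are elevated without any prompt"),
    "PromptOnSecureDesktop": ("1", "elevation prompts are not isolated and can be spoofed"),
    "NoWindowsUpdate": ("0", "Windows Update access is blocked for the user"),
    "DisallowCpl": ("0", "Control Panel applets are hidden from the user"),
    "HideSCAHealth": ("0", "Action Center security warnings are suppressed"),
}

POLICY_RE = re.compile(r"^([um])Policies-(\w+): (\w+) = (\d+) \(0x[0-9a-fA-F]+\)$")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (\S+)$")
RUN_RE = re.compile(r"^([um])Run: \[(.*?)\]\s*(.*)$")


def parse_policies(log):
    """Map (scope, hive, name) -> value for every policy line.
    DDS prefixes: 'u' = per-user (HKCU), 'm' = machine-wide (HKLM)."""
    found = {}
    for line in log.splitlines():
        m = POLICY_RE.match(line)
        if m:
            scope, hive, name, value = m.groups()
            found[(scope, hive, name)] = value
    return found


def find_weak_settings(log):
    """Return a list of findings, each a dict with item, value, expected and why."""
    findings = []
    for (scope, hive, name), value in parse_policies(log).items():
        if name in POLICY_BASELINE and value != POLICY_BASELINE[name][0]:
            expected, why = POLICY_BASELINE[name]
            findings.append({"item": f"{scope}Policies-{hive}:{name}",
                             "value": value, "expected": expected, "why": why})
    for line in log.splitlines():
        pm = PROXY_RE.match(line)
        if pm:
            findings.append({"item": "ProxyServer", "value": pm.group(1),
                             "expected": "none, unless it is known corporate infrastructure",
                             "why": "all browser traffic is routed through this host; confirm it is expected"})
        rm = RUN_RE.match(line)
        if rm and (rm.group(2) == "<NO NAME>" or not rm.group(3)):
            findings.append({"item": f"{rm.group(1)}Run:[{rm.group(2)}]",
                             "value": rm.group(3) or "(empty)",
                             "expected": "a named entry with a command line",
                             "why": "an unnamed or empty Run value is unusual and worth checking"})
    return findings


def format_report(findings):
    """Render the findings as one line per deviation."""
    lines = [f"{len(findings)} setting(s) deviate from the baseline"]
    for f in findings:
        lines.append(f"- {f['item']} = {f['value']} (expected {f['expected']}): {f['why']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(find_weak_settings(SAMPLE_LOG)))
```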



#2 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • Gender:Male
  • Location:Dubai

Posted 25 November 2010 - 12:28 AM

Hello, Klamis.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, I would appreciate you letting us know. If not, please perform the following so I can have a look at the current condition of your machine.

Thanks

Should you still require assistance, please take note of the points below:
  • Please track this topic by either adding it to your favourites or clicking the Options button at the top of this thread and then Track this topic.
  • Please disable word-wrap before posting logs. This can be done by clicking Format and un-ticking the word-wrap feature in notepad.
  • The logs that you post should be copied and pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • If you do not reply within 5 days, I will have to close your topic. Should you not be able to meet this, please notify me so that I will leave the topic open.
  • Please do not install, update, or run any programs for the duration of the fix.
  • If you do not understand the instructions I provide, please don't hesitate to ask. That's what I'm here for :)
  • Please continue to reply to this topic until I give you the all clean. Just because there are no symptoms of infection doesn't mean that the computer is clean.
  • If you are running Vista, please run all the fixes as an administrator. This is done by right-clicking the program and clicking "Run as Administrator".

Please do the following so I can take a look at the current state of your system.
We need to run Defogger
  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
Note: If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
Do not re-enable these drivers until the end of the fix.

We need to run RSIT
  • Download random's system information tool (RSIT) by random/random and save it to your desktop.
  • Double click on RSIT.exe.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

NEXT:
We need to run an Anti-Rootkit (ARK) scan
  • Download GMER and save to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click the GMER program. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Make sure all options are checked except:
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All (This is important, so do not miss it.)
    Note: If GMER crashes or hangs, please retry running a scan. Only this time, in addition to the options mentioned above, uncheck Devices as well.
  • When the scan is complete, click Save and save the log onto your desktop.

If GMER crashes, hangs or blue-screens, do the following
  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
    **Note: It is zipped into a .RAR file. If you do not have a .RAR extractor, you can get one for free here
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.
Note: You may get this warning. If so, please ignore it.
"Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"


In your next reply, please include the following:
  • Log.txt
  • info.txt
  • gmer.log/RKUnhooker log

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • Gender:Male
  • Location:Dubai

Posted 28 November 2010 - 01:15 AM

Hello Klamis
Are you still with us?

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#4 Klamis

Klamis
  • Topic Starter

  • Members
  • 5 posts

Posted 29 November 2010 - 11:54 PM

Yes, I'm still here. Sorry, ate too much turkey this weekend! :)

Hey, I'm trying to run Defogger and I get a "You must be an administrator to use Defogger". I am an admin on this computer and I even right-click Defogger, choose "Run as administrator", and it still does not run. Is there something I'm missing?

By the way, thank you for helping me!

#5 Klamis
  • Topic Starter
  • Members
  • 5 posts

Posted 30 November 2010 - 12:18 AM

Logfile of random's system information tool 1.08 (written by random/random)
Run by 3878 at 2010-11-29 22:55:58
Microsoft Windows 7 Enterprise
System drive C: has 163 GB (69%) free of 238 GB
Total RAM: 2996 MB (52% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:56:39 PM, on 11/29/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16671)
Boot mode: Normal

Running processes:
C:\PROGRA~1\Lenovo\HOTKEY\tpnumlkd.exe
C:\WINDOWS\system32\taskhost.exe
C:\WINDOWS\system32\Dwm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Windows\System32\TpShocks.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Lenovo\Access Connections\ACTray.exe
C:\Program Files\Lenovo\Communications Utility\TPKNRRES.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\SafeBoot Tray Manager\SbTrayManager.exe
C:\Program Files\safeboot\SbTokWatch.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Program Files\Integrated Camera Driver\RCIMGDIR.exe
C:\Program Files\HTC\HTC Sync\Application Launcher\Application Launcher.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\MindMovies\Subliminal\SubVid.exe
C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\Teleca Shared\logger.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\HTC\HTC Sync\ClientInitiatedStarter\ClientInitiatedStarter.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\epmworker.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\FsynSrvStarter.exe
C:\Program Files\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox 4.0 Beta 7\firefox.exe
C:\Program Files\Mozilla Firefox 4.0 Beta 7\plugin-container.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Users\3878\Desktop\RSIT.exe
C:\Program Files\trend micro\3878.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.lawson.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.itv-f1.com/home.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.lawson.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lawson.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = pvs02.peacehealth.org:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Virtual Storage Mount Notification - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\WINDOWS\system32\CbFsMntNtf3.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ConnectionCenter] "C:\Program Files\Citrix\ICA Client\concentr.exe" /startup
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [AcWin7Hlpr] C:\Program Files\Lenovo\Access Connections\AcTBenabler.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\Lenovo\Access Connections\ACTray.exe
O4 - HKLM\..\Run: [LENOVO.TPKNRRES] C:\Program Files\Lenovo\Communications Utility\TPKNRRES.exe
O4 - HKLM\..\Run: [SafeBootTrayManager] "C:\Program Files\SafeBoot Tray Manager\SbTrayManager.exe"
O4 - HKLM\..\Run: [SafeBootTokenWatcher] "C:\Program Files\safeboot\SbTokWatch.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t
O4 - HKLM\..\Run: [IMSS] "C:\Program Files\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe"
O4 - HKLM\..\Run: [RotateImage] C:\Program Files\Integrated Camera Driver\RCIMGDIR.exe
O4 - HKLM\..\Run: [Mobile Connectivity Suite] "C:\Program Files\HTC\HTC Sync\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SSDMonitor] C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SubVid] "C:\Program Files\MindMovies\Subliminal\SubVid.exe" /startup
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Jungle Disk Desktop.lnk = C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\ThinkPad\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @C:\Program Files\ThinkPad\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O16 - DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} (F5 Networks CacheCleaner) - file://C:/Program Files/F5 VPN/F5_TMP/cachecleaner.cab
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://vpn.us.lawson.com/vdesk/terminal/urxvpn.cab#version=6031,2009,1010,313
O16 - DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} (F5 Networks Dynamic Application Tunnel Control) - https://vpn.us.lawson.com/vdesk/terminal/f5tunsrv.cab#version=6031,2009,1010,310
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://vpn.us.lawson.com/vdesk/terminal/InstallerControl.cab#version=6031,2009,1010,0312
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - file://C:/Program Files/F5 VPN/F5_TMP/f5InspectionHost.cab
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://vpn.us.lawson.com/vdesk/terminal/urxshost.cab#version=6031,2009,1010,308
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://lawsonsupport.webex.com/client/T26L/support/ieatgpc1.cab
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://vpn.us.lawson.com/vdesk/terminal/urxhost.cab#version=6031,2009,1010,304
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corpnet.lawson.com
O17 - HKLM\Software\..\Telephony: DomainName = corpnet.lawson.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corpnet.lawson.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corpnet.lawson.com
O21 - SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\WINDOWS\system32\CbFsMntNtf3.dll
O22 - SharedTaskScheduler: Virtual Storage Mount Notification - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\WINDOWS\system32\CbFsMntNtf3.dll
O23 - Service: AcPrfMgrSvc - Lenovo - C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe
O23 - Service: AcSvc - Lenovo - C:\Program Files\Lenovo\Access Connections\AcSvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: WebEx Service Host for Support Center (atashost) - WebEx Communications, Inc. - C:\WINDOWS\system32\atashost.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe
O23 - Service: Lenovo Doze Mode Service (DozeSvc) - Lenovo. - C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo. - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: JungleDiskService - Jungle Disk, Inc. - C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe
O23 - Service: Lenovo Camera Mute (LENOVO.CAMMUTE) - Lenovo Group Limited - C:\Program Files\Lenovo\Communications Utility\CAMMUTE.exe
O23 - Service: Lenovo Microphone Mute (LENOVO.MICMUTE) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe
O23 - Service: Lenovo Keyboard Noise Reduction (LENOVO.TPKNRSVC) - Lenovo Group Limited - C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe
O23 - Service: Lenovo Auto Scroll (Lenovo.VIRTSCRLSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe
O23 - Service: Intel® Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
O23 - Service: Lotus Notes Diagnostics - IBM - C:\Program Files\Lotus\Notes\nsd.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\Program Files\Lotus\Notes\nslsvice.exe
O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\Lotus\Notes\ntmulti.exe
O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - Unknown owner - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
O23 - Service: Power Manager DBC Service - Lenovo - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel® Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: SafeBoot Client Manager (SafeBootClientManager) - McAfee, Inc. - C:\Program Files\safeboot\SbClientManager.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: Intel® Management & Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe

--
End of file - 14336 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\ONXQ.job
C:\WINDOWS\tasks\PCDoctorBackgroundMonitorTask.job
C:\WINDOWS\tasks\RMSchedule.job
C:\WINDOWS\tasks\SystemToolsDailyTest.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-09-22 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5FF49FE8-B332-4CB9-B102-FB6951629E55}]
Virtual Storage Mount Notification - C:\WINDOWS\system32\CbFsMntNtf3.dll [2010-06-09 155416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll [2010-01-06 67120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live ID Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-08-18 403840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-06-10 41760]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"=C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE [2010-01-06 124240]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2010-04-22 1725736]
"ConnectionCenter"=C:\Program Files\Citrix\ICA Client\concentr.exe [2009-09-12 103768]
""= []
"TpShocks"=C:\WINDOWS\system32\TpShocks.exe [2010-07-01 337256]
"TPHOTKEY"=C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe [2010-07-27 69560]
"PWMTRV"=rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor []
"AcWin7Hlpr"=C:\Program Files\Lenovo\Access Connections\AcTBenabler.exe [2010-09-17 31592]
"ACTray"=C:\Program Files\Lenovo\Access Connections\ACTray.exe [2010-09-17 431464]
"LENOVO.TPKNRRES"=C:\Program Files\Lenovo\Communications Utility\TPKNRRES.exe [2010-07-27 62312]
"SafeBootTrayManager"=C:\Program Files\SafeBoot Tray Manager\SbTrayManager.exe [2009-08-19 69632]
"SafeBootTokenWatcher"=C:\Program Files\safeboot\SbTokWatch.exe [2009-11-24 172092]
"McAfeeUpdaterUI"=C:\Program Files\McAfee\Common Framework\udaterui.exe [2010-06-01 140608]
"SmartAudio"=C:\Program Files\CONEXANT\SAII\SAIICpl.exe [2009-11-16 307768]
"IMSS"=C:\Program Files\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe [2010-05-03 112152]
"RotateImage"=C:\Program Files\Integrated Camera Driver\RCIMGDIR.exe [2008-10-30 31744]
"Mobile Connectivity Suite"=C:\Program Files\HTC\HTC Sync\Application Launcher\Application Launcher.exe [2009-11-19 598016]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2010-09-08 421888]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2010-09-23 35760]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-09-20 932288]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2010-09-04 136216]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2009-12-31 175640]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2010-09-04 170520]
"SSDMonitor"=C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe [2010-09-16 104408]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2010-11-11 421160]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2009-07-13 1173504]
"SubVid"=C:\Program Files\MindMovies\Subliminal\SubVid.exe [2008-09-16 139264]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-09-20 932288]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2010-09-23 35760]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bing Bar]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2010-11-11 421160]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher]
C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe [2010-04-02 55048]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2010-09-08 421888]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
C:\PROGRA~1\ThinkPad\BLUETO~1\BTTray.exe [2009-10-02 795936]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Jungle Disk Desktop.lnk - C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe

C:\Users\3878\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2010-08-26 228864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\psfus]
C:\Program Files\ThinkVantage Fingerprint Software\psqlpwd.dll [2010-04-02 100104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\WINDOWS\system32\CbFsMntNtf3.dll [2010-06-09 155416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
Virtual Storage Mount Notification - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\WINDOWS\system32\CbFsMntNtf3.dll [2010-06-09 155416]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=SbNp
scecli
C:\Program Files\ThinkVantage Fingerprint Software\psqlpwd.dll
ACGina

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=credssp.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AFD]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\atashost]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispScrSavPage"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=0
"ConsentPromptBehaviorUser"=3
"EnableLUA"=0
"EnableUIADesktopToggle"=0
"PromptOnSecureDesktop"=0
"dontdisplaylastusername"=1
"legalnoticecaption"=WARNING NOTICE:
"legalnoticetext"=You are about to enter a Private Network that is intended for the authorized use of Lawson Software, Inc., its affiliate companies (the Company), and users authorized by the Company for business purposes only (Code of Conduct can be located by following this link: http://www.lawson.com/wcw.nsf/pub/IR_21905C) The actual or attempted unauthorized access, use, or modification of this network is strictly prohibited by the Company. Unauthorized users and/or unauthorized use are subject to Company disciplinary proceedings and/or civil penalties in accordance with applicable domestic and foreign laws. Where authorized by law, the use of this system may be monitored and recorded for administrative and security reasons. If such monitoring and/or recording reveals possible evidence of criminal activity, the Company may provide the monitored evidence of such activity to law enforcement officials.
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"DisallowCpl"=2
"HideSCAHealth"=1
"NoDriveTypeAutoRun"=145
"NoWindowsUpdate"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 months======

2010-11-29 22:55:58 ----D---- C:\rsit
2010-11-29 22:55:58 ----D---- C:\Program Files\trend micro
2010-11-21 19:02:24 ----D---- C:\Program Files\Mozilla Firefox 4.0 Beta 7
2010-11-20 17:24:16 ----A---- C:\WINDOWS\system32\drivers\usbhub.sys
2010-11-20 17:24:16 ----A---- C:\WINDOWS\system32\drivers\usbehci.sys
2010-11-20 16:44:59 ----D---- C:\ProgramData\PCDr
2010-11-20 16:44:59 ----D---- C:\ProgramData\PC-Doctor for Windows
2010-11-20 16:44:12 ----D---- C:\Program Files\PC-Doctor
2010-11-20 16:27:24 ----A---- C:\sfcdetails.txt
2010-11-18 21:50:46 ----D---- C:\ProgramData\FLEXnet
2010-11-18 01:22:36 ----D---- C:\Program Files\Common Files\PX Storage Engine
2010-11-18 01:15:35 ----D---- C:\Program Files\Adobe Media Player
2010-11-18 01:13:36 ----D---- C:\Program Files\Common Files\Adobe AIR
2010-11-18 01:09:35 ----D---- C:\Program Files\uTorrent
2010-11-18 01:08:10 ----D---- C:\Users\3878\AppData\Roaming\uTorrent
2010-11-18 01:04:51 ----D---- C:\Program Files\Common Files\Macrovision Shared
2010-11-17 08:25:59 ----D---- C:\Program Files\iPod
2010-11-17 08:25:58 ----D---- C:\Program Files\iTunes
2010-11-12 08:44:48 ----D---- C:\Users\3878\AppData\Roaming\Registry Mechanic
2010-11-12 08:30:47 ----D---- C:\ProgramData\PC Tools
2010-11-12 08:30:42 ----A---- C:\WINDOWS\system32\msxml.dll
2010-11-12 08:30:42 ----A---- C:\WINDOWS\system32\CleanMFT32.exe
2010-11-12 08:30:21 ----D---- C:\Program Files\Common Files\PC Tools
2010-11-12 08:30:19 ----D---- C:\Program Files\Registry Mechanic
2010-11-12 08:30:19 ----AD---- C:\ProgramData\TEMP
2010-11-12 00:39:35 ----A---- C:\WINDOWS\system32\mfreadwrite.dll
2010-11-12 00:39:35 ----A---- C:\WINDOWS\system32\mf.dll
2010-11-12 00:39:34 ----A---- C:\WINDOWS\system32\WMVDECOD.DLL
2010-11-12 00:38:38 ----A---- C:\WINDOWS\system32\FntCache.dll
2010-11-12 00:38:38 ----A---- C:\WINDOWS\system32\d3d10warp.dll
2010-11-12 00:38:38 ----A---- C:\WINDOWS\system32\d3d10_1core.dll
2010-11-12 00:38:37 ----A---- C:\WINDOWS\system32\DWrite.dll
2010-11-12 00:38:37 ----A---- C:\WINDOWS\system32\d2d1.dll
2010-11-12 00:37:43 ----A---- C:\WINDOWS\system32\XpsRasterService.dll
2010-11-12 00:37:43 ----A---- C:\WINDOWS\system32\XpsGdiConverter.dll
2010-11-12 00:36:39 ----A---- C:\WINDOWS\system32\ExplorerFrame.dll
2010-11-12 00:34:42 ----D---- C:\Program Files\Feedback Tool
2010-11-11 23:53:17 ----D---- C:\ProgramData\JungleDisk
2010-11-11 23:53:13 ----A---- C:\WINDOWS\system32\CbFsNetRdr3.dll
2010-11-11 23:53:13 ----A---- C:\WINDOWS\system32\CbFsMntNtf3.dll
2010-11-11 23:53:12 ----A---- C:\WINDOWS\system32\drivers\cbfs3.sys
2010-11-11 23:53:08 ----D---- C:\Program Files\Jungle Disk Desktop
2010-11-11 19:19:26 ----D---- C:\Users\3878\AppData\Roaming\Malwarebytes
2010-11-11 19:19:15 ----A---- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2010-11-11 19:19:12 ----D---- C:\ProgramData\Malwarebytes
2010-11-11 19:19:11 ----A---- C:\WINDOWS\system32\drivers\mbam.sys
2010-11-11 19:19:10 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-11-11 14:42:26 ----D---- C:\WINDOWS\Minidump
2010-11-11 14:40:13 ----A---- C:\WINDOWS\system32\wwanconn.dll
2010-11-11 13:00:58 ----A---- C:\WINDOWS\system32\drivers\iaStor.sys
2010-11-11 13:00:11 ----D---- C:\ProgramData\Intel
2010-11-11 12:58:16 ----D---- C:\Program Files\Cisco
2010-11-11 12:52:11 ----A---- C:\WINDOWS\system32\drivers\CHDRT32.sys
2010-11-11 12:51:48 ----A---- C:\WINDOWS\system32\PROUnstl.exe
2010-11-11 12:51:23 ----A---- C:\WINDOWS\system32\drivers\e1k6232.sys
2010-11-11 12:48:13 ----A---- C:\WINDOWS\system32\drivers\IntcDAud.sys
2010-11-11 12:48:13 ----A---- C:\WINDOWS\system32\drivers\Impcd.sys
2010-11-11 12:48:12 ----A---- C:\WINDOWS\system32\SETB379.tmp
2010-11-11 12:48:07 ----A---- C:\WINDOWS\system32\TVWSetup.exe
2010-11-11 12:48:06 ----A---- C:\WINDOWS\system32\igfxCoIn_v2202.dll
2010-11-11 12:48:05 ----A---- C:\WINDOWS\system32\SETA59D.tmp
2010-11-11 12:48:05 ----A---- C:\WINDOWS\system32\igfxtray.exe
2010-11-11 12:48:05 ----A---- C:\WINDOWS\system32\igfxTMM.dll
2010-11-11 12:48:03 ----A---- C:\WINDOWS\system32\SETCDCD.tmp
2010-11-11 12:48:03 ----A---- C:\WINDOWS\system32\igfxress.dll
2010-11-11 12:48:02 ----A---- C:\WINDOWS\system32\SETC3B7.tmp
2010-11-11 12:48:02 ----A---- C:\WINDOWS\system32\igfxpph.dll
2010-11-11 12:48:02 ----A---- C:\WINDOWS\system32\igfxpers.exe
2010-11-11 12:48:02 ----A---- C:\WINDOWS\system32\igfxdo.dll
2010-11-11 12:48:02 ----A---- C:\WINDOWS\system32\IGFXDEVLib.dll
2010-11-11 12:48:02 ----A---- C:\WINDOWS\system32\igdumdx32.dll
2010-11-11 12:48:01 ----A---- C:\WINDOWS\system32\igdumd32.dll
2010-11-11 12:48:00 ----A---- C:\WINDOWS\system32\drivers\igdkmd32.sys
2010-11-11 12:47:59 ----A---- C:\WINDOWS\system32\SETAF25.tmp
2010-11-11 12:47:59 ----A---- C:\WINDOWS\system32\ig4icd32.dll
2010-11-11 12:47:58 ----A---- C:\WINDOWS\system32\GfxUI.exe
2010-11-11 12:47:58 ----A---- C:\WINDOWS\system32\gfxSrvc.dll
2010-11-11 12:45:50 ----D---- C:\SWTOOLS
2010-11-11 12:08:09 ----SHD---- C:\Config.Msi
2010-11-11 11:27:05 ----D---- C:\WINDOWS\system32\appmgmt
2010-11-10 23:54:49 ----RASH---- C:\WINDOWS\system32\setvero.dll
2010-11-10 23:53:20 ----N---- C:\WINDOWS\system32\drivers\mcdbus.sys
2010-11-10 23:53:18 ----D---- C:\Program Files\MagicDisc
2010-11-10 23:33:55 ----N---- C:\WINDOWS\system32\ptdllrun1.exe

======List of files/folders modified in the last 1 months======

2010-11-29 22:55:58 ----AD---- C:\Program Files
2010-11-29 22:47:34 ----D---- C:\WINDOWS\system32\config
2010-11-29 22:43:18 ----D---- C:\WINDOWS\Temp
2010-11-29 22:35:46 ----A---- C:\WINDOWS\system32\log.txt
2010-11-29 22:34:47 ----A---- C:\WINDOWS\SMSCFG.INI
2010-11-29 22:33:43 ----AD---- C:\Windows
2010-11-24 11:33:37 ----D---- C:\Program Files\Quicken
2010-11-24 10:19:21 ----D---- C:\WINDOWS\inf
2010-11-24 10:19:21 ----AD---- C:\WINDOWS\System32
2010-11-24 10:19:21 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-11-24 03:13:29 ----D---- C:\WINDOWS\Microsoft.NET
2010-11-24 03:13:26 ----RSD---- C:\WINDOWS\assembly
2010-11-24 03:05:04 ----SHD---- C:\WINDOWS\Installer
2010-11-24 03:02:20 ----D---- C:\WINDOWS\system32\en-US
2010-11-24 03:01:48 ----D---- C:\Program Files\Microsoft.NET
2010-11-24 03:00:16 ----D---- C:\Program Files\Internet Explorer
2010-11-24 03:00:15 ----D---- C:\WINDOWS\winsxs
2010-11-23 21:28:42 ----D---- C:\WINDOWS\system32\catroot
2010-11-23 00:06:18 ----SHD---- C:\System Volume Information
2010-11-22 17:53:36 ----D---- C:\WINDOWS\Downloaded Program Files
2010-11-20 20:26:57 ----D---- C:\WINDOWS\system32\Tasks
2010-11-20 17:24:40 ----D---- C:\WINDOWS\system32\DriverStore
2010-11-20 17:24:40 ----D---- C:\WINDOWS\system32\drivers
2010-11-20 16:51:14 ----RSD---- C:\WINDOWS\Media
2010-11-20 16:47:36 ----D---- C:\WINDOWS\Downloaded Installations
2010-11-20 16:47:00 ----D---- C:\Program Files\Lenovo
2010-11-20 16:45:14 ----D---- C:\WINDOWS\Tasks
2010-11-20 16:44:59 ----AHD---- C:\ProgramData
2010-11-20 14:39:21 ----D---- C:\Program Files\Secure IT
2010-11-18 21:51:58 ----D---- C:\Users\3878\AppData\Roaming\Adobe
2010-11-18 20:46:21 ----D---- C:\WINDOWS\system32\catroot2
2010-11-18 03:41:41 ----D---- C:\WINDOWS\Prefetch
2010-11-18 01:23:05 ----D---- C:\Program Files\Adobe
2010-11-18 01:22:36 ----D---- C:\Program Files\Common Files
2010-11-18 01:20:57 ----D---- C:\ProgramData\Adobe
2010-11-18 01:20:47 ----D---- C:\Program Files\Common Files\Adobe
2010-11-18 01:11:35 ----RSD---- C:\WINDOWS\Fonts
2010-11-17 08:25:58 ----D---- C:\Program Files\Common Files\Apple
2010-11-16 08:44:58 ----D---- C:\WINDOWS\rescache
2010-11-15 23:03:45 ----D---- C:\WINDOWS\system32\migration
2010-11-15 23:03:45 ----D---- C:\WINDOWS\PolicyDefinitions
2010-11-12 10:57:16 ----A---- C:\WINDOWS\wininit.ini
2010-11-12 10:57:12 ----D---- C:\Program Files\Roxio
2010-11-12 10:56:07 ----D---- C:\Program Files\Common Files\InstallShield
2010-11-12 08:41:38 ----D---- C:\WINDOWS\debug
2010-11-12 00:34:39 ----D---- C:\WINDOWS\Logs
2010-11-11 20:10:09 ----D---- C:\WINDOWS\AppCompat
2010-11-11 12:58:04 ----D---- C:\Program Files\Common Files\Intel
2010-11-11 12:50:45 ----D---- C:\Program Files\Intel
2010-11-11 12:48:26 ----D---- C:\Intel
2010-11-11 12:45:21 ----D---- C:\ProgramData\Lenovo
2010-11-11 12:19:04 ----D---- C:\ProgramData\Win7codecs
2010-11-11 12:11:40 ----D---- C:\Program Files\Common Files\Roxio Shared
2010-11-11 12:08:40 ----D---- C:\Program Files\Common Files\Sonic Shared
2010-11-11 02:03:09 ----D---- C:\Program Files\FileZilla FTP Client
2010-11-10 23:29:44 ----HD---- C:\Program Files\InstallShield Installation Information
2010-11-10 23:29:04 ----D---- C:\Program Files\Bing Bar Installer
2010-11-10 23:29:00 ----D---- C:\Program Files\Microsoft
2010-11-10 12:49:27 ----SD---- C:\Users\3878\AppData\Roaming\Microsoft
2010-11-10 03:07:07 ----D---- C:\ProgramData\Microsoft Help
2010-11-04 07:55:07 ----D---- C:\WINDOWS\system32\NDF
2010-11-02 16:47:16 ----A---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 DozeHDD;DozeHDD; C:\WINDOWS\System32\DRIVERS\DozeHDD.sys [2010-08-25 24304]
R0 DRVMCDB;DRVMCDB; C:\WINDOWS\System32\Drivers\DRVMCDB.SYS [2007-03-12 99848]
R0 iaStor;Intel AHCI Controller; C:\WINDOWS\system32\DRIVERS\iaStor.sys [2010-03-03 435736]
R0 mfehidk;McAfee Inc. mfehidk; C:\WINDOWS\system32\drivers\mfehidk.sys [2010-01-06 343920]
R0 PxHelp20;PxHelp20; C:\WINDOWS\System32\Drivers\PxHelp20.sys [2008-04-08 44944]
R0 rdyboost;ReadyBoost; C:\WINDOWS\System32\drivers\rdyboost.sys [2009-07-13 173648]
R0 SafeBoot;SafeBoot; C:\WINDOWS\system32\drivers\SafeBoot.sys [2009-11-24 103760]
R0 SBAlg;SBAlg; C:\WINDOWS\system32\drivers\SBAlg.sys [2008-08-13 44976]
R0 SbFsLock;SbFsLock; C:\WINDOWS\system32\drivers\SbFsLock.sys [2009-11-24 6496]
R0 Shockprf;Shockprf; C:\WINDOWS\System32\DRIVERS\Apsx86.sys [2010-06-16 120432]
R0 TPDIGIMN;TPDIGIMN; C:\WINDOWS\System32\DRIVERS\ApsHM86.sys [2010-06-16 20592]
R1 cbfs3;cbfs3; \??\C:\WINDOWS\system32\drivers\cbfs3.sys [2010-06-09 267208]
R1 CSC;@%systemroot%\system32\cscsvc.dll,-202; C:\WINDOWS\system32\drivers\csc.sys [2009-07-13 387584]
R1 DLACDBHM;DLACDBHM; C:\WINDOWS\System32\Drivers\DLACDBHM.SYS [2007-02-08 12856]
R1 DLARTL_M;DLARTL_M; C:\WINDOWS\System32\Drivers\DLARTL_M.SYS [2007-02-08 28120]
R1 lenovo.smi;Lenovo System Interface Driver; C:\WINDOWS\system32\DRIVERS\smiif32.sys [2008-05-12 13480]
R1 mfetdik;McAfee Inc. mfetdik; C:\WINDOWS\system32\drivers\mfetdik.sys [2010-01-06 64208]
R1 RsvLock;RsvLock; C:\WINDOWS\system32\drivers\RsvLock.sys [2009-11-24 33328]
R1 SbFlop;SbFlop; C:\WINDOWS\system32\drivers\SbFlop.sys [2009-11-24 34480]
R1 SbRegFlt;SbRegFlt; C:\WINDOWS\system32\drivers\SbRegFlt.sys [2009-11-24 14664]
R1 TPPWRIF;TPPWRIF; C:\WINDOWS\System32\drivers\Tppwr32v.sys [2010-08-25 11552]
R1 vwififlt;Virtual WiFi Filter Driver; C:\WINDOWS\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
R2 DLABMFSM;DLABMFSM; C:\WINDOWS\System32\DLA\DLABMFSM.SYS [2007-06-18 35064]
R2 DLABOIOM;DLABOIOM; C:\WINDOWS\System32\DLA\DLABOIOM.SYS [2007-06-18 32472]
R2 DLADResM;DLADResM; C:\WINDOWS\System32\DLA\DLADResM.SYS [2007-06-18 9400]
R2 DLAIFS_M;DLAIFS_M; C:\WINDOWS\System32\DLA\DLAIFS_M.SYS [2007-06-18 105048]
R2 DLAOPIOM;DLAOPIOM; C:\WINDOWS\System32\DLA\DLAOPIOM.SYS [2007-06-18 26744]
R2 DLAPoolM;DLAPoolM; C:\WINDOWS\System32\DLA\DLAPoolM.SYS [2007-06-18 14520]
R2 DLAUDF_M;DLAUDF_M; C:\WINDOWS\System32\DLA\DLAUDF_M.SYS [2007-06-18 98136]
R2 DLAUDFAM;DLAUDFAM; C:\WINDOWS\System32\DLA\DLAUDFAM.SYS [2007-06-18 93752]
R2 DRVNDDM;DRVNDDM; C:\WINDOWS\System32\Drivers\DRVNDDM.SYS [2007-02-09 51768]
R2 smihlp2;SMI Helper Driver (smihlp2); \??\C:\Program Files\ThinkVantage Fingerprint Software\smihlp.sys [2009-03-13 12560]
R3 5U877;USB Video Device; C:\WINDOWS\system32\DRIVERS\5U877.sys [2009-12-14 127232]
R3 CnxtHdAudService;Conexant UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\CHDRT32.sys [2010-08-26 486016]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K; C:\WINDOWS\system32\DRIVERS\e1k6232.sys [2010-07-22 215208]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
R3 HECI;Intel® Management Engine Interface; C:\WINDOWS\system32\DRIVERS\HECI.sys [2009-09-17 41088]
R3 IBMPMDRV;IBMPMDRV; C:\WINDOWS\system32\DRIVERS\ibmpmdrv.sys [2009-11-18 26608]
R3 igfx;igfx; C:\WINDOWS\system32\DRIVERS\igdkmd32.sys [2010-08-26 9024512]
R3 Impcd;Impcd; C:\WINDOWS\system32\DRIVERS\Impcd.sys [2010-02-27 132480]
R3 IntcDAud;Intel® Display Audio; C:\WINDOWS\system32\DRIVERS\IntcDAud.sys [2010-08-30 247808]
R3 mcdbus;Driver for MagicISO SCSI Host Controller; C:\WINDOWS\system32\DRIVERS\mcdbus.sys [2009-02-24 116736]
R3 mfeapfk;McAfee Inc. mfeapfk; C:\WINDOWS\system32\drivers\mfeapfk.sys [2010-01-06 75704]
R3 mfeavfk;McAfee Inc. mfeavfk; C:\WINDOWS\system32\drivers\mfeavfk.sys [2010-01-06 91832]
R3 mfebopk;McAfee Inc. mfebopk; C:\WINDOWS\system32\drivers\mfebopk.sys [2010-01-06 43288]
R3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit; C:\WINDOWS\system32\DRIVERS\NETwNs32.sys [2010-07-14 6814720]
R3 psadd;Lenovo Parties Service Access Device Driver; C:\WINDOWS\system32\DRIVERS\psadd.sys [2007-02-18 21376]
R3 RDPDR;Terminal Server Device Redirector Driver; C:\WINDOWS\System32\drivers\rdpdr.sys [2009-07-13 133120]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2010-04-22 244784]
R3 TPM;TPM; C:\WINDOWS\system32\drivers\tpm.sys [2009-07-13 30720]
R3 urvpndrv;F5 Networks VPN Adapter; C:\WINDOWS\system32\DRIVERS\covpnwlh.sys [2009-10-09 34944]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service; C:\WINDOWS\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
S2 Parvdm;Parvdm; C:\WINDOWS\system32\DRIVERS\parvdm.sys [2009-07-13 8704]
S3 aic78xx;aic78xx; C:\WINDOWS\system32\DRIVERS\djsvs.sys [2009-07-13 70720]
S3 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2009-07-13 53312]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0; C:\WINDOWS\system32\DRIVERS\b57nd60x.sys [2009-07-13 229888]
S3 E1G60;Intel® PRO/1000 NDIS 6 Adapter Driver; C:\WINDOWS\system32\DRIVERS\E1G60I32.sys [2009-07-13 118784]
S3 f5ipfw;F5 Networks StoneWall Filter; \??\C:\WINDOWS\system32\drivers\urfltwlh.sys [2009-10-09 13952]
S3 HTCAND32;HTC Device Driver; C:\WINDOWS\System32\Drivers\ANDROIDUSB.sys [2009-10-26 25088]
S3 mferkdet;McAfee Inc. mferkdet; C:\WINDOWS\system32\drivers\mferkdet.sys [2010-01-06 66600]
S3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit; C:\WINDOWS\system32\DRIVERS\NETw5s32.sys [2010-03-17 6758912]
S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver; C:\WINDOWS\system32\DRIVERS\nusb3hub.sys [2009-11-20 58880]
S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver; C:\WINDOWS\system32\DRIVERS\nusb3xhc.sys [2009-11-20 137728]
S3 PCDSRVC{3037D694-FD904ACA-06020000}_0;PCDSRVC{3037D694-FD904ACA-06020000}_0 - PCDR Kernel Mode Service Helper Driver; \??\c:\program files\pc-doctor\pcdsrvc.pkms [2010-09-08 21360]
S3 pciide;pciide; C:\WINDOWS\system32\DRIVERS\pciide.sys [2009-07-13 12368]
S3 prepdrvr;SMS Process Event Driver; \??\C:\Windows\system32\CCM\prepdrv.sys [2009-09-18 20848]
S3 rimspci;rimspci; C:\WINDOWS\system32\DRIVERS\rimspe86.sys [2009-10-26 48640]
S3 rixdpcie;rixdpcie; C:\WINDOWS\system32\DRIVERS\rixdpe86.sys [2009-09-28 38912]
S3 s3cap;s3cap; C:\WINDOWS\system32\DRIVERS\vms3cap.sys [2009-07-13 5632]
S3 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2009-07-13 52304]
S3 storvsc;storvsc; C:\WINDOWS\system32\DRIVERS\storvsc.sys [2009-07-13 28224]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2010-09-28 41984]
S3 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2009-07-13 53328]
S3 ViaC7;VIA C7 Processor Driver; C:\WINDOWS\system32\DRIVERS\viac7.sys [2009-07-13 52736]
S3 vmbus;@%SystemRoot%\system32\vmbusres.dll,-1000; C:\WINDOWS\system32\DRIVERS\vmbus.sys [2009-07-13 175824]
S3 VMBusHID;VMBusHID; C:\WINDOWS\system32\DRIVERS\VMBusHID.sys [2009-07-13 17920]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AcPrfMgrSvc;AcPrfMgrSvc; C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe [2010-09-17 124264]
R2 AcSvc;AcSvc; C:\Program Files\Lenovo\Access Connections\AcSvc.exe [2010-09-17 259432]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [2010-10-16 37664]
R2 atashost;WebEx Service Host for Support Center; C:\WINDOWS\system32\atashost.exe [2010-08-06 20360]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2010-07-27 345376]
R2 btwdins;Bluetooth Service; C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe [2009-10-02 595232]
R2 CcmExec;SMS Agent Host; C:\Windows\system32\CCM\CcmExec.exe [2009-09-18 764768]
R2 CISVC;@%systemroot%\system32\CISVC.EXE,-1; C:\WINDOWS\system32\CISVC.EXE [2009-07-13 20480]
R2 CscService;@%systemroot%\system32\cscsvc.dll,-200; C:\WINDOWS\System32\svchost.exe [2009-07-13 20992]
R2 EvtEng;Intel® PROSet/Wireless Event Log; C:\Program Files\Intel\WiFi\bin\EvtEng.exe [2010-07-19 866576]
R2 IBMPMSVC;ThinkPad PM Service; C:\WINDOWS\system32\ibmpmsvc.exe [2009-11-18 38248]
R2 iPassPeriodicUpdateService;iPassPeriodicUpdateService; C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe [2009-11-25 114688]
R2 JungleDiskService;JungleDiskService; C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe [2010-09-24 7199232]
R2 LENOVO.CAMMUTE;Lenovo Camera Mute; C:\Program Files\Lenovo\Communications Utility\CAMMUTE.exe [2010-07-27 50536]
R2 LENOVO.MICMUTE;Lenovo Microphone Mute; C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe [2010-04-07 45496]
R2 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction; C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe [2010-07-27 74088]
R2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll; C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe [2010-04-07 93032]
R2 LMS;Intel® Management and Security Application Local Management Service; C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe [2010-05-03 325656]
R2 Lotus Notes Diagnostics;Lotus Notes Diagnostics; C:\Program Files\Lotus\Notes\nsd.exe [2008-12-06 3315080]
R2 Lotus Notes Single Logon;Lotus Notes Single Logon; C:\Program Files\Lotus\Notes\nslsvice.exe [2008-12-06 31624]
R2 McAfeeEngineService;McAfee Engine Service; C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe [2010-01-06 22816]
R2 McAfeeFramework;McAfee Framework Service; C:\Program Files\McAfee\Common Framework\FrameworkService.exe [2010-06-01 120128]
R2 McShield;McAfee McShield; C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe [2010-01-06 147472]
R2 McTaskManager;McAfee Task Manager; C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe [2010-01-06 66896]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe [2006-10-26 335872]
R2 mfevtp;McAfee Validation Trust Protection Service; C:\WINDOWS\system32\mfevtps.exe [2010-01-06 70728]
R2 Multi-user Cleanup Service;Multi-user Cleanup Service; C:\Program Files\Lotus\Notes\ntmulti.exe [2008-12-06 58760]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service; C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe [2010-10-01 632792]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2009-07-13 20992]
R2 RegSrvc;Intel® PROSet/Wireless Registry Service; C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe [2010-07-19 477456]
R2 SafeBootClientManager;SafeBoot Client Manager; C:\Program Files\safeboot\SbClientManager.exe [2009-11-24 380988]
R2 SUService;System Update; C:\Program Files\Lenovo\System Update\SUService.exe [2009-10-19 28672]
R2 TPHKSVC;On Screen Display; C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe [2010-04-07 63928]
R2 UNS;Intel® Management & Security Application User Notification Service; C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-05-03 2533400]
R3 iPassPeriodicUpdateApp;iPassPeriodicUpdateApp; C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe [2009-11-25 167936]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2010-11-11 820008]
R3 UmRdpService;@%SystemRoot%\system32\umrdp.dll,-1000; C:\WINDOWS\System32\svchost.exe [2009-07-13 20992]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86; C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S3 AppMgmt;@appmgmts.dll,-3250; C:\WINDOWS\system32\svchost.exe [2009-07-13 20992]
S3 DozeSvc;Lenovo Doze Mode Service; C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE [2010-08-25 132456]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2010-11-18 655624]
S3 iPassConnectEngine;iPassConnectEngine; C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe [2009-11-25 1740800]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 PeerDistSvc;@%SystemRoot%\system32\peerdistsvc.dll,-9000; C:\WINDOWS\System32\svchost.exe [2009-07-13 20992]
S3 Power Manager DBC Service;Power Manager DBC Service; C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE [2010-08-25 75112]
S3 smstsmgr;SMS Task Sequence Agent; C:\Windows\system32\CCM\TSManager.exe [2009-09-18 246624]
S3 StorSvc;@%SystemRoot%\System32\StorSvc.dll,-100; C:\WINDOWS\System32\svchost.exe [2009-07-13 20992]
S3 TPHDEXLGSVC;ThinkPad HDD APS Logging Service; C:\WINDOWS\System32\TPHDEXLG.exe [2010-06-16 40048]
S3 WatAdminSvc;@%SystemRoot%\system32\Wat\WatUX.exe,-601; C:\WINDOWS\system32\Wat\WatAdminSvc.exe [2010-07-16 1343400]

-----------------EOF-----------------
Logfile of random's system information tool 1.08 (written by random/random)
Run by 3878 at 2010-11-29 22:55:58
Microsoft Windows 7 Enterprise
System drive C: has 163 GB (69%) free of 238 GB
Total RAM: 2996 MB (52% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:56:39 PM, on 11/29/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16671)
Boot mode: Normal

Running processes:
C:\PROGRA~1\Lenovo\HOTKEY\tpnumlkd.exe
C:\WINDOWS\system32\taskhost.exe
C:\WINDOWS\system32\Dwm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Windows\System32\TpShocks.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Lenovo\Access Connections\ACTray.exe
C:\Program Files\Lenovo\Communications Utility\TPKNRRES.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\SafeBoot Tray Manager\SbTrayManager.exe
C:\Program Files\safeboot\SbTokWatch.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Program Files\Integrated Camera Driver\RCIMGDIR.exe
C:\Program Files\HTC\HTC Sync\Application Launcher\Application Launcher.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\MindMovies\Subliminal\SubVid.exe
C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\Teleca Shared\logger.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\HTC\HTC Sync\ClientInitiatedStarter\ClientInitiatedStarter.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\epmworker.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\FsynSrvStarter.exe
C:\Program Files\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox 4.0 Beta 7\firefox.exe
C:\Program Files\Mozilla Firefox 4.0 Beta 7\plugin-container.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Users\3878\Desktop\RSIT.exe
C:\Program Files\trend micro\3878.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.lawson.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.itv-f1.com/home.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.lawson.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lawson.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = pvs02.peacehealth.org:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Virtual Storage Mount Notification - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\WINDOWS\system32\CbFsMntNtf3.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ConnectionCenter] "C:\Program Files\Citrix\ICA Client\concentr.exe" /startup
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [AcWin7Hlpr] C:\Program Files\Lenovo\Access Connections\AcTBenabler.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\Lenovo\Access Connections\ACTray.exe
O4 - HKLM\..\Run: [LENOVO.TPKNRRES] C:\Program Files\Lenovo\Communications Utility\TPKNRRES.exe
O4 - HKLM\..\Run: [SafeBootTrayManager] "C:\Program Files\SafeBoot Tray Manager\SbTrayManager.exe"
O4 - HKLM\..\Run: [SafeBootTokenWatcher] "C:\Program Files\safeboot\SbTokWatch.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t
O4 - HKLM\..\Run: [IMSS] "C:\Program Files\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe"
O4 - HKLM\..\Run: [RotateImage] C:\Program Files\Integrated Camera Driver\RCIMGDIR.exe
O4 - HKLM\..\Run: [Mobile Connectivity Suite] "C:\Program Files\HTC\HTC Sync\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SSDMonitor] C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SubVid] "C:\Program Files\MindMovies\Subliminal\SubVid.exe" /startup
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Jungle Disk Desktop.lnk = C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\ThinkPad\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @C:\Program Files\ThinkPad\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O16 - DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} (F5 Networks CacheCleaner) - file://C:/Program Files/F5 VPN/F5_TMP/cachecleaner.cab
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://vpn.us.lawson.com/vdesk/terminal/urxvpn.cab#version=6031,2009,1010,313
O16 - DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} (F5 Networks Dynamic Application Tunnel Control) - https://vpn.us.lawson.com/vdesk/terminal/f5tunsrv.cab#version=6031,2009,1010,310
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://vpn.us.lawson.com/vdesk/terminal/InstallerControl.cab#version=6031,2009,1010,0312
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - file://C:/Program Files/F5 VPN/F5_TMP/f5InspectionHost.cab
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://vpn.us.lawson.com/vdesk/terminal/urxshost.cab#version=6031,2009,1010,308
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://lawsonsupport.webex.com/client/T26L/support/ieatgpc1.cab
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://vpn.us.lawson.com/vdesk/terminal/urxhost.cab#version=6031,2009,1010,304
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corpnet.lawson.com
O17 - HKLM\Software\..\Telephony: DomainName = corpnet.lawson.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corpnet.lawson.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corpnet.lawson.com
O21 - SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\WINDOWS\system32\CbFsMntNtf3.dll
O22 - SharedTaskScheduler: Virtual Storage Mount Notification - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\WINDOWS\system32\CbFsMntNtf3.dll
O23 - Service: AcPrfMgrSvc - Lenovo - C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe
O23 - Service: AcSvc - Lenovo - C:\Program Files\Lenovo\Access Connections\AcSvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: WebEx Service Host for Support Center (atashost) - WebEx Communications, Inc. - C:\WINDOWS\system32\atashost.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe
O23 - Service: Lenovo Doze Mode Service (DozeSvc) - Lenovo. - C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo. - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: JungleDiskService - Jungle Disk, Inc. - C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe
O23 - Service: Lenovo Camera Mute (LENOVO.CAMMUTE) - Lenovo Group Limited - C:\Program Files\Lenovo\Communications Utility\CAMMUTE.exe
O23 - Service: Lenovo Microphone Mute (LENOVO.MICMUTE) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe
O23 - Service: Lenovo Keyboard Noise Reduction (LENOVO.TPKNRSVC) - Lenovo Group Limited - C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe
O23 - Service: Lenovo Auto Scroll (Lenovo.VIRTSCRLSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe
O23 - Service: Intel® Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
O23 - Service: Lotus Notes Diagnostics - IBM - C:\Program Files\Lotus\Notes\nsd.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\Program Files\Lotus\Notes\nslsvice.exe
O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\Lotus\Notes\ntmulti.exe
O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - Unknown owner - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
O23 - Service: Power Manager DBC Service - Lenovo - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel® Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: SafeBoot Client Manager (SafeBootClientManager) - McAfee, Inc. - C:\Program Files\safeboot\SbClientManager.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: Intel® Management & Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe

--
End of file - 14336 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\ONXQ.job
C:\WINDOWS\tasks\PCDoctorBackgroundMonitorTask.job
C:\WINDOWS\tasks\RMSchedule.job
C:\WINDOWS\tasks\SystemToolsDailyTest.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-09-22 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5FF49FE8-B332-4CB9-B102-FB6951629E55}]
Virtual Storage Mount Notification - C:\WINDOWS\system32\CbFsMntNtf3.dll [2010-06-09 155416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll [2010-01-06 67120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live ID Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-08-18 403840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-06-10 41760]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"=C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE [2010-01-06 124240]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2010-04-22 1725736]
"ConnectionCenter"=C:\Program Files\Citrix\ICA Client\concentr.exe [2009-09-12 103768]
""= []
"TpShocks"=C:\WINDOWS\system32\TpShocks.exe [2010-07-01 337256]
"TPHOTKEY"=C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe [2010-07-27 69560]
"PWMTRV"=rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor []
"AcWin7Hlpr"=C:\Program Files\Lenovo\Access Connections\AcTBenabler.exe [2010-09-17 31592]
"ACTray"=C:\Program Files\Lenovo\Access Connections\ACTray.exe [2010-09-17 431464]
"LENOVO.TPKNRRES"=C:\Program Files\Lenovo\Communications Utility\TPKNRRES.exe [2010-07-27 62312]
"SafeBootTrayManager"=C:\Program Files\SafeBoot Tray Manager\SbTrayManager.exe [2009-08-19 69632]
"SafeBootTokenWatcher"=C:\Program Files\safeboot\SbTokWatch.exe [2009-11-24 172092]
"McAfeeUpdaterUI"=C:\Program Files\McAfee\Common Framework\udaterui.exe [2010-06-01 140608]
"SmartAudio"=C:\Program Files\CONEXANT\SAII\SAIICpl.exe [2009-11-16 307768]
"IMSS"=C:\Program Files\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe [2010-05-03 112152]
"RotateImage"=C:\Program Files\Integrated Camera Driver\RCIMGDIR.exe [2008-10-30 31744]
"Mobile Connectivity Suite"=C:\Program Files\HTC\HTC Sync\Application Launcher\Application Launcher.exe [2009-11-19 598016]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2010-09-08 421888]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2010-09-23 35760]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-09-20 932288]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2010-09-04 136216]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2009-12-31 175640]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2010-09-04 170520]
"SSDMonitor"=C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe [2010-09-16 104408]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2010-11-11 421160]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2009-07-13 1173504]
"SubVid"=C:\Program Files\MindMovies\Subliminal\SubVid.exe [2008-09-16 139264]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-09-20 932288]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2010-09-23 35760]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bing Bar]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2010-11-11 421160]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher]
C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe [2010-04-02 55048]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2010-09-08 421888]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
C:\PROGRA~1\ThinkPad\BLUETO~1\BTTray.exe [2009-10-02 795936]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Jungle Disk Desktop.lnk - C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe

C:\Users\3878\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2010-08-26 228864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\psfus]
C:\Program Files\ThinkVantage Fingerprint Software\psqlpwd.dll [2010-04-02 100104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\WINDOWS\system32\CbFsMntNtf3.dll [2010-06-09 155416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
Virtual Storage Mount Notification - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\WINDOWS\system32\CbFsMntNtf3.dll [2010-06-09 155416]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=SbNp
scecli
C:\Program Files\ThinkVantage Fingerprint Software\psqlpwd.dll
ACGina

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=credssp.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AFD]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\atashost]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispScrSavPage"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=0
"ConsentPromptBehaviorUser"=3
"EnableLUA"=0
"EnableUIADesktopToggle"=0
"PromptOnSecureDesktop"=0
"dontdisplaylastusername"=1
"legalnoticecaption"=WARNING NOTICE:
"legalnoticetext"=You are about to enter a Private Network that is intended for the authorized use of Lawson Software, Inc., its affiliate companies (the Company), and users authorized by the Company for business purposes only (Code of Conduct can be located by following this link: http://www.lawson.com/wcw.nsf/pub/IR_21905C) The actual or attempted unauthorized access, use, or modification of this network is strictly prohibited by the Company. Unauthorized users and/or unauthorized use are subject to Company disciplinary proceedings and/or civil penalties in accordance with applicable domestic and foreign laws. Where authorized by law, the use of this system may be monitored and recorded for administrative and security reasons. If such monitoring and/or recording reveals possible evidence of criminal activity, the Company may provide the monitored evidence of such activity to law enforcement officials.
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"DisallowCpl"=2
"HideSCAHealth"=1
"NoDriveTypeAutoRun"=145
"NoWindowsUpdate"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 months======

2010-11-29 22:55:58 ----D---- C:\rsit
2010-11-29 22:55:58 ----D---- C:\Program Files\trend micro
2010-11-21 19:02:24 ----D---- C:\Program Files\Mozilla Firefox 4.0 Beta 7
2010-11-20 17:24:16 ----A---- C:\WINDOWS\system32\drivers\usbhub.sys
2010-11-20 17:24:16 ----A---- C:\WINDOWS\system32\drivers\usbehci.sys
2010-11-20 16:44:59 ----D---- C:\ProgramData\PCDr
2010-11-20 16:44:59 ----D---- C:\ProgramData\PC-Doctor for Windows
2010-11-20 16:44:12 ----D---- C:\Program Files\PC-Doctor
2010-11-20 16:27:24 ----A---- C:\sfcdetails.txt
2010-11-18 21:50:46 ----D---- C:\ProgramData\FLEXnet
2010-11-18 01:22:36 ----D---- C:\Program Files\Common Files\PX Storage Engine
2010-11-18 01:15:35 ----D---- C:\Program Files\Adobe Media Player
2010-11-18 01:13:36 ----D---- C:\Program Files\Common Files\Adobe AIR
2010-11-18 01:09:35 ----D---- C:\Program Files\uTorrent
2010-11-18 01:08:10 ----D---- C:\Users\3878\AppData\Roaming\uTorrent
2010-11-18 01:04:51 ----D---- C:\Program Files\Common Files\Macrovision Shared
2010-11-17 08:25:59 ----D---- C:\Program Files\iPod
2010-11-17 08:25:58 ----D---- C:\Program Files\iTunes
2010-11-12 08:44:48 ----D---- C:\Users\3878\AppData\Roaming\Registry Mechanic
2010-11-12 08:30:47 ----D---- C:\ProgramData\PC Tools
2010-11-12 08:30:42 ----A---- C:\WINDOWS\system32\msxml.dll
2010-11-12 08:30:42 ----A---- C:\WINDOWS\system32\CleanMFT32.exe
2010-11-12 08:30:21 ----D---- C:\Program Files\Common Files\PC Tools
2010-11-12 08:30:19 ----D---- C:\Program Files\Registry Mechanic
2010-11-12 08:30:19 ----AD---- C:\ProgramData\TEMP
2010-11-12 00:39:35 ----A---- C:\WINDOWS\system32\mfreadwrite.dll
2010-11-12 00:39:35 ----A---- C:\WINDOWS\system32\mf.dll
2010-11-12 00:39:34 ----A---- C:\WINDOWS\system32\WMVDECOD.DLL
2010-11-12 00:38:38 ----A---- C:\WINDOWS\system32\FntCache.dll
2010-11-12 00:38:38 ----A---- C:\WINDOWS\system32\d3d10warp.dll
2010-11-12 00:38:38 ----A---- C:\WINDOWS\system32\d3d10_1core.dll
2010-11-12 00:38:37 ----A---- C:\WINDOWS\system32\DWrite.dll
2010-11-12 00:38:37 ----A---- C:\WINDOWS\system32\d2d1.dll
2010-11-12 00:37:43 ----A---- C:\WINDOWS\system32\XpsRasterService.dll
2010-11-12 00:37:43 ----A---- C:\WINDOWS\system32\XpsGdiConverter.dll
2010-11-12 00:36:39 ----A---- C:\WINDOWS\system32\ExplorerFrame.dll
2010-11-12 00:34:42 ----D---- C:\Program Files\Feedback Tool
2010-11-11 23:53:17 ----D---- C:\ProgramData\JungleDisk
2010-11-11 23:53:13 ----A---- C:\WINDOWS\system32\CbFsNetRdr3.dll
2010-11-11 23:53:13 ----A---- C:\WINDOWS\system32\CbFsMntNtf3.dll
2010-11-11 23:53:12 ----A---- C:\WINDOWS\system32\drivers\cbfs3.sys
2010-11-11 23:53:08 ----D---- C:\Program Files\Jungle Disk Desktop
2010-11-11 19:19:26 ----D---- C:\Users\3878\AppData\Roaming\Malwarebytes
2010-11-11 19:19:15 ----A---- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2010-11-11 19:19:12 ----D---- C:\ProgramData\Malwarebytes
2010-11-11 19:19:11 ----A---- C:\WINDOWS\system32\drivers\mbam.sys
2010-11-11 19:19:10 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-11-11 14:42:26 ----D---- C:\WINDOWS\Minidump
2010-11-11 14:40:13 ----A---- C:\WINDOWS\system32\wwanconn.dll
2010-11-11 13:00:58 ----A---- C:\WINDOWS\system32\drivers\iaStor.sys
2010-11-11 13:00:11 ----D---- C:\ProgramData\Intel
2010-11-11 12:58:16 ----D---- C:\Program Files\Cisco
2010-11-11 12:52:11 ----A---- C:\WINDOWS\system32\drivers\CHDRT32.sys
2010-11-11 12:51:48 ----A---- C:\WINDOWS\system32\PROUnstl.exe
2010-11-11 12:51:23 ----A---- C:\WINDOWS\system32\drivers\e1k6232.sys
2010-11-11 12:48:13 ----A---- C:\WINDOWS\system32\drivers\IntcDAud.sys
2010-11-11 12:48:13 ----A---- C:\WINDOWS\system32\drivers\Impcd.sys
2010-11-11 12:48:12 ----A---- C:\WINDOWS\system32\SETB379.tmp
2010-11-11 12:48:07 ----A---- C:\WINDOWS\system32\TVWSetup.exe
2010-11-11 12:48:06 ----A---- C:\WINDOWS\system32\igfxCoIn_v2202.dll
2010-11-11 12:48:05 ----A---- C:\WINDOWS\system32\SETA59D.tmp
2010-11-11 12:48:05 ----A---- C:\WINDOWS\system32\igfxtray.exe
2010-11-11 12:48:05 ----A---- C:\WINDOWS\system32\igfxTMM.dll
2010-11-11 12:48:03 ----A---- C:\WINDOWS\system32\SETCDCD.tmp
2010-11-11 12:48:03 ----A---- C:\WINDOWS\system32\igfxress.dll
2010-11-11 12:48:02 ----A---- C:\WINDOWS\system32\SETC3B7.tmp
2010-11-11 12:48:02 ----A---- C:\WINDOWS\system32\igfxpph.dll
2010-11-11 12:48:02 ----A---- C:\WINDOWS\system32\igfxpers.exe
2010-11-11 12:48:02 ----A---- C:\WINDOWS\system32\igfxdo.dll
2010-11-11 12:48:02 ----A---- C:\WINDOWS\system32\IGFXDEVLib.dll
2010-11-11 12:48:02 ----A---- C:\WINDOWS\system32\igdumdx32.dll
2010-11-11 12:48:01 ----A---- C:\WINDOWS\system32\igdumd32.dll
2010-11-11 12:48:00 ----A---- C:\WINDOWS\system32\drivers\igdkmd32.sys
2010-11-11 12:47:59 ----A---- C:\WINDOWS\system32\SETAF25.tmp
2010-11-11 12:47:59 ----A---- C:\WINDOWS\system32\ig4icd32.dll
2010-11-11 12:47:58 ----A---- C:\WINDOWS\system32\GfxUI.exe
2010-11-11 12:47:58 ----A---- C:\WINDOWS\system32\gfxSrvc.dll
2010-11-11 12:45:50 ----D---- C:\SWTOOLS
2010-11-11 12:08:09 ----SHD---- C:\Config.Msi
2010-11-11 11:27:05 ----D---- C:\WINDOWS\system32\appmgmt
2010-11-10 23:54:49 ----RASH---- C:\WINDOWS\system32\setvero.dll
2010-11-10 23:53:20 ----N---- C:\WINDOWS\system32\drivers\mcdbus.sys
2010-11-10 23:53:18 ----D---- C:\Program Files\MagicDisc
2010-11-10 23:33:55 ----N---- C:\WINDOWS\system32\ptdllrun1.exe

======List of files/folders modified in the last 1 months======

2010-11-29 22:55:58 ----AD---- C:\Program Files
2010-11-29 22:47:34 ----D---- C:\WINDOWS\system32\config
2010-11-29 22:43:18 ----D---- C:\WINDOWS\Temp
2010-11-29 22:35:46 ----A---- C:\WINDOWS\system32\log.txt
2010-11-29 22:34:47 ----A---- C:\WINDOWS\SMSCFG.INI
2010-11-29 22:33:43 ----AD---- C:\Windows
2010-11-24 11:33:37 ----D---- C:\Program Files\Quicken
2010-11-24 10:19:21 ----D---- C:\WINDOWS\inf
2010-11-24 10:19:21 ----AD---- C:\WINDOWS\System32
2010-11-24 10:19:21 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-11-24 03:13:29 ----D---- C:\WINDOWS\Microsoft.NET
2010-11-24 03:13:26 ----RSD---- C:\WINDOWS\assembly
2010-11-24 03:05:04 ----SHD---- C:\WINDOWS\Installer
2010-11-24 03:02:20 ----D---- C:\WINDOWS\system32\en-US
2010-11-24 03:01:48 ----D---- C:\Program Files\Microsoft.NET
2010-11-24 03:00:16 ----D---- C:\Program Files\Internet Explorer
2010-11-24 03:00:15 ----D---- C:\WINDOWS\winsxs
2010-11-23 21:28:42 ----D---- C:\WINDOWS\system32\catroot
2010-11-23 00:06:18 ----SHD---- C:\System Volume Information
2010-11-22 17:53:36 ----D---- C:\WINDOWS\Downloaded Program Files
2010-11-20 20:26:57 ----D---- C:\WINDOWS\system32\Tasks
2010-11-20 17:24:40 ----D---- C:\WINDOWS\system32\DriverStore
2010-11-20 17:24:40 ----D---- C:\WINDOWS\system32\drivers
2010-11-20 16:51:14 ----RSD---- C:\WINDOWS\Media
2010-11-20 16:47:36 ----D---- C:\WINDOWS\Downloaded Installations
2010-11-20 16:47:00 ----D---- C:\Program Files\Lenovo
2010-11-20 16:45:14 ----D---- C:\WINDOWS\Tasks
2010-11-20 16:44:59 ----AHD---- C:\ProgramData
2010-11-20 14:39:21 ----D---- C:\Program Files\Secure IT
2010-11-18 21:51:58 ----D---- C:\Users\3878\AppData\Roaming\Adobe
2010-11-18 20:46:21 ----D---- C:\WINDOWS\system32\catroot2
2010-11-18 03:41:41 ----D---- C:\WINDOWS\Prefetch
2010-11-18 01:23:05 ----D---- C:\Program Files\Adobe
2010-11-18 01:22:36 ----D---- C:\Program Files\Common Files
2010-11-18 01:20:57 ----D---- C:\ProgramData\Adobe
2010-11-18 01:20:47 ----D---- C:\Program Files\Common Files\Adobe
2010-11-18 01:11:35 ----RSD---- C:\WINDOWS\Fonts
2010-11-17 08:25:58 ----D---- C:\Program Files\Common Files\Apple
2010-11-16 08:44:58 ----D---- C:\WINDOWS\rescache
2010-11-15 23:03:45 ----D---- C:\WINDOWS\system32\migration
2010-11-15 23:03:45 ----D---- C:\WINDOWS\PolicyDefinitions
2010-11-12 10:57:16 ----A---- C:\WINDOWS\wininit.ini
2010-11-12 10:57:12 ----D---- C:\Program Files\Roxio
2010-11-12 10:56:07 ----D---- C:\Program Files\Common Files\InstallShield
2010-11-12 08:41:38 ----D---- C:\WINDOWS\debug
2010-11-12 00:34:39 ----D---- C:\WINDOWS\Logs
2010-11-11 20:10:09 ----D---- C:\WINDOWS\AppCompat
2010-11-11 12:58:04 ----D---- C:\Program Files\Common Files\Intel
2010-11-11 12:50:45 ----D---- C:\Program Files\Intel
2010-11-11 12:48:26 ----D---- C:\Intel
2010-11-11 12:45:21 ----D---- C:\ProgramData\Lenovo
2010-11-11 12:19:04 ----D---- C:\ProgramData\Win7codecs
2010-11-11 12:11:40 ----D---- C:\Program Files\Common Files\Roxio Shared
2010-11-11 12:08:40 ----D---- C:\Program Files\Common Files\Sonic Shared
2010-11-11 02:03:09 ----D---- C:\Program Files\FileZilla FTP Client
2010-11-10 23:29:44 ----HD---- C:\Program Files\InstallShield Installation Information
2010-11-10 23:29:04 ----D---- C:\Program Files\Bing Bar Installer
2010-11-10 23:29:00 ----D---- C:\Program Files\Microsoft
2010-11-10 12:49:27 ----SD---- C:\Users\3878\AppData\Roaming\Microsoft
2010-11-10 03:07:07 ----D---- C:\ProgramData\Microsoft Help
2010-11-04 07:55:07 ----D---- C:\WINDOWS\system32\NDF
2010-11-02 16:47:16 ----A---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 DozeHDD;DozeHDD; C:\WINDOWS\System32\DRIVERS\DozeHDD.sys [2010-08-25 24304]
R0 DRVMCDB;DRVMCDB; C:\WINDOWS\System32\Drivers\DRVMCDB.SYS [2007-03-12 99848]
R0 iaStor;Intel AHCI Controller; C:\WINDOWS\system32\DRIVERS\iaStor.sys [2010-03-03 435736]
R0 mfehidk;McAfee Inc. mfehidk; C:\WINDOWS\system32\drivers\mfehidk.sys [2010-01-06 343920]
R0 PxHelp20;PxHelp20; C:\WINDOWS\System32\Drivers\PxHelp20.sys [2008-04-08 44944]
R0 rdyboost;ReadyBoost; C:\WINDOWS\System32\drivers\rdyboost.sys [2009-07-13 173648]
R0 SafeBoot;SafeBoot; C:\WINDOWS\system32\drivers\SafeBoot.sys [2009-11-24 103760]
R0 SBAlg;SBAlg; C:\WINDOWS\system32\drivers\SBAlg.sys [2008-08-13 44976]
R0 SbFsLock;SbFsLock; C:\WINDOWS\system32\drivers\SbFsLock.sys [2009-11-24 6496]
R0 Shockprf;Shockprf; C:\WINDOWS\System32\DRIVERS\Apsx86.sys [2010-06-16 120432]
R0 TPDIGIMN;TPDIGIMN; C:\WINDOWS\System32\DRIVERS\ApsHM86.sys [2010-06-16 20592]
R1 cbfs3;cbfs3; \??\C:\WINDOWS\system32\drivers\cbfs3.sys [2010-06-09 267208]
R1 CSC;@%systemroot%\system32\cscsvc.dll,-202; C:\WINDOWS\system32\drivers\csc.sys [2009-07-13 387584]
R1 DLACDBHM;DLACDBHM; C:\WINDOWS\System32\Drivers\DLACDBHM.SYS [2007-02-08 12856]
R1 DLARTL_M;DLARTL_M; C:\WINDOWS\System32\Drivers\DLARTL_M.SYS [2007-02-08 28120]
R1 lenovo.smi;Lenovo System Interface Driver; C:\WINDOWS\system32\DRIVERS\smiif32.sys [2008-05-12 13480]
R1 mfetdik;McAfee Inc. mfetdik; C:\WINDOWS\system32\drivers\mfetdik.sys [2010-01-06 64208]
R1 RsvLock;RsvLock; C:\WINDOWS\system32\drivers\RsvLock.sys [2009-11-24 33328]
R1 SbFlop;SbFlop; C:\WINDOWS\system32\drivers\SbFlop.sys [2009-11-24 34480]
R1 SbRegFlt;SbRegFlt; C:\WINDOWS\system32\drivers\SbRegFlt.sys [2009-11-24 14664]
R1 TPPWRIF;TPPWRIF; C:\WINDOWS\System32\drivers\Tppwr32v.sys [2010-08-25 11552]
R1 vwififlt;Virtual WiFi Filter Driver; C:\WINDOWS\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
R2 DLABMFSM;DLABMFSM; C:\WINDOWS\System32\DLA\DLABMFSM.SYS [2007-06-18 35064]
R2 DLABOIOM;DLABOIOM; C:\WINDOWS\System32\DLA\DLABOIOM.SYS [2007-06-18 32472]
R2 DLADResM;DLADResM; C:\WINDOWS\System32\DLA\DLADResM.SYS [2007-06-18 9400]
R2 DLAIFS_M;DLAIFS_M; C:\WINDOWS\System32\DLA\DLAIFS_M.SYS [2007-06-18 105048]
R2 DLAOPIOM;DLAOPIOM; C:\WINDOWS\System32\DLA\DLAOPIOM.SYS [2007-06-18 26744]
R2 DLAPoolM;DLAPoolM; C:\WINDOWS\System32\DLA\DLAPoolM.SYS [2007-06-18 14520]
R2 DLAUDF_M;DLAUDF_M; C:\WINDOWS\System32\DLA\DLAUDF_M.SYS [2007-06-18 98136]
R2 DLAUDFAM;DLAUDFAM; C:\WINDOWS\System32\DLA\DLAUDFAM.SYS [2007-06-18 93752]
R2 DRVNDDM;DRVNDDM; C:\WINDOWS\System32\Drivers\DRVNDDM.SYS [2007-02-09 51768]
R2 smihlp2;SMI Helper Driver (smihlp2); \??\C:\Program Files\ThinkVantage Fingerprint Software\smihlp.sys [2009-03-13 12560]
R3 5U877;USB Video Device; C:\WINDOWS\system32\DRIVERS\5U877.sys [2009-12-14 127232]
R3 CnxtHdAudService;Conexant UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\CHDRT32.sys [2010-08-26 486016]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K; C:\WINDOWS\system32\DRIVERS\e1k6232.sys [2010-07-22 215208]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
R3 HECI;Intel® Management Engine Interface; C:\WINDOWS\system32\DRIVERS\HECI.sys [2009-09-17 41088]
R3 IBMPMDRV;IBMPMDRV; C:\WINDOWS\system32\DRIVERS\ibmpmdrv.sys [2009-11-18 26608]
R3 igfx;igfx; C:\WINDOWS\system32\DRIVERS\igdkmd32.sys [2010-08-26 9024512]
R3 Impcd;Impcd; C:\WINDOWS\system32\DRIVERS\Impcd.sys [2010-02-27 132480]
R3 IntcDAud;Intel® Display Audio; C:\WINDOWS\system32\DRIVERS\IntcDAud.sys [2010-08-30 247808]
R3 mcdbus;Driver for MagicISO SCSI Host Controller; C:\WINDOWS\system32\DRIVERS\mcdbus.sys [2009-02-24 116736]
R3 mfeapfk;McAfee Inc. mfeapfk; C:\WINDOWS\system32\drivers\mfeapfk.sys [2010-01-06 75704]
R3 mfeavfk;McAfee Inc. mfeavfk; C:\WINDOWS\system32\drivers\mfeavfk.sys [2010-01-06 91832]
R3 mfebopk;McAfee Inc. mfebopk; C:\WINDOWS\system32\drivers\mfebopk.sys [2010-01-06 43288]
R3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit; C:\WINDOWS\system32\DRIVERS\NETwNs32.sys [2010-07-14 6814720]
R3 psadd;Lenovo Parties Service Access Device Driver; C:\WINDOWS\system32\DRIVERS\psadd.sys [2007-02-18 21376]
R3 RDPDR;Terminal Server Device Redirector Driver; C:\WINDOWS\System32\drivers\rdpdr.sys [2009-07-13 133120]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2010-04-22 244784]
R3 TPM;TPM; C:\WINDOWS\system32\drivers\tpm.sys [2009-07-13 30720]
R3 urvpndrv;F5 Networks VPN Adapter; C:\WINDOWS\system32\DRIVERS\covpnwlh.sys [2009-10-09 34944]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service; C:\WINDOWS\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
S2 Parvdm;Parvdm; C:\WINDOWS\system32\DRIVERS\parvdm.sys [2009-07-13 8704]
S3 aic78xx;aic78xx; C:\WINDOWS\system32\DRIVERS\djsvs.sys [2009-07-13 70720]
S3 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2009-07-13 53312]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0; C:\WINDOWS\system32\DRIVERS\b57nd60x.sys [2009-07-13 229888]
S3 E1G60;Intel® PRO/1000 NDIS 6 Adapter Driver; C:\WINDOWS\system32\DRIVERS\E1G60I32.sys [2009-07-13 118784]
S3 f5ipfw;F5 Networks StoneWall Filter; \??\C:\WINDOWS\system32\drivers\urfltwlh.sys [2009-10-09 13952]
S3 HTCAND32;HTC Device Driver; C:\WINDOWS\System32\Drivers\ANDROIDUSB.sys [2009-10-26 25088]
S3 mferkdet;McAfee Inc. mferkdet; C:\WINDOWS\system32\drivers\mferkdet.sys [2010-01-06 66600]
S3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit; C:\WINDOWS\system32\DRIVERS\NETw5s32.sys [2010-03-17 6758912]
S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver; C:\WINDOWS\system32\DRIVERS\nusb3hub.sys [2009-11-20 58880]
S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver; C:\WINDOWS\system32\DRIVERS\nusb3xhc.sys [2009-11-20 137728]
S3 PCDSRVC{3037D694-FD904ACA-06020000}_0;PCDSRVC{3037D694-FD904ACA-06020000}_0 - PCDR Kernel Mode Service Helper Driver; \??\c:\program files\pc-doctor\pcdsrvc.pkms [2010-09-08 21360]
S3 pciide;pciide; C:\WINDOWS\system32\DRIVERS\pciide.sys [2009-07-13 12368]
S3 prepdrvr;SMS Process Event Driver; \??\C:\Windows\system32\CCM\prepdrv.sys [2009-09-18 20848]
S3 rimspci;rimspci; C:\WINDOWS\system32\DRIVERS\rimspe86.sys [2009-10-26 48640]
S3 rixdpcie;rixdpcie; C:\WINDOWS\system32\DRIVERS\rixdpe86.sys [2009-09-28 38912]
S3 s3cap;s3cap; C:\WINDOWS\system32\DRIVERS\vms3cap.sys [2009-07-13 5632]
S3 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2009-07-13 52304]
S3 storvsc;storvsc; C:\WINDOWS\system32\DRIVERS\storvsc.sys [2009-07-13 28224]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2010-09-28 41984]
S3 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2009-07-13 53328]
S3 ViaC7;VIA C7 Processor Driver; C:\WINDOWS\system32\DRIVERS\viac7.sys [2009-07-13 52736]
S3 vmbus;@%SystemRoot%\system32\vmbusres.dll,-1000; C:\WINDOWS\system32\DRIVERS\vmbus.sys [2009-07-13 175824]
S3 VMBusHID;VMBusHID; C:\WINDOWS\system32\DRIVERS\VMBusHID.sys [2009-07-13 17920]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AcPrfMgrSvc;AcPrfMgrSvc; C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe [2010-09-17 124264]
R2 AcSvc;AcSvc; C:\Program Files\Lenovo\Access Connections\AcSvc.exe [2010-09-17 259432]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [2010-10-16 37664]
R2 atashost;WebEx Service Host for Support Center; C:\WINDOWS\system32\atashost.exe [2010-08-06 20360]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2010-07-27 345376]
R2 btwdins;Bluetooth Service; C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe [2009-10-02 595232]
R2 CcmExec;SMS Agent Host; C:\Windows\system32\CCM\CcmExec.exe [2009-09-18 764768]
R2 CISVC;@%systemroot%\system32\CISVC.EXE,-1; C:\WINDOWS\system32\CISVC.EXE [2009-07-13 20480]
R2 CscService;@%systemroot%\system32\cscsvc.dll,-200; C:\WINDOWS\System32\svchost.exe [2009-07-13 20992]
R2 EvtEng;Intel® PROSet/Wireless Event Log; C:\Program Files\Intel\WiFi\bin\EvtEng.exe [2010-07-19 866576]
R2 IBMPMSVC;ThinkPad PM Service; C:\WINDOWS\system32\ibmpmsvc.exe [2009-11-18 38248]
R2 iPassPeriodicUpdateService;iPassPeriodicUpdateService; C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe [2009-11-25 114688]
R2 JungleDiskService;JungleDiskService; C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe [2010-09-24 7199232]
R2 LENOVO.CAMMUTE;Lenovo Camera Mute; C:\Program Files\Lenovo\Communications Utility\CAMMUTE.exe [2010-07-27 50536]
R2 LENOVO.MICMUTE;Lenovo Microphone Mute; C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe [2010-04-07 45496]
R2 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction; C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe [2010-07-27 74088]
R2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll; C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe [2010-04-07 93032]
R2 LMS;Intel® Management and Security Application Local Management Service; C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe [2010-05-03 325656]
R2 Lotus Notes Diagnostics;Lotus Notes Diagnostics; C:\Program Files\Lotus\Notes\nsd.exe [2008-12-06 3315080]
R2 Lotus Notes Single Logon;Lotus Notes Single Logon; C:\Program Files\Lotus\Notes\nslsvice.exe [2008-12-06 31624]
R2 McAfeeEngineService;McAfee Engine Service; C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe [2010-01-06 22816]
R2 McAfeeFramework;McAfee Framework Service; C:\Program Files\McAfee\Common Framework\FrameworkService.exe [2010-06-01 120128]
R2 McShield;McAfee McShield; C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe [2010-01-06 147472]
R2 McTaskManager;McAfee Task Manager; C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe [2010-01-06 66896]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe [2006-10-26 335872]
R2 mfevtp;McAfee Validation Trust Protection Service; C:\WINDOWS\system32\mfevtps.exe [2010-01-06 70728]
R2 Multi-user Cleanup Service;Multi-user Cleanup Service; C:\Program Files\Lotus\Notes\ntmulti.exe [2008-12-06 58760]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service; C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe [2010-10-01 632792]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2009-07-13 20992]
R2 RegSrvc;Intel® PROSet/Wireless Registry Service; C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe [2010-07-19 477456]
R2 SafeBootClientManager;SafeBoot Client Manager; C:\Program Files\safeboot\SbClientManager.exe [2009-11-24 380988]
R2 SUService;System Update; C:\Program Files\Lenovo\System Update\SUService.exe [2009-10-19 28672]
R2 TPHKSVC;On Screen Display; C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe [2010-04-07 63928]
R2 UNS;Intel® Management & Security Application User Notification Service; C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-05-03 2533400]
R3 iPassPeriodicUpdateApp;iPassPeriodicUpdateApp; C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe [2009-11-25 167936]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2010-11-11 820008]
R3 UmRdpService;@%SystemRoot%\system32\umrdp.dll,-1000; C:\WINDOWS\System32\svchost.exe [2009-07-13 20992]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86; C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S3 AppMgmt;@appmgmts.dll,-3250; C:\WINDOWS\system32\svchost.exe [2009-07-13 20992]
S3 DozeSvc;Lenovo Doze Mode Service; C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE [2010-08-25 132456]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2010-11-18 655624]
S3 iPassConnectEngine;iPassConnectEngine; C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe [2009-11-25 1740800]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 PeerDistSvc;@%SystemRoot%\system32\peerdistsvc.dll,-9000; C:\WINDOWS\System32\svchost.exe [2009-07-13 20992]
S3 Power Manager DBC Service;Power Manager DBC Service; C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE [2010-08-25 75112]
S3 smstsmgr;SMS Task Sequence Agent; C:\Windows\system32\CCM\TSManager.exe [2009-09-18 246624]
S3 StorSvc;@%SystemRoot%\System32\StorSvc.dll,-100; C:\WINDOWS\System32\svchost.exe [2009-07-13 20992]
S3 TPHDEXLGSVC;ThinkPad HDD APS Logging Service; C:\WINDOWS\System32\TPHDEXLG.exe [2010-06-16 40048]
S3 WatAdminSvc;@%SystemRoot%\system32\Wat\WatUX.exe,-601; C:\WINDOWS\system32\Wat\WatAdminSvc.exe [2010-07-16 1343400]

-----------------EOF-----------------
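
The policy keys in the RSIT log above are the part a responder should read first: EnableLUA=0, ConsentPromptBehaviorAdmin=0 and PromptOnSecureDesktop=0 switch UAC off, while the per-user explorer policies block Windows Update, restrict the Control Panel and hide the Action Center icon, and Lsa\notification packages carries three non-default DLLs that lsass.exe loads. The following Python script is an added example, not code from the post, from RSIT or from any product named in the thread. It parses RSIT's `[key]` / `"name"=data` layout (including the bare continuation lines a REG_MULTI_SZ value such as `notification packages` spills onto), flags the weakened settings, and lists the LSA packages that need to be matched to an installed product. The sample input is constructed to mirror the values in the log; the key paths and the Windows 7 meaning of each value are the example's assumptions.

```python
"""Added triage helper for the registry-policy sections of an RSIT-style log
(example code, not from the post, RSIT or any product named in the thread)."""
import re
from typing import Dict, List

# Constructed excerpt in RSIT's layout; values mirror the ones in the log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=0
"ConsentPromptBehaviorUser"=3
"EnableLUA"=0
"PromptOnSecureDesktop"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"DisallowCpl"=2
"HideSCAHealth"=1
"NoDriveTypeAutoRun"=145
"NoWindowsUpdate"=1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=SbNp
scecli
C:\Program Files\ThinkVantage Fingerprint Software\psqlpwd.dll
ACGina
"""

_KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_sections(text: str) -> Dict[str, Dict[str, List[str]]]:
    """{lowercased key path: {lowercased value name: [data, ...]}}.

    RSIT prints one "name"=data line per value; the remaining strings of a
    REG_MULTI_SZ follow on bare lines and are appended to the last value.
    """
    sections, key, last = {}, None, None
    for line in (l.rstrip() for l in text.splitlines()):
        if not line:
            continue
        if m := _KEY_RE.match(line):
            key, last = m.group("key").lower(), None
            sections[key] = {}
        elif key is None:
            continue                     # text before the first key header
        elif m := _VALUE_RE.match(line):
            last = m.group("name").lower()
            sections[key][last] = [m.group("data")]
        elif last is not None:
            sections[key][last].append(line)   # REG_MULTI_SZ continuation
    return sections


SYSTEM_POLICY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"
EXPLORER_POLICY = r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer"
LSA = r"hkey_local_machine\system\currentcontrolset\control\lsa"

# (key, value, data that means "weakened", explanation); Windows 7 semantics assumed.
# "0" entries are flagged when the data is 0, "nonzero" when it is anything else.
WEAK_SETTINGS = [
    (SYSTEM_POLICY, "enablelua", "0", "UAC off: administrators' processes run with the full token"),
    (SYSTEM_POLICY, "consentpromptbehavioradmin", "0", "administrators elevate silently, no consent prompt"),
    (SYSTEM_POLICY, "promptonsecuredesktop", "0", "elevation prompts not isolated on the secure desktop"),
    (EXPLORER_POLICY, "nowindowsupdate", "nonzero", "Windows Update blocked for this user"),
    (EXPLORER_POLICY, "disallowcpl", "nonzero", "Control Panel applets restricted for this user"),
    (EXPLORER_POLICY, "hidescahealth", "nonzero", "Action Center security icon hidden for this user"),
]


def weak_policy_findings(sections) -> List[str]:
    """One line per policy value whose data weakens the machine's defences."""
    out = []
    for key, name, weak, why in WEAK_SETTINGS:
        data = sections.get(key, {}).get(name)
        if not data:
            continue
        val = data[0].strip()
        if (weak == "0" and val == "0") or (weak == "nonzero" and val not in ("", "0")):
            out.append(f"{name}={val}: {why}")
    return out


def lsa_packages_to_verify(sections) -> List[str]:
    """Lsa\\Notification Packages entries other than the Windows default.

    Each one is a DLL loaded into lsass.exe that sees every password change in
    clear text, so each must be tied to a product known to be installed.
    """
    pkgs = sections.get(LSA, {}).get("notification packages", [])
    return [p.strip() for p in pkgs if p.strip().lower() != "scecli"]


def triage(text: str) -> Dict[str, List[str]]:
    s = parse_sections(text)
    return {"weak_policy": weak_policy_findings(s),
            "lsa_packages_to_verify": lsa_packages_to_verify(s)}


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(category)
        for item in items:
            print("  -", item)
```

Two caveats before acting on the output. First, this is a managed corporate laptop (the log lists an SMS Agent Host, SafeBoot disk encryption and a company legal notice), so some of the flagged policies may be deliberate domain settings rather than tampering; confirm with the administrator before reverting them. Second, the three non-default LSA packages all appear to line up with products listed elsewhere in the same log (SbNp with the SafeBoot services, psqlpwd.dll with ThinkVantage Fingerprint Software, ACGina with Lenovo Access Connections), so they are items to verify, not detections; an LSA package with no matching product would be the thing to escalate.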

#6 Klamis

Klamis
  • Topic Starter

  • Members
  • 5 posts

Posted 30 November 2010 - 12:20 AM

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-29 23:16:23
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.PS11
Running: gmer.exe; Driver: C:\Users\3878\AppData\Local\Temp\fwtyrfog.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateFile [0x8B59D68A]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0x8B59D5E8]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8B59D5FC]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8B59D612]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8B59D6C8]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8B59D64E]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8B59D69E]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwReplaceKey [0x8B59D676]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRestoreKey [0x8B59D662]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0x8B59D63A]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8B59D626]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8B59D6F7]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8B59D6DE]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x8B59D6B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 82A67148 5 Bytes JMP 8B59D6B8 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A7F599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AA3F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 82C35D3B 5 Bytes JMP 8B59D652 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 82C86F0E 5 Bytes JMP 8B59D68E \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 82C89495 5 Bytes JMP 8B59D62A \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateUserProcess 82C91E6C 5 Bytes JMP 8B59D616 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 82C9DBCD 5 Bytes JMP 8B59D6FB \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 82CB7D6C 5 Bytes JMP 8B59D6E2 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 82CBAF67 7 Bytes JMP 8B59D6CC \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 82CBBCD1 7 Bytes JMP 8B59D6A2 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 82CD1FE5 5 Bytes JMP 8B59D666 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 82CD9152 5 Bytes JMP 8B59D67A \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 82D16E61 5 Bytes JMP 8B59D5EC \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 82D16EAC 3 Bytes JMP 8B59D600 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx + 4 82D16EB0 3 Bytes [08, 90, 90]
PAGE ntkrnlpa.exe!ZwSetContextThread 82D17D6F 5 Bytes JMP 8B59D63E \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
? C:\WINDOWS\System32\Drivers\SafeBoot.sys The process cannot access the file because it is being used by another process.

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!GetStartupInfoA 776C1DF0 5 Bytes JMP 001600BA
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreateProcessW 776C202D 5 Bytes JMP 00160F62
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreateProcessA 776C2062 5 Bytes JMP 001600F7
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreateNamedPipeW 776F1FD6 5 Bytes JMP 00160FCA
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreatePipe 776F4A8B 5 Bytes JMP 0016009F
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!VirtualProtect 777050AB 5 Bytes JMP 00160F9B
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!LoadLibraryExW 7770B6BF 5 Bytes JMP 0016007D
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!LoadLibraryExA 7770BC8B 5 Bytes JMP 0016006C
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreateFileW 77710B7D 5 Bytes JMP 00160FEF
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!GetProcAddress 77711857 5 Bytes JMP 00160112
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!LoadLibraryA 77712884 5 Bytes JMP 00160036
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!LoadLibraryW 777128D2 5 Bytes JMP 00160051
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreateFileA 7771291C 5 Bytes JMP 0016000A
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!GetStartupInfoW 77717CD5 5 Bytes JMP 001600CB
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreateNamedPipeA 7774D5BF 5 Bytes JMP 00160025
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!WinExec 7774E76D 5 Bytes JMP 001600E6
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!VirtualProtectEx 7774F729 5 Bytes JMP 0016008E
.text C:\WINDOWS\system32\services.exe[576] msvcrt.dll!_open 761D7E48 5 Bytes JMP 0014000C
.text C:\WINDOWS\system32\services.exe[576] msvcrt.dll!_wsystem 7620B04F 5 Bytes JMP 00140F9C
.text C:\WINDOWS\system32\services.exe[576] msvcrt.dll!system 7620B16F 5 Bytes JMP 00140FB7
.text C:\WINDOWS\system32\services.exe[576] msvcrt.dll!_creat 7620ED29 5 Bytes JMP 00140FD2
.text C:\WINDOWS\system32\services.exe[576] msvcrt.dll!_wcreat 7621038E 5 Bytes JMP 00140027
.text C:\WINDOWS\system32\services.exe[576] msvcrt.dll!_wopen 76210570 5 Bytes JMP 00140FEF
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegOpenKeyA 7745D2ED 5 Bytes JMP 00150FEF
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegCreateKeyA 7745D3C1 5 Bytes JMP 00150FB9
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegCreateKeyExA 77461B71 5 Bytes JMP 00150F8D
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegCreateKeyW 77461CC0 5 Bytes JMP 00150F9E
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegOpenKeyW 77463129 5 Bytes JMP 00150000
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegCreateKeyExW 7746B946 5 Bytes JMP 00150F72
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegOpenKeyExA 7746BC0D 5 Bytes JMP 00150025
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegOpenKeyExW 7746BEC4 5 Bytes JMP 00150FCA
.text C:\WINDOWS\system32\lsass.exe[592] kernel32.dll!GetStartupInfoA 776C1DF0 5 Bytes JMP 00AE0F8D
.text C:\WINDOWS\system32\lsass.exe[592] kernel32.dll!CreateProcessW 776C202D 5 Bytes JMP 00AE0104
.text C:\WINDOWS\system32\lsass.exe[592] kernel32.dll!CreateProcessA 776C2062 5 Bytes JMP 00AE00F3
.text C:\WINDOWS\system32\lsass.exe[592] kernel32.dll!CreateNamedPipeW 776F1FD6 5 Bytes JMP 00AE0039
.text C:\WINDOWS\system32\lsass.exe[592] kernel32.dll!CreatePipe 776F4A8B 5 Bytes JMP 00AE00B6
.text C:\WINDOWS\system32\lsass.exe[592] kernel32.dll!VirtualProtect 777050AB 5 Bytes JMP 00AE0FA8
.text C:\WINDOWS\system32\lsass.exe[592] kernel32.dll!LoadLibraryExW 7770B6BF 5 Bytes JMP 00AE0076
.text C:\WINDOWS\system32\lsass.exe[592] kernel32.dll!LoadLibraryExA 7770BC8B 5 Bytes JMP 00AE0FB9
.text C:\WINDOWS\system32\lsass.exe[592] kernel32.dll!CreateFileW 77710B7D 5 Bytes JMP 00AE0FDE
.text C:\WINDOWS\system32\lsass.exe[592] kernel32.dll!GetProcAddress 77711857 5 Bytes JMP 00AE0F54
.text C:\WINDOWS\system32\lsass.exe[592] kernel32.dll!LoadLibraryA 77712884 5 Bytes JMP 00AE004A
.text C:\WINDOWS\system32\lsass.exe[592] kernel32.dll!LoadLibraryW 777128D2 5 Bytes JMP 00AE005B
.text C:\WINDOWS\system32\lsass.exe[592] kernel32.dll!CreateFileA 7771291C 5 Bytes JMP 00AE0FEF
.text C:\WINDOWS\system32\lsass.exe[592] kernel32.dll!GetStartupInfoW 77717CD5 5 Bytes JMP 00AE00D1
.text C:\WINDOWS\system32\lsass.exe[592] kernel32.dll!CreateNamedPipeA 7774D5BF 5 Bytes JMP 00AE0014
.text C:\WINDOWS\system32\lsass.exe[592] kernel32.dll!WinExec 7774E76D 5 Bytes JMP 00AE00E2
.text C:\WINDOWS\system32\lsass.exe[592] kernel32.dll!VirtualProtectEx 7774F729 5 Bytes JMP 00AE00A5
.text C:\WINDOWS\system32\lsass.exe[592] msvcrt.dll!_open 761D7E48 5 Bytes JMP 000F0FEF
.text C:\WINDOWS\system32\lsass.exe[592] msvcrt.dll!_wsystem 7620B04F 5 Bytes JMP 000F0FA6
.text C:\WINDOWS\system32\lsass.exe[592] msvcrt.dll!system 7620B16F 5 Bytes JMP 000F0FC1
.text C:\WINDOWS\system32\lsass.exe[592] msvcrt.dll!_creat 7620ED29 5 Bytes JMP 000F000C
.text C:\WINDOWS\system32\lsass.exe[592] msvcrt.dll!_wcreat 7621038E 5 Bytes JMP 000F0031
.text C:\WINDOWS\system32\lsass.exe[592] msvcrt.dll!_wopen 76210570 5 Bytes JMP 000F0FD2
.text C:\WINDOWS\system32\lsass.exe[592] ADVAPI32.dll!RegOpenKeyA 7745D2ED 5 Bytes JMP 00100FEF
.text C:\WINDOWS\system32\lsass.exe[592] ADVAPI32.dll!RegCreateKeyA 7745D3C1 5 Bytes JMP 00100040
.text C:\WINDOWS\system32\lsass.exe[592] ADVAPI32.dll!RegCreateKeyExA 77461B71 5 Bytes JMP 00100062
.text C:\WINDOWS\system32\lsass.exe[592] ADVAPI32.dll!RegCreateKeyW 77461CC0 5 Bytes JMP 00100051
.text C:\WINDOWS\system32\lsass.exe[592] ADVAPI32.dll!RegOpenKeyW 77463129 5 Bytes JMP 00100FDE
.text C:\WINDOWS\system32\lsass.exe[592] ADVAPI32.dll!RegCreateKeyExW 7746B946 5 Bytes JMP 00100073
.text C:\WINDOWS\system32\lsass.exe[592] ADVAPI32.dll!RegOpenKeyExA 7746BC0D 5 Bytes JMP 0010000A
.text C:\WINDOWS\system32\lsass.exe[592] ADVAPI32.dll!RegOpenKeyExW 7746BEC4 5 Bytes JMP 00100025
.text C:\WINDOWS\system32\lsass.exe[592] WS2_32.dll!socket 75C03F00 5 Bytes JMP 000E0FEF
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!GetStartupInfoA 776C1DF0 5 Bytes JMP 004A0079
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!CreateProcessW 776C202D 5 Bytes JMP 004A00B6
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!CreateProcessA 776C2062 5 Bytes JMP 004A00A5
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!CreateNamedPipeW 776F1FD6 5 Bytes JMP 004A0025
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!CreatePipe 776F4A8B 5 Bytes JMP 004A0F46
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!VirtualProtect 777050AB 5 Bytes JMP 004A0F7C
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!LoadLibraryExW 7770B6BF 5 Bytes JMP 004A0F97
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!LoadLibraryExA 7770BC8B 5 Bytes JMP 004A0FA8
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!CreateFileW 77710B7D 5 Bytes JMP 004A0FE5
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!GetProcAddress 77711857 5 Bytes JMP 004A0F06
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!LoadLibraryA 77712884 5 Bytes JMP 004A004A
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!LoadLibraryW 777128D2 5 Bytes JMP 004A0FC3
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!CreateFileA 7771291C 5 Bytes JMP 004A0000
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!GetStartupInfoW 77717CD5 5 Bytes JMP 004A0F35
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!CreateNamedPipeA 7774D5BF 5 Bytes JMP 004A0FD4
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!WinExec 7774E76D 5 Bytes JMP 004A0094
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!VirtualProtectEx 7774F729 5 Bytes JMP 004A0F61
.text C:\WINDOWS\system32\svchost.exe[708] msvcrt.dll!_open 761D7E48 5 Bytes JMP 00480000
.text C:\WINDOWS\system32\svchost.exe[708] msvcrt.dll!_wsystem 7620B04F 5 Bytes JMP 0048005D
.text C:\WINDOWS\system32\svchost.exe[708] msvcrt.dll!system 7620B16F 5 Bytes JMP 00480FD2
.text C:\WINDOWS\system32\svchost.exe[708] msvcrt.dll!_creat 7620ED29 5 Bytes JMP 00480FE3
.text C:\WINDOWS\system32\svchost.exe[708] msvcrt.dll!_wcreat 7621038E 5 Bytes JMP 00480038
.text C:\WINDOWS\system32\svchost.exe[708] msvcrt.dll!_wopen 76210570 5 Bytes JMP 00480011
.text C:\WINDOWS\system32\svchost.exe[708] ADVAPI32.dll!RegOpenKeyA 7745D2ED 5 Bytes JMP 00490FEF
.text C:\WINDOWS\system32\svchost.exe[708] ADVAPI32.dll!RegCreateKeyA 7745D3C1 5 Bytes JMP 00490022
.text C:\WINDOWS\system32\svchost.exe[708] ADVAPI32.dll!RegCreateKeyExA 77461B71 5 Bytes JMP 00490F80
.text C:\WINDOWS\system32\svchost.exe[708] ADVAPI32.dll!RegCreateKeyW 77461CC0 5 Bytes JMP 00490F91
.text C:\WINDOWS\system32\svchost.exe[708] ADVAPI32.dll!RegOpenKeyW 77463129 5 Bytes JMP 00490000
.text C:\WINDOWS\system32\svchost.exe[708] ADVAPI32.dll!RegCreateKeyExW 7746B946 5 Bytes JMP 00490F65
.text C:\WINDOWS\system32\svchost.exe[708] ADVAPI32.dll!RegOpenKeyExA 7746BC0D 5 Bytes JMP 00490FCA
.text C:\WINDOWS\system32\svchost.exe[708] ADVAPI32.dll!RegOpenKeyExW 7746BEC4 5 Bytes JMP 00490011
.text C:\WINDOWS\system32\svchost.exe[708] WS2_32.dll!socket 75C03F00 5 Bytes JMP 00470FEF
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!GetStartupInfoA 776C1DF0 5 Bytes JMP 003800B6
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateProcessW 776C202D 5 Bytes JMP 003800F6
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateProcessA 776C2062 5 Bytes JMP 003800E5
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateNamedPipeW 776F1FD6 5 Bytes JMP 00380FDE
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreatePipe 776F4A8B 5 Bytes JMP 003800A5
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!VirtualProtect 777050AB 5 Bytes JMP 00380FA8
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!LoadLibraryExW 7770B6BF 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!LoadLibraryExW 7770B6BF 5 Bytes JMP 00380FC3
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!LoadLibraryExA 7770BC8B 5 Bytes JMP 00380080
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateFileW 77710B7D 5 Bytes JMP 00380025
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!GetProcAddress 77711857 5 Bytes JMP 00380111
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!LoadLibraryA 77712884 5 Bytes JMP 0038004A
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!LoadLibraryW 777128D2 5 Bytes JMP 00380065
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateFileA 7771291C 5 Bytes JMP 0038000A
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!GetStartupInfoW 77717CD5 5 Bytes JMP 00380F7C
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateNamedPipeA 7774D5BF 5 Bytes JMP 00380FEF
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!WinExec 7774E76D 5 Bytes JMP 00380F61
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!VirtualProtectEx 7774F729 5 Bytes JMP 00380F97
.text C:\WINDOWS\system32\svchost.exe[904] msvcrt.dll!_open 761D7E48 5 Bytes JMP 002E0FEF
.text C:\WINDOWS\system32\svchost.exe[904] msvcrt.dll!_wsystem 7620B04F 5 Bytes JMP 002E0042
.text C:\WINDOWS\system32\svchost.exe[904] msvcrt.dll!system 7620B16F 5 Bytes JMP 002E0031
.text C:\WINDOWS\system32\svchost.exe[904] msvcrt.dll!_creat 7620ED29 5 Bytes JMP 002E0FC1
.text C:\WINDOWS\system32\svchost.exe[904] msvcrt.dll!_wcreat 7621038E 5 Bytes JMP 002E0016
.text C:\WINDOWS\system32\svchost.exe[904] msvcrt.dll!_wopen 76210570 5 Bytes JMP 002E0FD2
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyA 7745D2ED 5 Bytes JMP 00370000
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyA 7745D3C1 5 Bytes JMP 00370FB6
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyExA 77461B71 5 Bytes JMP 00370F9B
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyW 77461CC0 5 Bytes JMP 0037003D
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyW 77463129 5 Bytes JMP 00370FE5
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyExW 7746B946 5 Bytes JMP 00370F8A
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyExA 7746BC0D 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyExA 7746BC0D 5 Bytes JMP 00370011
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyExW 7746BEC4 5 Bytes JMP 00370022
.text C:\WINDOWS\system32\svchost.exe[904] WS2_32.dll!socket 75C03F00 5 Bytes JMP 002C0FEF
.text C:\WINDOWS\System32\svchost.exe[952] kernel32.dll!GetStartupInfoA 776C1DF0 5 Bytes JMP 00FC0F43
.text C:\WINDOWS\System32\svchost.exe[952] kernel32.dll!CreateProcessW 776C202D 5 Bytes JMP 00FC009B
.text C:\WINDOWS\System32\svchost.exe[952] kernel32.dll!CreateProcessA 776C2062 5 Bytes JMP 00FC0F10
.text C:\WINDOWS\System32\svchost.exe[952] kernel32.dll!CreateNamedPipeW 776F1FD6 5 Bytes JMP 00FC0FAF
.text C:\WINDOWS\System32\svchost.exe[952] kernel32.dll!CreatePipe 776F4A8B 5 Bytes JMP 00FC0F5E
.text C:\WINDOWS\System32\svchost.exe[952] kernel32.dll!VirtualProtect 777050AB 3 Bytes JMP 00FC005B
.text C:\WINDOWS\System32\svchost.exe[952] kernel32.dll!VirtualProtect + 4 777050AF 1 Byte [89]
.text C:\WINDOWS\System32\svchost.exe[952] kernel32.dll!LoadLibraryExW 7770B6BF 3 Bytes JMP 00FC0040
.text C:\WINDOWS\System32\svchost.exe[952] kernel32.dll!LoadLibraryExW + 4 7770B6C3 1 Byte [89]
.text C:\WINDOWS\System32\svchost.exe[952] kernel32.dll!LoadLibraryExA 7770BC8B 3 Bytes JMP 00FC0F79
.text C:\WINDOWS\System32\svchost.exe[952] kernel32.dll!LoadLibraryExA + 4 7770BC8F 1 Byte [89]
.text C:\WINDOWS\System32\svchost.exe[952] kernel32.dll!CreateFileW 77710B7D 3 Bytes JMP 00FC0FE5
.text C:\WINDOWS\System32\svchost.exe[952] kernel32.dll!CreateFileW + 4 77710B81 1 Byte [89]
.text C:\WINDOWS\System32\svchost.exe[952] kernel32.dll!GetProcAddress 77711857 5 Bytes JMP 00FC0EEB
.text C:\WINDOWS\System32\svchost.exe[952] kernel32.dll!LoadLibraryA 77712884 5 Bytes JMP 00FC0F9E
.text C:\WINDOWS\System32\svchost.exe[952] kernel32.dll!LoadLibraryW 777128D2 5 Bytes JMP 00FC0025
.text C:\WINDOWS\System32\svchost.exe[952] kernel32.dll!CreateFileA 7771291C 5 Bytes JMP 00FC0000
.text C:\WINDOWS\System32\svchost.exe[952] kernel32.dll!GetStartupInfoW 77717CD5 5 Bytes JMP 00FC0F32
.text C:\WINDOWS\System32\svchost.exe[952] kernel32.dll!CreateNamedPipeA 7774D5BF 5 Bytes JMP 00FC0FCA
.text C:\WINDOWS\System32\svchost.exe[952] kernel32.dll!WinExec 7774E76D 5 Bytes JMP 00FC0F21
.text C:\WINDOWS\System32\svchost.exe[952] kernel32.dll!VirtualProtectEx 7774F729 5 Bytes JMP 00FC0076
.text C:\WINDOWS\System32\svchost.exe[952] msvcrt.dll!_open 761D7E48 5 Bytes JMP 00F60FE3
.text C:\WINDOWS\System32\svchost.exe[952] msvcrt.dll!_wsystem 7620B04F 5 Bytes JMP 00F60FAD
.text C:\WINDOWS\System32\svchost.exe[952] msvcrt.dll!system 7620B16F 5 Bytes JMP 00F60042
.text C:\WINDOWS\System32\svchost.exe[952] msvcrt.dll!_creat 7620ED29 5 Bytes JMP 00F6001D
.text C:\WINDOWS\System32\svchost.exe[952] msvcrt.dll!_wcreat 7621038E 5 Bytes JMP 00F60FD2
.text C:\WINDOWS\System32\svchost.exe[952] msvcrt.dll!_wopen 76210570 5 Bytes JMP 00F6000C
.text C:\WINDOWS\System32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyA 7745D2ED 5 Bytes JMP 00F70FEF
.text C:\WINDOWS\System32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyA 7745D3C1 5 Bytes JMP 00F70025
.text C:\WINDOWS\System32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyExA 77461B71 5 Bytes JMP 00F70036
.text C:\WINDOWS\System32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyW 77461CC0 5 Bytes JMP 00F70F9E
.text C:\WINDOWS\System32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyW 77463129 5 Bytes JMP 00F7000A
.text C:\WINDOWS\System32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyExW 7746B946 5 Bytes JMP 00F70047
.text C:\WINDOWS\System32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyExA 7746BC0D 5 Bytes JMP 00F70FCA
.text C:\WINDOWS\System32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyExW 7746BEC4 5 Bytes JMP 00F70FB9
.text C:\WINDOWS\System32\svchost.exe[952] WS2_32.dll!socket 75C03F00 5 Bytes JMP 00E80FEF
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!GetStartupInfoA 776C1DF0 5 Bytes JMP 00AD0F54
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!CreateProcessW 776C202D 5 Bytes JMP 00AD0F25
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!CreateProcessA 776C2062 5 Bytes JMP 00AD00C4
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!CreateNamedPipeW 776F1FD6 5 Bytes JMP 00AD0FE5
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!CreatePipe 776F4A8B 5 Bytes JMP 00AD007D
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!VirtualProtect 777050AB 5 Bytes JMP 00AD0062
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!LoadLibraryExW 7770B6BF 5 Bytes JMP 00AD0047
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!LoadLibraryExA 7770BC8B 5 Bytes JMP 00AD0F94
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!CreateFileW 77710B7D 5 Bytes JMP 00AD001B
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!GetProcAddress 77711857 5 Bytes JMP 00AD00D5
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!LoadLibraryA 77712884 5 Bytes JMP 00AD0FCA
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!LoadLibraryW 777128D2 5 Bytes JMP 00AD0FA5
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!CreateFileA 7771291C 5 Bytes JMP 00AD000A
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!GetStartupInfoW 77717CD5 5 Bytes JMP 00AD0098
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!CreateNamedPipeA 7774D5BF 5 Bytes JMP 00AD0036
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!WinExec 7774E76D 5 Bytes JMP 00AD00A9
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!VirtualProtectEx 7774F729 5 Bytes JMP 00AD0F65
.text C:\WINDOWS\System32\svchost.exe[1040] msvcrt.dll!_open 761D7E48 5 Bytes JMP 00A30000
.text C:\WINDOWS\System32\svchost.exe[1040] msvcrt.dll!_wsystem 7620B04F 5 Bytes JMP 00A30F8B
.text C:\WINDOWS\System32\svchost.exe[1040] msvcrt.dll!system 7620B16F 5 Bytes JMP 00A30FA6
.text C:\WINDOWS\System32\svchost.exe[1040] msvcrt.dll!_creat 7620ED29 5 Bytes JMP 00A30FD2
.text C:\WINDOWS\System32\svchost.exe[1040] msvcrt.dll!_wcreat 7621038E 5 Bytes JMP 00A30FB7
.text C:\WINDOWS\System32\svchost.exe[1040] msvcrt.dll!_wopen 76210570 5 Bytes JMP 00A30FE3
.text C:\WINDOWS\System32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyA 7745D2ED 5 Bytes JMP 00A8000A
.text C:\WINDOWS\System32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyA 7745D3C1 5 Bytes JMP 00A80FDB
.text C:\WINDOWS\System32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyExA 77461B71 5 Bytes JMP 00A8006C
.text C:\WINDOWS\System32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyW 77461CC0 5 Bytes JMP 00A80FCA
.text C:\WINDOWS\System32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyW 77463129 5 Bytes JMP 00A8001B
.text C:\WINDOWS\System32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyExW 7746B946 5 Bytes JMP 00A80FB9
.text C:\WINDOWS\System32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyExA 7746BC0D 5 Bytes JMP 00A8002C
.text C:\WINDOWS\System32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyExW 7746BEC4 5 Bytes JMP 00A80047
.text C:\WINDOWS\System32\svchost.exe[1040] WS2_32.dll!socket 75C03F00 5 Bytes JMP 00900FE5
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!GetStartupInfoA 776C1DF0 5 Bytes JMP 00D3007A
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateProcessW 776C202D 5 Bytes JMP 00D300C8
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateProcessA 776C2062 5 Bytes JMP 00D300AD
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateNamedPipeW 776F1FD6 5 Bytes JMP 00D3001B
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreatePipe 776F4A8B 5 Bytes JMP 00D30F5B
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!VirtualProtect 777050AB 5 Bytes JMP 00D30F76
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryExW 7770B6BF 5 Bytes JMP 00D3004E
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryExA 7770BC8B 5 Bytes JMP 00D30F9B
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateFileW 77710B7D 5 Bytes JMP 00D30000
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!GetProcAddress 77711857 5 Bytes JMP 00D30F22
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryA 77712884 5 Bytes JMP 00D3002C
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryW 777128D2 5 Bytes JMP 00D3003D
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateFileA 7771291C 5 Bytes JMP 00D30FEF
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!GetStartupInfoW 77717CD5 5 Bytes JMP 00D3008B
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateNamedPipeA 7774D5BF 5 Bytes JMP 00D30FCA
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!WinExec 7774E76D 5 Bytes JMP 00D3009C
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!VirtualProtectEx 7774F729 5 Bytes JMP 00D30069
.text C:\WINDOWS\system32\svchost.exe[1104] msvcrt.dll!_open 761D7E48 5 Bytes JMP 00CD0000
.text C:\WINDOWS\system32\svchost.exe[1104] msvcrt.dll!_wsystem 7620B04F 5 Bytes JMP 00CD0FCD
.text C:\WINDOWS\system32\svchost.exe[1104] msvcrt.dll!system 7620B16F 5 Bytes JMP 00CD0058
.text C:\WINDOWS\system32\svchost.exe[1104] msvcrt.dll!_creat 7620ED29 5 Bytes JMP 00CD002C
.text C:\WINDOWS\system32\svchost.exe[1104] msvcrt.dll!_wcreat 7621038E 5 Bytes JMP 00CD003D
.text C:\WINDOWS\system32\svchost.exe[1104] msvcrt.dll!_wopen 76210570 5 Bytes JMP 00CD0011
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyA 7745D2ED 5 Bytes JMP 00CE0FEF
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyA 7745D3C1 5 Bytes JMP 00CE0051
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyExA 77461B71 5 Bytes JMP 00CE0073
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyW 77461CC0 5 Bytes JMP 00CE0062
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyW 77463129 5 Bytes JMP 00CE000A
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyExW 7746B946 5 Bytes JMP 00CE0FB6
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyExA 7746BC0D 5 Bytes JMP 00CE0025
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyExW 7746BEC4 5 Bytes JMP 00CE0036
.text C:\WINDOWS\system32\svchost.exe[1104] WS2_32.dll!socket 75C03F00 5 Bytes JMP 009B0000
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!GetStartupInfoA 776C1DF0 5 Bytes JMP 004B00BD
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateProcessW 776C202D 5 Bytes JMP 004B00F3
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateProcessA 776C2062 5 Bytes JMP 004B00E2
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateNamedPipeW 776F1FD6 5 Bytes JMP 004B0036
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreatePipe 776F4A8B 5 Bytes JMP 004B00AC
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!VirtualProtect 777050AB 5 Bytes JMP 004B0F94
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!LoadLibraryExW 7770B6BF 5 Bytes JMP 004B0FB9
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!LoadLibraryExA 7770BC8B 5 Bytes JMP 004B0076
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateFileW 77710B7D 5 Bytes JMP 004B001B
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!GetProcAddress 77711857 5 Bytes JMP 004B0104
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!LoadLibraryA 77712884 5 Bytes JMP 004B0FD4
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!LoadLibraryW 777128D2 5 Bytes JMP 004B0051
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateFileA 7771291C 5 Bytes JMP 004B000A
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!GetStartupInfoW 77717CD5 5 Bytes JMP 004B0F79
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateNamedPipeA 7774D5BF 5 Bytes JMP 004B0FE5
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!WinExec 7774E76D 5 Bytes JMP 004B0F68
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!VirtualProtectEx 7774F729 5 Bytes JMP 004B0091
.text C:\WINDOWS\system32\svchost.exe[1244] msvcrt.dll!_open 761D7E48 5 Bytes JMP 00490000
.text C:\WINDOWS\system32\svchost.exe[1244] msvcrt.dll!_wsystem 7620B04F 5 Bytes JMP 00490022
.text C:\WINDOWS\system32\svchost.exe[1244] msvcrt.dll!system 7620B16F 5 Bytes JMP 00490FA1
.text C:\WINDOWS\system32\svchost.exe[1244] msvcrt.dll!_creat 7620ED29 5 Bytes JMP 00490FCD
.text C:\WINDOWS\system32\svchost.exe[1244] msvcrt.dll!_wcreat 7621038E 5 Bytes JMP 00490FBC
.text C:\WINDOWS\system32\svchost.exe[1244] msvcrt.dll!_wopen 76210570 5 Bytes JMP 00490011
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyA 7745D2ED 5 Bytes JMP 004A0000
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyA 7745D3C1 5 Bytes JMP 004A0FCA
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyExA 77461B71 5 Bytes JMP 004A0FA5
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyW 77461CC0 5 Bytes JMP 004A0051
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyW 77463129 5 Bytes JMP 004A0011
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyExW 7746B946 5 Bytes JMP 004A0062
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyExA 7746BC0D 5 Bytes JMP 004A002C
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyExW 7746BEC4 5 Bytes JMP 004A0FE5
.text C:\WINDOWS\system32\svchost.exe[1244] WS2_32.dll!socket 75C03F00 3 Bytes JMP 004C000A
.text C:\WINDOWS\system32\svchost.exe[1244] WS2_32.dll!socket + 4 75C03F04 1 Byte [8A]
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!GetStartupInfoA 776C1DF0 5 Bytes JMP 02FD0F68
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!CreateProcessW 776C202D 5 Bytes JMP 02FD00E2
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!CreateProcessA 776C2062 5 Bytes JMP 02FD00C7
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!CreateNamedPipeW 776F1FD6 5 Bytes JMP 02FD0FC3
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!CreatePipe 776F4A8B 5 Bytes JMP 02FD0087
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!VirtualProtect 777050AB 5 Bytes JMP 02FD0076
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!LoadLibraryExW 7770B6BF 5 Bytes JMP 02FD0F94
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!LoadLibraryExA 7770BC8B 5 Bytes JMP 02FD0051
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!CreateFileW 77710B7D 3 Bytes JMP 02FD0014
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!CreateFileW + 4 77710B81 1 Byte [8B]
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!GetProcAddress 77711857 3 Bytes JMP 02FD00FD
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!GetProcAddress + 4 7771185B 1 Byte [8B]
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!LoadLibraryA 77712884 3 Bytes JMP 02FD002F
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!LoadLibraryA + 4 77712888 1 Byte [8B]
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!LoadLibraryW 777128D2 3 Bytes JMP 02FD0040
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!LoadLibraryW + 4 777128D6 1 Byte [8B]
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!CreateFileA 7771291C 3 Bytes JMP 02FD0FEF
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!CreateFileA + 4 77712920 1 Byte [8B]
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!GetStartupInfoW 77717CD5 3 Bytes JMP 02FD0F4D
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!GetStartupInfoW + 4 77717CD9 1 Byte [8B]
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!CreateNamedPipeA 7774D5BF 5 Bytes JMP 02FD0FDE
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!WinExec 7774E76D 5 Bytes JMP 02FD00AC
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!VirtualProtectEx 7774F729 5 Bytes JMP 02FD0F83
.text C:\WINDOWS\system32\svchost.exe[1516] msvcrt.dll!_open 761D7E48 5 Bytes JMP 00E60FE3
.text C:\WINDOWS\system32\svchost.exe[1516] msvcrt.dll!_wsystem 7620B04F 5 Bytes JMP 00E6003D
.text C:\WINDOWS\system32\svchost.exe[1516] msvcrt.dll!system 7620B16F 5 Bytes JMP 00E60FBC
.text C:\WINDOWS\system32\svchost.exe[1516] msvcrt.dll!_creat 7620ED29 5 Bytes JMP 00E6001B
.text C:\WINDOWS\system32\svchost.exe[1516] msvcrt.dll!_wcreat 7621038E 5 Bytes JMP 00E6002C
.text C:\WINDOWS\system32\svchost.exe[1516] msvcrt.dll!_wopen 76210570 5 Bytes JMP 00E60000
.text C:\WINDOWS\system32\svchost.exe[1516] ADVAPI32.dll!RegOpenKeyA 7745D2ED 5 Bytes JMP 00E70FE5
.text C:\WINDOWS\system32\svchost.exe[1516] ADVAPI32.dll!RegCreateKeyA 7745D3C1 5 Bytes JMP 00E70025
.text C:\WINDOWS\system32\svchost.exe[1516] ADVAPI32.dll!RegCreateKeyExA 77461B71 5 Bytes JMP 00E70047
.text C:\WINDOWS\system32\svchost.exe[1516] ADVAPI32.dll!RegCreateKeyW 77461CC0 5 Bytes JMP 00E70036
.text C:\WINDOWS\system32\svchost.exe[1516] ADVAPI32.dll!RegOpenKeyW 77463129 5 Bytes JMP 00E7000A
.text C:\WINDOWS\system32\svchost.exe[1516] ADVAPI32.dll!RegCreateKeyExW 7746B946 5 Bytes JMP 00E70F8A
.text C:\WINDOWS\system32\svchost.exe[1516] ADVAPI32.dll!RegOpenKeyExA 7746BC0D 5 Bytes JMP 00E70FCA
.text C:\WINDOWS\system32\svchost.exe[1516] ADVAPI32.dll!RegOpenKeyExW 7746BEC4 5 Bytes JMP 00E70FB9
.text C:\WINDOWS\system32\svchost.exe[1516] WS2_32.dll!socket 75C03F00 5 Bytes JMP 00E50000
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!GetStartupInfoA 776C1DF0 5 Bytes JMP 002200C7
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateProcessW 776C202D 5 Bytes JMP 002200E2
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateProcessA 776C2062 5 Bytes JMP 00220F57
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateNamedPipeW 776F1FD6 5 Bytes JMP 00220047
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreatePipe 776F4A8B 5 Bytes JMP 00220F94
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!VirtualProtect 777050AB 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!VirtualProtect 777050AB 5 Bytes JMP 00220FAF
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!LoadLibraryExW 7770B6BF 5 Bytes JMP 00220087
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!LoadLibraryExA 7770BC8B 5 Bytes JMP 00220FCA
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateFileW 77710B7D 5 Bytes JMP 0022001B
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!GetProcAddress 77711857 5 Bytes JMP 002200F3
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!LoadLibraryA 77712884 5 Bytes JMP 00220FE5
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!LoadLibraryW 777128D2 5 Bytes JMP 0022006C
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateFileA 7771291C 5 Bytes JMP 00220000
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!GetStartupInfoW 77717CD5 5 Bytes JMP 00220F79
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateNamedPipeA 7774D5BF 5 Bytes JMP 00220036
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!WinExec 7774E76D 5 Bytes JMP 00220F68
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!VirtualProtectEx 7774F729 5 Bytes JMP 002200A2
.text C:\WINDOWS\system32\svchost.exe[1820] msvcrt.dll!_open 761D7E48 5 Bytes JMP 00200FEF
.text C:\WINDOWS\system32\svchost.exe[1820] msvcrt.dll!_wsystem 7620B04F 5 Bytes JMP 0020003A
.text C:\WINDOWS\system32\svchost.exe[1820] msvcrt.dll!system 7620B16F 5 Bytes JMP 00200FB9
.text C:\WINDOWS\system32\svchost.exe[1820] msvcrt.dll!_creat 7620ED29 5 Bytes JMP 00200018
.text C:\WINDOWS\system32\svchost.exe[1820] msvcrt.dll!_wcreat 7621038E 5 Bytes JMP 00200029
.text C:\WINDOWS\system32\svchost.exe[1820] msvcrt.dll!_wopen 76210570 5 Bytes JMP 00200FDE
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegOpenKeyA 7745D2ED 5 Bytes JMP 00210FEF
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegCreateKeyA 7745D3C1 5 Bytes JMP 00210FB9
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegCreateKeyExA 77461B71 5 Bytes JMP 0021005B
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegCreateKeyW 77461CC0 5 Bytes JMP 00210036
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegOpenKeyW 77463129 5 Bytes JMP 0021000A
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegCreateKeyExW 7746B946 5 Bytes JMP 0021006C
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegOpenKeyExA 7746BC0D 5 Bytes JMP 00210FD4
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegOpenKeyExW 7746BEC4 5 Bytes JMP 00210025
.text C:\Program Files\Mozilla Firefox 4.0 Beta 7\firefox.exe[1832] ntdll.dll!NtQueryInformationProcess 777E54B0 5 Bytes JMP 003D39A4
.text C:\Program Files\Mozilla Firefox 4.0 Beta 7\firefox.exe[1832] ntdll.dll!LdrLoadDll 777FF625 5 Bytes JMP 00DA1430 C:\Program Files\Mozilla Firefox 4.0 Beta 7\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox 4.0 Beta 7\firefox.exe[1832] WS2_32.dll!closesocket 75C03BED 5 Bytes JMP 003BCDEA
.text C:\Program Files\Mozilla Firefox 4.0 Beta 7\firefox.exe[1832] WS2_32.dll!recv 75C047DF 5 Bytes JMP 003BCB98
.text C:\Program Files\Mozilla Firefox 4.0 Beta 7\firefox.exe[1832] WS2_32.dll!GetAddrInfoW 75C060F5 5 Bytes JMP 003BC175
.text C:\Program Files\Mozilla Firefox 4.0 Beta 7\firefox.exe[1832] WS2_32.dll!getaddrinfo 75C06737 5 Bytes JMP 003BC095
.text C:\Program Files\Mozilla Firefox 4.0 Beta 7\firefox.exe[1832] WS2_32.dll!WSASend 75C068A7 5 Bytes JMP 003BCC42
.text C:\Program Files\Mozilla Firefox 4.0 Beta 7\firefox.exe[1832] WS2_32.dll!WSARecv 75C0C29F 5 Bytes JMP 003BCD03
.text C:\Program Files\Mozilla Firefox 4.0 Beta 7\firefox.exe[1832] WS2_32.dll!send 75C0C4C8 5 Bytes JMP 003BCAF2
.text C:\Program Files\Mozilla Firefox 4.0 Beta 7\firefox.exe[1832] WS2_32.dll!WSAAsyncGetHostByName 75C16D2A 5 Bytes JMP 003BC41F
.text C:\Program Files\Mozilla Firefox 4.0 Beta 7\firefox.exe[1832] WS2_32.dll!gethostbyname 75C17133 5 Bytes JMP 003BBFD8
.text C:\Program Files\Mozilla Firefox 4.0 Beta 7\firefox.exe[1832] USER32.dll!DrawTextExW 76507BDD 5 Bytes JMP 003BD3C5
.text C:\Program Files\Mozilla Firefox 4.0 Beta 7\firefox.exe[1832] USER32.dll!DrawTextW 76508220 5 Bytes JMP 003BD201
.text C:\Program Files\Mozilla Firefox 4.0 Beta 7\firefox.exe[1832] USER32.dll!SetClipboardData 76514979 5 Bytes JMP 003BCE78
.text C:\Program Files\Mozilla Firefox 4.0 Beta 7\firefox.exe[1832] USER32.dll!DrawTextA 7651A482 5 Bytes JMP 003BD125
.text C:\Program Files\Mozilla Firefox 4.0 Beta 7\firefox.exe[1832] USER32.dll!DrawTextExA 7651A4B9 5 Bytes JMP 003BD2DD
.text C:\Program Files\Mozilla Firefox 4.0 Beta 7\firefox.exe[1832] USER32.dll!DialogBoxParamW 7652564A 5 Bytes JMP 003BC4FA
.text C:\Program Files\Mozilla Firefox 4.0 Beta 7\firefox.exe[1832] GDI32.dll!ExtTextOutW 76708053 2 Bytes JMP 003BD592
.text C:\Program Files\Mozilla Firefox 4.0 Beta 7\firefox.exe[1832] GDI32.dll!ExtTextOutW + 3 76708056 2 Bytes [CB, 89]
.text C:\Program Files\Mozilla Firefox 4.0 Beta 7\firefox.exe[1832] GDI32.dll!GetGlyphIndicesW 7670B521 5 Bytes JMP 003BDA13
.text C:\Program Files\Mozilla Firefox 4.0 Beta 7\firefox.exe[1832] GDI32.dll!ExtTextOutA 76710158 5 Bytes JMP 003BD4AD
.text C:\Program Files\Mozilla Firefox 4.0 Beta 7\firefox.exe[1832] GDI32.dll!TextOutA 76710878 5 Bytes JMP 003BCF8B
.text C:\Program Files\Mozilla Firefox 4.0 Beta 7\firefox.exe[1832] GDI32.dll!TextOutW 767214B9 5 Bytes JMP 003BD058
.text C:\Program Files\Mozilla Firefox 4.0 Beta 7\firefox.exe[1832] GDI32.dll!GetGlyphIndicesA 7672BC42 5 Bytes JMP 003BD949
.text C:\WINDOWS\system32\svchost.exe[1856] kernel32.dll!GetStartupInfoA 776C1DF0 5 Bytes JMP 010D0F57
.text C:\WINDOWS\system32\svchost.exe[1856] kernel32.dll!CreateProcessW 776C202D 5 Bytes JMP 010D00B6
.text C:\WINDOWS\system32\svchost.exe[1856] kernel32.dll!CreateProcessA 776C2062 5 Bytes JMP 010D009B
.text C:\WINDOWS\system32\svchost.exe[1856] kernel32.dll!CreateNamedPipeW 776F1FD6 5 Bytes JMP 010D001E
.text C:\WINDOWS\system32\svchost.exe[1856] kernel32.dll!CreatePipe 776F4A8B 5 Bytes JMP 010D0F68
.text C:\WINDOWS\system32\svchost.exe[1856] kernel32.dll!VirtualProtect 777050AB 5 Bytes JMP 010D0F83
.text C:\WINDOWS\system32\svchost.exe[1856] kernel32.dll!LoadLibraryExW 7770B6BF 5 Bytes JMP 010D0F94
.text C:\WINDOWS\system32\svchost.exe[1856] kernel32.dll!LoadLibraryExA 7770BC8B 5 Bytes JMP 010D0051
.text C:\WINDOWS\system32\svchost.exe[1856] kernel32.dll!CreateFileW 77710B7D 5 Bytes JMP 010D0FD4
.text C:\WINDOWS\system32\svchost.exe[1856] kernel32.dll!GetProcAddress 77711857 5 Bytes JMP 010D0F06
.text C:\WINDOWS\system32\svchost.exe[1856] kernel32.dll!LoadLibraryA 77712884 5 Bytes JMP 010D002F
.text C:\WINDOWS\system32\svchost.exe[1856] kernel32.dll!LoadLibraryW 777128D2 5 Bytes JMP 010D0040
.text C:\WINDOWS\system32\svchost.exe[1856] kernel32.dll!CreateFileA 7771291C 5 Bytes JMP 010D0FEF
.text C:\WINDOWS\system32\svchost.exe[1856] kernel32.dll!GetStartupInfoW 77717CD5 5 Bytes JMP 010D0F3C
.text C:\WINDOWS\system32\svchost.exe[1856] kernel32.dll!CreateNamedPipeA 7774D5BF 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[1856] kernel32.dll!CreateNamedPipeA 7774D5BF 5 Bytes JMP 010D0FC3
.text C:\WINDOWS\system32\svchost.exe[1856] kernel32.dll!WinExec 7774E76D 5 Bytes JMP 010D0F21
.text C:\WINDOWS\system32\svchost.exe[1856] kernel32.dll!VirtualProtectEx 7774F729 5 Bytes JMP 010D0076
.text C:\WINDOWS\system32\svchost.exe[1856] msvcrt.dll!_open 761D7E48 5 Bytes JMP 01030000
.text C:\WINDOWS\system32\svchost.exe[1856] msvcrt.dll!_wsystem 7620B04F 5 Bytes JMP 0103004C
.text C:\WINDOWS\system32\svchost.exe[1856] msvcrt.dll!system 7620B16F 5 Bytes JMP 01030FC1
.text C:\WINDOWS\system32\svchost.exe[1856] msvcrt.dll!_creat 7620ED29 5 Bytes JMP 01030FE3
.text C:\WINDOWS\system32\svchost.exe[1856] msvcrt.dll!_wcreat 7621038E 5 Bytes JMP 01030FD2
.text C:\WINDOWS\system32\svchost.exe[1856] msvcrt.dll!_wopen 76210570 5 Bytes JMP 0103001D
.text C:\WINDOWS\system32\svchost.exe[1856] ADVAPI32.dll!RegOpenKeyA 7745D2ED 5 Bytes JMP 0108000A
.text C:\WINDOWS\system32\svchost.exe[1856] ADVAPI32.dll!RegCreateKeyA 7745D3C1 5 Bytes JMP 01080FCA
.text C:\WINDOWS\system32\svchost.exe[1856] ADVAPI32.dll!RegCreateKeyExA 77461B71 5 Bytes JMP 01080051
.text C:\WINDOWS\system32\svchost.exe[1856] ADVAPI32.dll!RegCreateKeyW 77461CC0 5 Bytes JMP 01080FAF
.text C:\WINDOWS\system32\svchost.exe[1856] ADVAPI32.dll!RegOpenKeyW 77463129 5 Bytes JMP 01080FEF
.text C:\WINDOWS\system32\svchost.exe[1856] ADVAPI32.dll!RegCreateKeyExW 7746B946 5 Bytes JMP 0108006C
.text C:\WINDOWS\system32\svchost.exe[1856] ADVAPI32.dll!RegOpenKeyExA 7746BC0D 5 Bytes JMP 01080025
.text C:\WINDOWS\system32\svchost.exe[1856] ADVAPI32.dll!RegOpenKeyExW 7746BEC4 5 Bytes JMP 01080036
.text C:\WINDOWS\system32\svchost.exe[1856] WS2_32.dll!socket 75C03F00 5 Bytes JMP 01020FE5
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2328] kernel32.dll!GetStartupInfoA 776C1DF0 5 Bytes JMP 03AE0F76
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2328] kernel32.dll!CreateProcessW 776C202D 5 Bytes JMP 03AE0F14
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2328] kernel32.dll!CreateProcessA 776C2062 5 Bytes JMP 03AE0F2F
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2328] kernel32.dll!CreateNamedPipeW 776F1FD6 5 Bytes JMP 03AE0025
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2328] kernel32.dll!CreatePipe 776F4A8B 5 Bytes JMP 03AE009F
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2328] kernel32.dll!VirtualProtect 777050AB 5 Bytes JMP 03AE007D
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2328] kernel32.dll!LoadLibraryExW 7770B6BF 5 Bytes JMP 03AE0062
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2328] kernel32.dll!LoadLibraryExA 7770BC8B 5 Bytes JMP 03AE0051
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2328] kernel32.dll!CreateFileW 77710B7D 5 Bytes JMP 03AE000A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2328] kernel32.dll!GetProcAddress 77711857 5 Bytes JMP 03AE00C4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2328] kernel32.dll!LoadLibraryA 77712884 5 Bytes JMP 03AE0FB9
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2328] kernel32.dll!LoadLibraryW 777128D2 5 Bytes JMP 03AE0040
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2328] kernel32.dll!CreateFileA 7771291C 5 Bytes JMP 03AE0FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2328] kernel32.dll!GetStartupInfoW 77717CD5 5 Bytes JMP 03AE0F5B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2328] kernel32.dll!CreateNamedPipeA 7774D5BF 5 Bytes JMP 03AE0FD4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2328] kernel32.dll!WinExec 7774E76D 5 Bytes JMP 03AE0F4A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2328] kernel32.dll!VirtualProtectEx 7774F729 5 Bytes JMP 03AE008E
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2328] msvcrt.dll!_open 761D7E48 5 Bytes JMP 03980000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2328] msvcrt.dll!_wsystem 7620B04F 5 Bytes JMP 03980042
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2328] msvcrt.dll!system 7620B16F 5 Bytes JMP 03980FB7
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2328] msvcrt.dll!_creat 7620ED29 5 Bytes JMP 03980FE3
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2328] msvcrt.dll!_wcreat 7621038E 5 Bytes JMP 03980FC8
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2328] msvcrt.dll!_wopen 76210570 5 Bytes JMP 03980011
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2328] ADVAPI32.dll!RegOpenKeyA 7745D2ED 5 Bytes JMP 03990000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2328] ADVAPI32.dll!RegCreateKeyA 7745D3C1 5 Bytes JMP 03990FCA
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2328] ADVAPI32.dll!RegCreateKeyExA 77461B71 5 Bytes JMP 03990051
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2328] ADVAPI32.dll!RegCreateKeyW 77461CC0 5 Bytes JMP 03990FB9
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2328] ADVAPI32.dll!RegOpenKeyW 77463129 5 Bytes JMP 03990011
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2328] ADVAPI32.dll!RegCreateKeyExW 7746B946 5 Bytes JMP 03990062
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2328] ADVAPI32.dll!RegOpenKeyExA 7746BC0D 5 Bytes JMP 03990FE5
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2328] ADVAPI32.dll!RegOpenKeyExW 7746BEC4 5 Bytes JMP 03990036
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2328] WS2_32.dll!socket 75C03F00 5 Bytes JMP 03970000
.text C:\WINDOWS\System32\svchost.exe[2620] kernel32.dll!GetStartupInfoA 776C1DF0 5 Bytes JMP 00210068
.text C:\WINDOWS\System32\svchost.exe[2620] kernel32.dll!CreateProcessW 776C202D 5 Bytes JMP 002100AF
.text C:\WINDOWS\System32\svchost.exe[2620] kernel32.dll!CreateProcessA 776C2062 5 Bytes JMP 0021009E
.text C:\WINDOWS\System32\svchost.exe[2620] kernel32.dll!CreateNamedPipeW 776F1FD6 5 Bytes JMP 00210FC3
.text C:\WINDOWS\System32\svchost.exe[2620] kernel32.dll!CreatePipe 776F4A8B 5 Bytes JMP 00210F35
.text C:\WINDOWS\System32\svchost.exe[2620] kernel32.dll!VirtualProtect 777050AB 5 Bytes JMP 00210F61
.text C:\WINDOWS\System32\svchost.exe[2620] kernel32.dll!LoadLibraryExW 7770B6BF 5 Bytes JMP 00210F7C
.text C:\WINDOWS\System32\svchost.exe[2620] kernel32.dll!LoadLibraryExA 7770BC8B 5 Bytes JMP 00210039
.text C:\WINDOWS\System32\svchost.exe[2620] kernel32.dll!CreateFileW 77710B7D 5 Bytes JMP 00210FEF
.text C:\WINDOWS\System32\svchost.exe[2620] kernel32.dll!GetProcAddress 77711857 5 Bytes JMP 00210F09
.text C:\WINDOWS\System32\svchost.exe[2620] kernel32.dll!LoadLibraryA 77712884 5 Bytes JMP 00210FB2
.text C:\WINDOWS\System32\svchost.exe[2620] kernel32.dll!LoadLibraryW 777128D2 5 Bytes JMP 00210F97
.text C:\WINDOWS\System32\svchost.exe[2620] kernel32.dll!CreateFileA 7771291C 5 Bytes JMP 00210000
.text C:\WINDOWS\System32\svchost.exe[2620] kernel32.dll!GetStartupInfoW 77717CD5 5 Bytes JMP 00210083
.text C:\WINDOWS\System32\svchost.exe[2620] kernel32.dll!CreateNamedPipeA 7774D5BF 5 Bytes JMP 00210FD4
.text C:\WINDOWS\System32\svchost.exe[2620] kernel32.dll!WinExec 7774E76D 5 Bytes JMP 00210F24
.text C:\WINDOWS\System32\svchost.exe[2620] kernel32.dll!VirtualProtectEx 7774F729 5 Bytes JMP 00210F50
.text C:\WINDOWS\System32\svchost.exe[2620] msvcrt.dll!_open 761D7E48 5 Bytes JMP 001F0000
.text C:\WINDOWS\System32\svchost.exe[2620] msvcrt.dll!_wsystem 7620B04F 5 Bytes JMP 001F0FB5
.text C:\WINDOWS\System32\svchost.exe[2620] msvcrt.dll!system 7620B16F 5 Bytes JMP 001F0FC6
.text C:\WINDOWS\System32\svchost.exe[2620] msvcrt.dll!_creat 7620ED29 5 Bytes JMP 001F001B
.text C:\WINDOWS\System32\svchost.exe[2620] msvcrt.dll!_wcreat 7621038E 5 Bytes JMP 001F002C
.text C:\WINDOWS\System32\svchost.exe[2620] msvcrt.dll!_wopen 76210570 5 Bytes JMP 001F0FD7
.text C:\WINDOWS\System32\svchost.exe[2620] ADVAPI32.dll!RegOpenKeyA 7745D2ED 5 Bytes JMP 00200FEF
.text C:\WINDOWS\System32\svchost.exe[2620] ADVAPI32.dll!RegCreateKeyA 7745D3C1 5 Bytes JMP 0020002F
.text C:\WINDOWS\System32\svchost.exe[2620] ADVAPI32.dll!RegCreateKeyExA 77461B71 5 Bytes JMP 00200040
.text C:\WINDOWS\System32\svchost.exe[2620] ADVAPI32.dll!RegCreateKeyW 77461CC0 5 Bytes JMP 00200FA8
.text C:\WINDOWS\System32\svchost.exe[2620] ADVAPI32.dll!RegOpenKeyW 77463129 5 Bytes JMP 00200000
.text C:\WINDOWS\System32\svchost.exe[2620] ADVAPI32.dll!RegCreateKeyExW 7746B946 5 Bytes JMP 00200051
.text C:\WINDOWS\System32\svchost.exe[2620] ADVAPI32.dll!RegOpenKeyExA 7746BC0D 5 Bytes JMP 00200FCA
.text C:\WINDOWS\System32\svchost.exe[2620] ADVAPI32.dll!RegOpenKeyExW 7746BEC4 5 Bytes JMP 00200FB9
.text C:\WINDOWS\System32\svchost.exe[2620] WS2_32.dll!socket 75C03F00 5 Bytes JMP 001E0FEF
.text C:\WINDOWS\system32\svchost.exe[2676] kernel32.dll!GetStartupInfoA 776C1DF0 5 Bytes JMP 00110073
.text C:\WINDOWS\system32\svchost.exe[2676] kernel32.dll!CreateProcessW 776C202D 5 Bytes JMP 00110F00
.text C:\WINDOWS\system32\svchost.exe[2676] kernel32.dll!CreateProcessA 776C2062 5 Bytes JMP 0011009F
.text C:\WINDOWS\system32\svchost.exe[2676] kernel32.dll!CreateNamedPipeW 776F1FD6 5 Bytes JMP 0011002C
.text C:\WINDOWS\system32\svchost.exe[2676] kernel32.dll!CreatePipe 776F4A8B 5 Bytes JMP 00110F4A
.text C:\WINDOWS\system32\svchost.exe[2676] kernel32.dll!VirtualProtect 777050AB 5 Bytes JMP 00110F80
.text C:\WINDOWS\system32\svchost.exe[2676] kernel32.dll!LoadLibraryExW 7770B6BF 5 Bytes JMP 00110FA5
.text C:\WINDOWS\system32\svchost.exe[2676] kernel32.dll!LoadLibraryExA 7770BC8B 5 Bytes JMP 00110062
.text C:\WINDOWS\system32\svchost.exe[2676] kernel32.dll!CreateFileW 77710B7D 5 Bytes JMP 0011001B
.text C:\WINDOWS\system32\svchost.exe[2676] kernel32.dll!GetProcAddress 77711857 5 Bytes JMP 00110EE5
.text C:\WINDOWS\system32\svchost.exe[2676] kernel32.dll!LoadLibraryA 77712884 5 Bytes JMP 00110FB6
.text C:\WINDOWS\system32\svchost.exe[2676] kernel32.dll!LoadLibraryW 777128D2 5 Bytes JMP 00110047
.text C:\WINDOWS\system32\svchost.exe[2676] kernel32.dll!CreateFileA 7771291C 5 Bytes JMP 00110000
.text C:\WINDOWS\system32\svchost.exe[2676] kernel32.dll!GetStartupInfoW 77717CD5 5 Bytes JMP 00110F25
.text C:\WINDOWS\system32\svchost.exe[2676] kernel32.dll!CreateNamedPipeA 7774D5BF 5 Bytes JMP 00110FDB
.text C:\WINDOWS\system32\svchost.exe[2676] kernel32.dll!WinExec 7774E76D 5 Bytes JMP 0011008E
.text C:\WINDOWS\system32\svchost.exe[2676] kernel32.dll!VirtualProtectEx 7774F729 5 Bytes JMP 00110F6F
.text C:\WINDOWS\system32\svchost.exe[2676] msvcrt.dll!_open 761D7E48 5 Bytes JMP 00020000
.text C:\WINDOWS\system32\svchost.exe[2676] msvcrt.dll!_wsystem 7620B04F 5 Bytes JMP 00020FA6
.text C:\WINDOWS\system32\svchost.exe[2676] msvcrt.dll!system 7620B16F 5 Bytes JMP 00020031
.text C:\WINDOWS\system32\svchost.exe[2676] msvcrt.dll!_creat 7620ED29 5 Bytes JMP 00020FD2
.text C:\WINDOWS\system32\svchost.exe[2676] msvcrt.dll!_wcreat 7621038E 5 Bytes JMP 00020FC1
.text C:\WINDOWS\system32\svchost.exe[2676] msvcrt.dll!_wopen 76210570 5 Bytes JMP 00020FE3
.text C:\WINDOWS\system32\svchost.exe[2676] ADVAPI32.dll!RegOpenKeyA 7745D2ED 5 Bytes JMP 00120FE5
.text C:\WINDOWS\system32\svchost.exe[2676] ADVAPI32.dll!RegCreateKeyA 7745D3C1 5 Bytes JMP 00120FA8
.text C:\WINDOWS\system32\svchost.exe[2676] ADVAPI32.dll!RegCreateKeyExA 77461B71 5 Bytes JMP 00120040
.text C:\WINDOWS\system32\svchost.exe[2676] ADVAPI32.dll!RegCreateKeyW 77461CC0 5 Bytes JMP 0012002F
.text C:\WINDOWS\system32\svchost.exe[2676] ADVAPI32.dll!RegOpenKeyW 77463129 5 Bytes JMP 00120FD4
.text C:\WINDOWS\system32\svchost.exe[2676] ADVAPI32.dll!RegCreateKeyExW 7746B946 5 Bytes JMP 00120051
.text C:\WINDOWS\system32\svchost.exe[2676] ADVAPI32.dll!RegOpenKeyExA 7746BC0D 5 Bytes JMP 00120FC3
.text C:\WINDOWS\system32\svchost.exe[2676] ADVAPI32.dll!RegOpenKeyExW 7746BEC4 5 Bytes JMP 00120014
.text C:\WINDOWS\system32\svchost.exe[2708] kernel32.dll!GetStartupInfoA 776C1DF0 5 Bytes JMP 004200C4
.text C:\WINDOWS\system32\svchost.exe[2708] kernel32.dll!CreateProcessW 776C202D 5 Bytes JMP 004200E9
.text C:\WINDOWS\system32\svchost.exe[2708] kernel32.dll!CreateProcessA 776C2062 5 Bytes JMP 00420F54
.text C:\WINDOWS\system32\svchost.exe[2708] kernel32.dll!CreateNamedPipeW 776F1FD6 5 Bytes JMP 00420FDB
.text C:\WINDOWS\system32\svchost.exe[2708] kernel32.dll!CreatePipe 776F4A8B 5 Bytes JMP 004200B3
.text C:\WINDOWS\system32\svchost.exe[2708] kernel32.dll!VirtualProtect 777050AB 5 Bytes JMP 00420098
.text C:\WINDOWS\system32\svchost.exe[2708] kernel32.dll!LoadLibraryExW 7770B6BF 5 Bytes JMP 00420FB6
.text C:\WINDOWS\system32\svchost.exe[2708] kernel32.dll!LoadLibraryExA 7770BC8B 5 Bytes JMP 00420069
.text C:\WINDOWS\system32\svchost.exe[2708] kernel32.dll!CreateFileW 77710B7D 5 Bytes JMP 0042001B
.text C:\WINDOWS\system32\svchost.exe[2708] kernel32.dll!GetProcAddress 77711857 5 Bytes JMP 00420F2F
.text C:\WINDOWS\system32\svchost.exe[2708] kernel32.dll!LoadLibraryA 77712884 5 Bytes JMP 00420047
.text C:\WINDOWS\system32\svchost.exe[2708] kernel32.dll!LoadLibraryW 777128D2 5 Bytes JMP 00420058
.text C:\WINDOWS\system32\svchost.exe[2708] kernel32.dll!CreateFileA 7771291C 5 Bytes JMP 00420000
.text C:\WINDOWS\system32\svchost.exe[2708] kernel32.dll!GetStartupInfoW 77717CD5 5 Bytes JMP 00420F8A
.text C:\WINDOWS\system32\svchost.exe[2708] kernel32.dll!CreateNamedPipeA 7774D5BF 5 Bytes JMP 0042002C
.text C:\WINDOWS\system32\svchost.exe[2708] kernel32.dll!WinExec 7774E76D 5 Bytes JMP 00420F6F
.text C:\WINDOWS\system32\svchost.exe[2708] kernel32.dll!VirtualProtectEx 7774F729 5 Bytes JMP 00420FA5
.text C:\WINDOWS\system32\svchost.exe[2708] msvcrt.dll!_open 761D7E48 5 Bytes JMP 00370000
.text C:\WINDOWS\system32\svchost.exe[2708] msvcrt.dll!_wsystem 7620B04F 5 Bytes JMP 00370033
.text C:\WINDOWS\system32\svchost.exe[2708] msvcrt.dll!system 7620B16F 5 Bytes JMP 00370022
.text C:\WINDOWS\system32\svchost.exe[2708] msvcrt.dll!_creat 7620ED29 5 Bytes JMP 00370FBC
.text C:\WINDOWS\system32\svchost.exe[2708] msvcrt.dll!_wcreat 7621038E 5 Bytes JMP 00370011
.text C:\WINDOWS\system32\svchost.exe[2708] msvcrt.dll!_wopen 76210570 5 Bytes JMP 00370FE3
.text C:\WINDOWS\system32\svchost.exe[2708] ADVAPI32.dll!RegOpenKeyA 7745D2ED 5 Bytes JMP 00380000
.text C:\WINDOWS\system32\svchost.exe[2708] ADVAPI32.dll!RegCreateKeyA 7745D3C1 5 Bytes JMP 00380FB9
.text C:\WINDOWS\system32\svchost.exe[2708] ADVAPI32.dll!RegCreateKeyExA 77461B71 5 Bytes JMP 00380FA8
.text C:\WINDOWS\system32\svchost.exe[2708] ADVAPI32.dll!RegCreateKeyW 77461CC0 5 Bytes JMP 00380040
.text C:\WINDOWS\system32\svchost.exe[2708] ADVAPI32.dll!RegOpenKeyW 77463129 5 Bytes JMP 00380FDB
.text C:\WINDOWS\system32\svchost.exe[2708] ADVAPI32.dll!RegCreateKeyExW 7746B946 5 Bytes JMP 00380F97
.text C:\WINDOWS\system32\svchost.exe[2708] ADVAPI32.dll!RegOpenKeyExA 7746BC0D 5 Bytes JMP 00380FCA
.text C:\WINDOWS\system32\svchost.exe[2708] ADVAPI32.dll!RegOpenKeyExW 7746BEC4 5 Bytes JMP 0038001B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2968] kernel32.dll!GetStartupInfoA 776C1DF0 5 Bytes JMP 00880080
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2968] kernel32.dll!CreateProcessW 776C202D 5 Bytes JMP 00880F1E
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2968] kernel32.dll!CreateProcessA 776C2062 5 Bytes JMP 008800BD
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2968] kernel32.dll!CreateNamedPipeW 776F1FD6 5 Bytes JMP 0088001E
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2968] kernel32.dll!CreatePipe 776F4A8B 5 Bytes JMP 0088006F
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2968] kernel32.dll!VirtualProtect 777050AB 5 Bytes JMP 00880F72
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2968] kernel32.dll!LoadLibraryExW 7770B6BF 5 Bytes JMP 00880F8D
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2968] kernel32.dll!LoadLibraryExA 7770BC8B 5 Bytes JMP 00880F9E
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2968] kernel32.dll!CreateFileW 77710B7D 5 Bytes JMP 00880FDE
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2968] kernel32.dll!GetProcAddress 77711857 5 Bytes JMP 008800CE
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2968] kernel32.dll!LoadLibraryA 77712884 5 Bytes JMP 0088002F
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2968] kernel32.dll!LoadLibraryW 777128D2 5 Bytes JMP 00880040
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2968] kernel32.dll!CreateFileA 7771291C 5 Bytes JMP 00880FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2968] kernel32.dll!GetStartupInfoW 77717CD5 5 Bytes JMP 0088009B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2968] kernel32.dll!CreateNamedPipeA 7774D5BF 5 Bytes JMP 00880FCD
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2968] kernel32.dll!WinExec 7774E76D 5 Bytes JMP 008800AC
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2968] kernel32.dll!VirtualProtectEx 7774F729 5 Bytes JMP 00880F61
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2968] msvcrt.dll!_open 761D7E48 5 Bytes JMP 00860000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2968] msvcrt.dll!_wsystem 7620B04F 5 Bytes JMP 00860FC8
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2968] msvcrt.dll!system 7620B16F 5 Bytes JMP 00860FD9
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2968] msvcrt.dll!_creat 7620ED29 5 Bytes JMP 00860038
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2968] msvcrt.dll!_wcreat 7621038E 5 Bytes JMP 00860053
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2968] msvcrt.dll!_wopen 76210570 5 Bytes JMP 0086001D
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2968] ADVAPI32.dll!RegOpenKeyA 7745D2ED 5 Bytes JMP 00870000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2968] ADVAPI32.dll!RegCreateKeyA 7745D3C1 5 Bytes JMP 00870040
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2968] ADVAPI32.dll!RegCreateKeyExA 77461B71 5 Bytes JMP 0087005B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2968] ADVAPI32.dll!RegCreateKeyW 77461CC0 5 Bytes JMP 00870FB9
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2968] ADVAPI32.dll!RegOpenKeyW 77463129 5 Bytes JMP 00870FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2968] ADVAPI32.dll!RegCreateKeyExW 7746B946 5 Bytes JMP 00870F9E
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2968] ADVAPI32.dll!RegOpenKeyExA 7746BC0D 5 Bytes JMP 00870FDE
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2968] ADVAPI32.dll!RegOpenKeyExW 7746BEC4 5 Bytes JMP 00870025
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2968] WS2_32.dll!socket 75C03F00 5 Bytes JMP 004F0FEF
.text C:\WINDOWS\system32\svchost.exe[4136] kernel32.dll!GetStartupInfoA 776C1DF0 5 Bytes JMP 00010F09
.text C:\WINDOWS\system32\svchost.exe[4136] kernel32.dll!CreateProcessW 776C202D 5 Bytes JMP 0001008A
.text C:\WINDOWS\system32\svchost.exe[4136] kernel32.dll!CreateProcessA 776C2062 5 Bytes JMP 00010079
.text C:\WINDOWS\system32\svchost.exe[4136] kernel32.dll!CreateNamedPipeW 776F1FD6 5 Bytes JMP 00010FA8
.text C:\WINDOWS\system32\svchost.exe[4136] kernel32.dll!CreatePipe 776F4A8B 5 Bytes JMP 00010F24
.text C:\WINDOWS\system32\svchost.exe[4136] kernel32.dll!VirtualProtect 777050AB 5 Bytes JMP 00010F50
.text C:\WINDOWS\system32\svchost.exe[4136] kernel32.dll!LoadLibraryExW 7770B6BF 5 Bytes JMP 00010F61
.text C:\WINDOWS\system32\svchost.exe[4136] kernel32.dll!LoadLibraryExA 7770BC8B 5 Bytes JMP 0001001E
.text C:\WINDOWS\system32\svchost.exe[4136] kernel32.dll!CreateFileW 77710B7D 5 Bytes JMP 00010FCA
.text C:\WINDOWS\system32\svchost.exe[4136] kernel32.dll!GetProcAddress 77711857 5 Bytes JMP 0001009B
.text C:\WINDOWS\system32\svchost.exe[4136] kernel32.dll!LoadLibraryA 77712884 5 Bytes JMP 00010F8D
.text C:\WINDOWS\system32\svchost.exe[4136] kernel32.dll!LoadLibraryW 777128D2 5 Bytes JMP 00010F7C
.text C:\WINDOWS\system32\svchost.exe[4136] kernel32.dll!CreateFileA 7771291C 5 Bytes JMP 00010FE5
.text C:\WINDOWS\system32\svchost.exe[4136] kernel32.dll!GetStartupInfoW 77717CD5 5 Bytes JMP 0001004D
.text C:\WINDOWS\system32\svchost.exe[4136] kernel32.dll!CreateNamedPipeA 7774D5BF 5 Bytes JMP 00010FB9
.text C:\WINDOWS\system32\svchost.exe[4136] kernel32.dll!WinExec 7774E76D 5 Bytes JMP 00010068
.text C:\WINDOWS\system32\svchost.exe[4136] kernel32.dll!VirtualProtectEx 7774F729 5 Bytes JMP 00010F3F
.text C:\WINDOWS\system32\svchost.exe[4136] msvcrt.dll!_open 761D7E48 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\svchost.exe[4136] msvcrt.dll!_wsystem 7620B04F 5 Bytes JMP 0006005D
.text C:\WINDOWS\system32\svchost.exe[4136] msvcrt.dll!system 7620B16F 5 Bytes JMP 0006004C
.text C:\WINDOWS\system32\svchost.exe[4136] msvcrt.dll!_creat 7620ED29 5 Bytes JMP 00060FD2
.text C:\WINDOWS\system32\svchost.exe[4136] msvcrt.dll!_wcreat 7621038E 5 Bytes JMP 00060027
.text C:\WINDOWS\system32\svchost.exe[4136] msvcrt.dll!_wopen 76210570 5 Bytes JMP 0006000C
.text C:\WINDOWS\system32\svchost.exe[4136] ADVAPI32.dll!RegOpenKeyA 7745D2ED 5 Bytes JMP 0007000A
.text C:\WINDOWS\system32\svchost.exe[4136] ADVAPI32.dll!RegCreateKeyA 7745D3C1 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\svchost.exe[4136] ADVAPI32.dll!RegCreateKeyExA 77461B71 5 Bytes JMP 0007006C
.text C:\WINDOWS\system32\svchost.exe[4136] ADVAPI32.dll!RegCreateKeyW 77461CC0 5 Bytes JMP 00070FCA
.text C:\WINDOWS\system32\svchost.exe[4136] ADVAPI32.dll!RegOpenKeyW 77463129 5 Bytes JMP 0007001B
.text C:\WINDOWS\system32\svchost.exe[4136] ADVAPI32.dll!RegCreateKeyExW 7746B946 5 Bytes JMP 00070FA5
.text C:\WINDOWS\system32\svchost.exe[4136] ADVAPI32.dll!RegOpenKeyExA 7746BC0D 5 Bytes JMP 00070036
.text C:\WINDOWS\system32\svchost.exe[4136] ADVAPI32.dll!RegOpenKeyExW 7746BEC4 5 Bytes JMP 00070051
.text C:\WINDOWS\system32\svchost.exe[4136] WS2_32.dll!socket 75C03F00 5 Bytes JMP 00390000
.text C:\Program Files\Mozilla Firefox 4.0 Beta 7\plugin-container.exe[5768] USER32.dll!SetWindowLongA 764FB1E3 5 Bytes JMP 585FCF00 C:\Program Files\Mozilla Firefox 4.0 Beta 7\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox 4.0 Beta 7\plugin-container.exe[5768] USER32.dll!SetWindowLongW 76506614 5 Bytes JMP 585FCEA0 C:\Program Files\Mozilla Firefox 4.0 Beta 7\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox 4.0 Beta 7\plugin-container.exe[5768] USER32.dll!TrackPopupMenu 76524B3B 5 Bytes JMP 58461695 C:\Program Files\Mozilla Firefox 4.0 Beta 7\xul.dll (Mozilla Foundation)
.text C:\WINDOWS\Explorer.EXE[5952] kernel32.dll!GetStartupInfoA 776C1DF0 5 Bytes JMP 00010076
.text C:\WINDOWS\Explorer.EXE[5952] kernel32.dll!CreateProcessW 776C202D 5 Bytes JMP 000100CE
.text C:\WINDOWS\Explorer.EXE[5952] kernel32.dll!CreateProcessA 776C2062 5 Bytes JMP 000100BD
.text C:\WINDOWS\Explorer.EXE[5952] kernel32.dll!CreateNamedPipeW 776F1FD6 5 Bytes JMP 00010FAF
.text C:\WINDOWS\Explorer.EXE[5952] kernel32.dll!CreatePipe 776F4A8B 5 Bytes JMP 00010F4D
.text C:\WINDOWS\Explorer.EXE[5952] kernel32.dll!VirtualProtect 777050AB 5 Bytes JMP 00010F5E
.text C:\WINDOWS\Explorer.EXE[5952] kernel32.dll!LoadLibraryExW 7770B6BF 5 Bytes JMP 00010F6F
.text C:\WINDOWS\Explorer.EXE[5952] kernel32.dll!LoadLibraryExA 7770BC8B 5 Bytes JMP 00010F94
.text C:\WINDOWS\Explorer.EXE[5952] kernel32.dll!CreateFileW 77710B7D 5 Bytes JMP 00010FD4
.text C:\WINDOWS\Explorer.EXE[5952] kernel32.dll!GetProcAddress 77711857 5 Bytes JMP 000100E9
.text C:\WINDOWS\Explorer.EXE[5952] kernel32.dll!LoadLibraryA 77712884 5 Bytes JMP 00010025
.text C:\WINDOWS\Explorer.EXE[5952] kernel32.dll!LoadLibraryW 777128D2 5 Bytes JMP 00010036
.text C:\WINDOWS\Explorer.EXE[5952] kernel32.dll!CreateFileA 7771291C 5 Bytes JMP 00010FEF
.text C:\WINDOWS\Explorer.EXE[5952] kernel32.dll!GetStartupInfoW 77717CD5 5 Bytes JMP 00010087
.text C:\WINDOWS\Explorer.EXE[5952] kernel32.dll!CreateNamedPipeA 7774D5BF 5 Bytes JMP 00010000
.text C:\WINDOWS\Explorer.EXE[5952] kernel32.dll!WinExec 7774E76D 5 Bytes JMP 00010098
.text C:\WINDOWS\Explorer.EXE[5952] kernel32.dll!VirtualProtectEx 7774F729 5 Bytes JMP 00010051
.text C:\WINDOWS\Explorer.EXE[5952] ADVAPI32.dll!RegOpenKeyA 7745D2ED 5 Bytes JMP 00110FEF
.text C:\WINDOWS\Explorer.EXE[5952] ADVAPI32.dll!RegCreateKeyA 7745D3C1 5 Bytes JMP 00110047
.text C:\WINDOWS\Explorer.EXE[5952] ADVAPI32.dll!RegCreateKeyExA 77461B71 5 Bytes JMP 00110062
.text C:\WINDOWS\Explorer.EXE[5952] ADVAPI32.dll!RegCreateKeyW 77461CC0 5 Bytes JMP 00110FC0
.text C:\WINDOWS\Explorer.EXE[5952] ADVAPI32.dll!RegOpenKeyW 77463129 5 Bytes JMP 0011000A
.text C:\WINDOWS\Explorer.EXE[5952] ADVAPI32.dll!RegCreateKeyExW 7746B946 5 Bytes JMP 00110F9B
.text C:\WINDOWS\Explorer.EXE[5952] ADVAPI32.dll!RegOpenKeyExA 7746BC0D 5 Bytes JMP 00110025
.text C:\WINDOWS\Explorer.EXE[5952] ADVAPI32.dll!RegOpenKeyExW 7746BEC4 5 Bytes JMP 00110036
.text C:\WINDOWS\Explorer.EXE[5952] msvcrt.dll!_open 761D7E48 5 Bytes JMP 00120FEF
.text C:\WINDOWS\Explorer.EXE[5952] msvcrt.dll!_wsystem 7620B04F 5 Bytes JMP 00120070
.text C:\WINDOWS\Explorer.EXE[5952] msvcrt.dll!system 7620B16F 5 Bytes JMP 00120055
.text C:\WINDOWS\Explorer.EXE[5952] msvcrt.dll!_creat 7620ED29 5 Bytes JMP 00120029
.text C:\WINDOWS\Explorer.EXE[5952] msvcrt.dll!_wcreat 7621038E 5 Bytes JMP 0012003A
.text C:\WINDOWS\Explorer.EXE[5952] msvcrt.dll!_wopen 76210570 5 Bytes JMP 00120018
.text C:\WINDOWS\Explorer.EXE[5952] WS2_32.dll!socket 75C03F00 5 Bytes JMP 03C60000
.text C:\WINDOWS\system32\wuauclt.exe[7196] kernel32.dll!GetStartupInfoA 776C1DF0 5 Bytes JMP 00010076
.text C:\WINDOWS\system32\wuauclt.exe[7196] kernel32.dll!CreateProcessW 776C202D 5 Bytes JMP 00010EFC
.text C:\WINDOWS\system32\wuauclt.exe[7196] kernel32.dll!CreateProcessA 776C2062 5 Bytes JMP 00010091
.text C:\WINDOWS\system32\wuauclt.exe[7196] kernel32.dll!CreateNamedPipeW 776F1FD6 5 Bytes JMP 00010FCA
.text C:\WINDOWS\system32\wuauclt.exe[7196] kernel32.dll!CreatePipe 776F4A8B 5 Bytes JMP 00010F57
.text C:\WINDOWS\system32\wuauclt.exe[7196] kernel32.dll!VirtualProtect 777050AB 5 Bytes JMP 00010F72
.text C:\WINDOWS\system32\wuauclt.exe[7196] kernel32.dll!LoadLibraryExW 7770B6BF 5 Bytes JMP 00010040
.text C:\WINDOWS\system32\wuauclt.exe[7196] kernel32.dll!LoadLibraryExA 7770BC8B 5 Bytes JMP 00010F83
.text C:\WINDOWS\system32\wuauclt.exe[7196] kernel32.dll!CreateFileW 77710B7D 5 Bytes JMP 00010011
.text C:\WINDOWS\system32\wuauclt.exe[7196] kernel32.dll!GetProcAddress 77711857 5 Bytes JMP 000100AC
.text C:\WINDOWS\system32\wuauclt.exe[7196] kernel32.dll!LoadLibraryA 77712884 5 Bytes JMP 00010FAF
.text C:\WINDOWS\system32\wuauclt.exe[7196] kernel32.dll!LoadLibraryW 777128D2 5 Bytes JMP 00010F94
.text C:\WINDOWS\system32\wuauclt.exe[7196] kernel32.dll!CreateFileA 7771291C 5 Bytes JMP 00010000
.text C:\WINDOWS\system32\wuauclt.exe[7196] kernel32.dll!GetStartupInfoW 77717CD5 5 Bytes JMP 00010F32
.text C:\WINDOWS\system32\wuauclt.exe[7196] kernel32.dll!CreateNamedPipeA 7774D5BF 5 Bytes JMP 00010FE5
.text C:\WINDOWS\system32\wuauclt.exe[7196] kernel32.dll!WinExec 7774E76D 5 Bytes JMP 00010F0D
.text C:\WINDOWS\system32\wuauclt.exe[7196] kernel32.dll!VirtualProtectEx 7774F729 5 Bytes JMP 00010065
.text C:\WINDOWS\system32\wuauclt.exe[7196] msvcrt.dll!_open 761D7E48 5 Bytes JMP 000E000C
.text C:\WINDOWS\system32\wuauclt.exe[7196] msvcrt.dll!_wsystem 7620B04F 5 Bytes JMP 000E0FAD
.text C:\WINDOWS\system32\wuauclt.exe[7196] msvcrt.dll!system 7620B16F 5 Bytes JMP 000E0FC8
.text C:\WINDOWS\system32\wuauclt.exe[7196] msvcrt.dll!_creat 7620ED29 5 Bytes JMP 000E001D
.text C:\WINDOWS\system32\wuauclt.exe[7196] msvcrt.dll!_wcreat 7621038E 5 Bytes JMP 000E0038
.text C:\WINDOWS\system32\wuauclt.exe[7196] msvcrt.dll!_wopen 76210570 5 Bytes JMP 000E0FE3
.text C:\WINDOWS\system32\wuauclt.exe[7196] ADVAPI32.dll!RegOpenKeyA 7745D2ED 5 Bytes JMP 000F0FE5
.text C:\WINDOWS\system32\wuauclt.exe[7196] ADVAPI32.dll!RegCreateKeyA 7745D3C1 5 Bytes JMP 000F0F8D
.text C:\WINDOWS\system32\wuauclt.exe[7196] ADVAPI32.dll!RegCreateKeyExA 77461B71 5 Bytes JMP 000F0025
.text C:\WINDOWS\system32\wuauclt.exe[7196] ADVAPI32.dll!RegCreateKeyW 77461CC0 5 Bytes JMP 000F000A
.text C:\WINDOWS\system32\wuauclt.exe[7196] ADVAPI32.dll!RegOpenKeyW 77463129 5 Bytes JMP 000F0FD4
.text C:\WINDOWS\system32\wuauclt.exe[7196] ADVAPI32.dll!RegCreateKeyExW 7746B946 5 Bytes JMP 000F0F68
.text C:\WINDOWS\system32\wuauclt.exe[7196] ADVAPI32.dll!RegOpenKeyExA 7746BC0D 5 Bytes JMP 000F0FB9
.text C:\WINDOWS\system32\wuauclt.exe[7196] ADVAPI32.dll!RegOpenKeyExW 7746BEC4 5 Bytes JMP 000F0FA8
.text C:\WINDOWS\system32\svchost.exe[7972] kernel32.dll!GetStartupInfoA 776C1DF0 5 Bytes JMP 00010F40
.text C:\WINDOWS\system32\svchost.exe[7972] kernel32.dll!CreateProcessW 776C202D 5 Bytes JMP 00010098
.text C:\WINDOWS\system32\svchost.exe[7972] kernel32.dll!CreateProcessA 776C2062 5 Bytes JMP 00010F0D
.text C:\WINDOWS\system32\svchost.exe[7972] kernel32.dll!CreateNamedPipeW 776F1FD6 5 Bytes JMP 00010FD1
.text C:\WINDOWS\system32\svchost.exe[7972] kernel32.dll!CreatePipe 776F4A8B 5 Bytes JMP 00010F51
.text C:\WINDOWS\system32\svchost.exe[7972] kernel32.dll!VirtualProtect 777050AB 5 Bytes JMP 0001005F
.text C:\WINDOWS\system32\svchost.exe[7972] kernel32.dll!LoadLibraryExW 7770B6BF 5 Bytes JMP 00010F87
.text C:\WINDOWS\system32\svchost.exe[7972] kernel32.dll!LoadLibraryExA 7770BC8B 5 Bytes JMP 0001004E
.text C:\WINDOWS\system32\svchost.exe[7972] kernel32.dll!CreateFileW 77710B7D 5 Bytes JMP 00010011
.text C:\WINDOWS\system32\svchost.exe[7972] kernel32.dll!GetProcAddress 77711857 5 Bytes JMP 00010EE8
.text C:\WINDOWS\system32\svchost.exe[7972] kernel32.dll!LoadLibraryA 77712884 5 Bytes JMP 0001003D
.text C:\WINDOWS\system32\svchost.exe[7972] kernel32.dll!LoadLibraryW 777128D2 5 Bytes JMP 00010FB6
.text C:\WINDOWS\system32\svchost.exe[7972] kernel32.dll!CreateFileA 7771291C 5 Bytes JMP 00010000
.text C:\WINDOWS\system32\svchost.exe[7972] kernel32.dll!GetStartupInfoW 77717CD5 5 Bytes JMP 00010F2F
.text C:\WINDOWS\system32\svchost.exe[7972] kernel32.dll!CreateNamedPipeA 7774D5BF 5 Bytes JMP 00010022
.text C:\WINDOWS\system32\svchost.exe[7972] kernel32.dll!WinExec 7774E76D 5 Bytes JMP 00010F1E
.text C:\WINDOWS\system32\svchost.exe[7972] kernel32.dll!VirtualProtectEx 7774F729 5 Bytes JMP 00010F6C
.text C:\WINDOWS\system32\svchost.exe[7972] msvcrt.dll!_open 761D7E48 5 Bytes JMP 00210000
.text C:\WINDOWS\system32\svchost.exe[7972] msvcrt.dll!_wsystem 7620B04F 5 Bytes JMP 00210FB5
.text C:\WINDOWS\system32\svchost.exe[7972] msvcrt.dll!system 7620B16F 5 Bytes JMP 00210036
.text C:\WINDOWS\system32\svchost.exe[7972] msvcrt.dll!_creat 7620ED29 5 Bytes JMP 0021001B
.text C:\WINDOWS\system32\svchost.exe[7972] msvcrt.dll!_wcreat 7621038E 5 Bytes JMP 00210FC6
.text C:\WINDOWS\system32\svchost.exe[7972] msvcrt.dll!_wopen 76210570 5 Bytes JMP 00210FE3
.text C:\WINDOWS\system32\svchost.exe[7972] ADVAPI32.dll!RegOpenKeyA 7745D2ED 5 Bytes JMP 003B0FEF
.text C:\WINDOWS\system32\svchost.exe[7972] ADVAPI32.dll!RegCreateKeyA 7745D3C1 5 Bytes JMP 003B002F
.text C:\WINDOWS\system32\svchost.exe[7972] ADVAPI32.dll!RegCreateKeyExA 77461B71 5 Bytes JMP 003B0F8D
.text C:\WINDOWS\system32\svchost.exe[7972] ADVAPI32.dll!RegCreateKeyW 77461CC0 5 Bytes JMP 003B0FA8
.text C:\WINDOWS\system32\svchost.exe[7972] ADVAPI32.dll!RegOpenKeyW 77463129 5 Bytes JMP 003B0FDE
.text C:\WINDOWS\system32\svchost.exe[7972] ADVAPI32.dll!RegCreateKeyExW 7746B946 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[7972] ADVAPI32.dll!RegCreateKeyExW 7746B946 5 Bytes JMP 003B004A
.text C:\WINDOWS\system32\svchost.exe[7972] ADVAPI32.dll!RegOpenKeyExA 7746BC0D 5 Bytes JMP 003B000A
.text C:\WINDOWS\system32\svchost.exe[7972] ADVAPI32.dll!RegOpenKeyExW 7746BEC4 5 Bytes JMP 003B0FB9

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000005c halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----
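As an added example (not code from the thread, from GMER or from either poster), the Python below parses GMER's user-mode hook lines in the format shown in the log above and groups them by hooked process, so a helper can see which modules and exports are patched in each process and how many distinct 64 KiB regions the JMP targets land in. The sample input is a few lines copied from the log plus one non-hook line; the region grouping is this example's own triage heuristic, not something GMER reports.

```python
import re
from collections import defaultdict

# Format assumed from the visible GMER 1.0.15 lines:
#   .text <image>[<pid>] <module>!<function> <addr> <n> Byte(s) JMP <target>
#   .text <image>[<pid>] <module>!<function> <addr> 1 Byte [E9]
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes?\s+(?P<patch>.+)$"
)

# Sample input: lines copied from the log above, plus one non-hook line.
SAMPLE = r"""
.text C:\WINDOWS\system32\wuauclt.exe[7196] kernel32.dll!CreateProcessA 776C2062 5 Bytes JMP 00010091
.text C:\WINDOWS\system32\wuauclt.exe[7196] msvcrt.dll!_open 761D7E48 5 Bytes JMP 000E000C
.text C:\WINDOWS\system32\svchost.exe[7972] kernel32.dll!CreateFileW 77710B7D 5 Bytes JMP 00010011
.text C:\WINDOWS\system32\svchost.exe[7972] msvcrt.dll!_open 761D7E48 5 Bytes JMP 00210000
.text C:\WINDOWS\system32\svchost.exe[7972] ADVAPI32.dll!RegCreateKeyExW 7746B946 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[7972] ADVAPI32.dll!RegCreateKeyExW 7746B946 5 Bytes JMP 003B004A
---- Devices - GMER 1.0.15 ----
"""

def parse_hooks(log_text):
    """Return one dict per hook line; lines in other GMER sections are ignored."""
    hooks = []
    for line in log_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        jmp = re.fullmatch(r"JMP\s+([0-9A-Fa-f]+)", m.group("patch").strip())
        hooks.append({
            "image": m.group("image"), "pid": int(m.group("pid")),
            "module": m.group("module").lower(), "func": m.group("func"),
            "addr": int(m.group("addr"), 16), "size": int(m.group("size")),
            # JMP target as an int, or None for raw-byte entries such as "[E9]"
            "target": int(jmp.group(1), 16) if jmp else None,
        })
    return hooks

def summarize(hooks):
    """Group by (image, pid): hooked exports per module and the 64 KiB regions
    the JMPs land in. GMER can list one patched address twice (a 1-byte [E9]
    entry and the decoded 5-byte JMP); using sets collapses that duplicate."""
    out = {}
    for h in hooks:
        s = out.setdefault((h["image"], h["pid"]),
                           {"funcs": defaultdict(set), "regions": set()})
        s["funcs"][h["module"]].add(h["func"])
        if h["target"] is not None:
            s["regions"].add(h["target"] & ~0xFFFF)
    return out

def hook_counts(summary):
    """Distinct hooked exports per process, for a quick per-process overview."""
    return {k: sum(len(v) for v in s["funcs"].values()) for k, s in summary.items()}
```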

#7 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • Gender:Male
  • Location:Dubai
  • Local time:11:29 AM

Posted 30 November 2010 - 07:45 AM

Hello, Klamis.
Looks like you posted the log.txt instead of the info.txt. If you decide to proceed with the fix below, then please post the info.txt :)

Backdoor warning!

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed.
In most cases, a reformat and clean install of the Operating System is the best solution for your (and probably others') safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully:
When should I re-format? How should I reinstall?
Help: I Got Hacked. Now What Do I Do?
Help: I Got Hacked. Now What Do I Do? Part II
Where to draw the line? When to recommend a format and reinstall?


Again, if you would like me to attempt to clean it, I will be happy to do so. But if you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful. Should you have any questions, please feel free to ask.

Please let me know what you decide to do. If you decide to continue with the fix, please proceed with the steps below.

 

We need to download and run ComboFix (by sUBs)
  • Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
    They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". For more details, please check this thread
  • Please go here and download combofix from one of the locations listed
    ** IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
**A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
**This tool is not a toy and not for everyday use.
**ComboFix SHOULD NOT be used unless requested by a forum helper,


In your next reply, please include the following:
  • ComboFix.txt

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#8 Klamis

Klamis
  • Topic Starter

  • Members
  • 5 posts
  • Local time:01:29 AM

Posted 30 November 2010 - 12:25 PM

I !<3 malware,

Thank you very much for the help!

This is my primary computer where I do everything. Oh well, time to reformat.

Again, thanks for your help. Not good news, but it is better to know.

Kevin

#9 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • Gender:Male
  • Location:Dubai
  • Local time:11:29 AM

Posted 30 November 2010 - 12:27 PM

You're very welcome. Better safe than sorry :)

Since this problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please send me a PM with the address of this thread. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM
