Disk Optimizer - Cannot Remove


This topic is locked
36 replies to this topic

#1 JP2010 (Members, 65 posts)

Posted 25 January 2011 - 08:39 PM

Huge props to Elise on this forum!

She helped me get my PC back up and running after Windows XP ran into a few serious issues. Unable to load Windows (blinking cursor on startup), I was crippled until Elise saved me... she is a great and valuable team member of BleepingComputer.com!

Now onto the malware. I have Disk Optimizer on my PC. This is basically what caused my initial crash...

Once back up on Windows, I followed the guidelines in the spyware removal section for this program (Disk Optimizer). First I loaded RKill (which killed the malware running), and then ran a full scan with updated MBAM. On the first complete scan MBAM found and removed a few files. MBAM also requested a restart, and I followed. As soon as Windows began to load, Disk Optimizer was back. I ran the same procedure a few times but it does not want to be eradicated. I have McAfee running, and I think I should disable it. I'm not sure what to do next, even though I have been on this forum before requesting similar help (and know some of the methods used to clean my PC). However, I know the rules. Listen to the experts! So I'm listening. I am ready to proceed.

I am posting the Rkill log here:

Rkill was run on 01/25/2011 at 18:16:54.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\All Users\Application Data\RNQYXiJlQCTsVhJ.exe
C:\DOCUME~1\JP.XPS\LOCALS~1\Temp\clclean.0001
C:\Documents and Settings\All Users\Application Data\QgmCKVyti2pT.exe


Rkill completed on 01/25/2011 at 18:17:07

Thanks - JP

Edited by JP2010, 25 January 2011 - 09:29 PM.
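The Rkill output in this post shows the pattern that makes this kind of rogue "optimizer" easy to spot in a log: two executables with machine-generated names (RNQYXiJlQCTsVhJ.exe, QgmCKVyti2pT.exe) running from All Users\Application Data, a location no legitimate auto-start program needs. The script below is an added example written for this thread; it is not part of the original post and not a BleepingComputer or OldTimer tool. It reads Rkill "Processes terminated" lines and OTL PRC and O4 lines and queues for review any executable that sits in a user-writable directory, has a random-looking name (long, almost no vowels, frequent case changes), or, for OTL entries, carries no company name. The directory list, the name heuristic and its thresholds are assumptions chosen for the demonstration; the sample input is the Rkill block above plus three constructed OTL lines.

```python
"""First-pass triage of Rkill and OTL process listings.

Added example for this thread, not a BleepingComputer or OldTimer tool.
Heuristics and thresholds are assumptions chosen for the demonstration.
"""
import ntpath
import re
from collections import namedtuple

Finding = namedtuple("Finding", "path reasons")

# Directories (lowercased, 8.3 short forms included) where legitimate
# auto-starting programs rarely live on Windows XP but droppers usually do.
# Constructed list; extend it for other profiles.
USER_WRITABLE = (
    "\\all users\\application data\\",
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\locals~1\\temp\\",
    "\\windows\\temp\\",
)

# Rkill prints one full path per line under "Processes terminated by Rkill".
RKILL_RE = re.compile(r"^[A-Za-z]:\\.+$")
# OTL: "PRC - [date | size | attrs | M] (Company) -- C:\path\file.exe"
OTL_PRC_RE = re.compile(
    r"^PRC - \[.*?\] \((?P<company>[^)]*)\) -- (?P<path>[A-Za-z]:\\.+?)\s*$")
# OTL: "O4 - HKLM..\Run: [Name] C:\path\file.exe (Company)"
OTL_O4_RE = re.compile(
    r"^O4 - .*?\] (?P<path>[A-Za-z]:\\.+?) \((?P<company>[^)]*)\)\s*$")


def looks_random(stem):
    """True for long names with almost no vowels and frequent case changes,
    the shape of machine-generated dropper names such as RNQYXiJlQCTsVhJ."""
    letters = [c for c in stem if c.isalpha()]
    if len(stem) < 10 or not letters:
        return False
    vowel_ratio = sum(c.lower() in "aeiou" for c in letters) / len(letters)
    switches = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    return vowel_ratio < 0.2 and switches >= 3


def parse_line(line):
    """Return (path, company) or None. company is None when the format
    (Rkill) has no company field, and '' when OTL found none."""
    line = line.rstrip()
    m = OTL_PRC_RE.match(line) or OTL_O4_RE.match(line)
    if m:
        return m.group("path"), m.group("company").strip()
    if RKILL_RE.match(line):
        return line, None
    return None


def triage(lines):
    """Return a Finding for every process line that trips at least one heuristic."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        path, company = parsed
        reasons = []
        if any(d in path.lower() for d in USER_WRITABLE):
            reasons.append("user-writable location")
        if looks_random(ntpath.splitext(ntpath.basename(path))[0]):
            reasons.append("random-looking name")
        if company == "":
            reasons.append("no company name")
        if reasons:
            findings.append(Finding(path, tuple(reasons)))
    return findings


# Sample input: the Rkill lines from this thread plus constructed OTL lines.
SAMPLE = [
    r"C:\WINDOWS\system32\wscntfy.exe",
    r"C:\Documents and Settings\All Users\Application Data\RNQYXiJlQCTsVhJ.exe",
    r"C:\DOCUME~1\JP.XPS\LOCALS~1\Temp\clclean.0001",
    r"C:\Documents and Settings\All Users\Application Data\QgmCKVyti2pT.exe",
    r"PRC - [2010/10/16 00:40:40 | 000,037,664 | ---- | M] (Apple Inc.) -- "
    r"C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe",
    r"O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)",
    r"O4 - HKLM..\Run: [MBMon] C:\WINDOWS\System32\CTMBHA.DLL ()",
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.path}\n    -> {', '.join(f.reasons)}")
```

The output is a review queue, not a verdict: clclean.0001 is queued only because it runs from Temp, and the OTL log later in this thread attributes it to Macrovision, which is exactly the kind of thing the reviewer resolves by hand. The two random-named executables trip both the location and the name check, which is why the helper's next step is to look for what re-creates them at boot (a Run key, a service or a scheduled task) rather than just killing the processes again.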



#2 fireman4it (Bleepin' Fireman, Malware Response Team, 13,505 posts, Greenup, Ill USA)

Posted 25 January 2011 - 10:56 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



#3 JP2010 (Topic Starter, Members, 65 posts)

Posted 25 January 2011 - 11:15 PM

Hey Fireman, thanks for your help. I have downloaded both, but have been unable to get the DDS scan to complete. The only way I am able to run my infected PC is by initially running Rkill (iexplore download link) listed on BC. How do I disable any script protection? I have used DDS before but now it won't run. I am only running McAfee, as far as I know. The scan did freeze every time I attempted to run it.

Edited by JP2010, 25 January 2011 - 11:38 PM.


#4 fireman4it (Bleepin' Fireman, Malware Response Team, 13,505 posts, Greenup, Ill USA)

Posted 26 January 2011 - 12:21 PM

Hello,

We will try another scanner. The malware may be affecting DDS from running.

  1. Please download OTL from one of the following mirrors:
     This is THE Mirror
  2. Save it to your desktop.
  3. Double click on the OTL icon on your desktop.
  4. Under the Custom Scan box paste this in:

     netsvcs
     %SYSTEMDRIVE%\*.exe
     /md5start
     eventlog.dll
     scecli.dll
     netlogon.dll
     cngaudit.dll
     sceclt.dll
     ntelogon.dll
     logevent.dll
     iaStor.sys
     nvstor.sys
     atapi.sys
     IdeChnDr.sys
     viasraid.sys
     AGP440.sys
     vaxscsi.sys
     nvatabus.sys
     viamraid.sys
     nvata.sys
     nvgts.sys
     iastorv.sys
     ViPrt.sys
     eNetHook.dll
     ahcix86.sys
     KR10N.sys
     /md5stop
     %systemroot%\*. /mp /s
     CREATERESTOREPOINT

  5. Push the Quick Scan button.
  6. Two reports will open, copy and paste them in a reply here:
     • OTL.txt <-- Will be opened
     • Extra.txt <-- Will be minimized


I will need these results plus GMER results from my previous post. If you can't get GMER to run in normal mode, try Safe Mode.

Now reboot into Safe Mode.
This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.
Please see here for additional details.

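The /md5start ... /md5stop block in the OTL scan above hashes a fixed set of system DLLs and storage drivers (atapi.sys, iaStor.sys, nvstor.sys and the rest) because boot-level rootkits commonly patch one of them to load before the antivirus does. OTL lists every copy of each name it finds with its MD5, so the helper can compare the live copy in system32\drivers against the backups Windows keeps in dllcache or ServicePackFiles: a live driver that hashes differently from its own backups is the signal. The script below is an added example written for this thread, not OTL's code; it walks a directory tree, hashes every copy of each listed name and reports the names whose copies disagree. The directory layout and file contents it builds are constructed placeholders, not real driver bytes.

```python
"""Cross-copy hash check for the files OTL lists between /md5start and /md5stop.

Added example for this thread, not OTL's own code. The directory layout and
file contents built by build_demo_tree() are constructed placeholders.
"""
import hashlib
import os
import shutil
import tempfile

# The file names from the OTL custom scan in the post above.
OTL_MD5_LIST = [
    "eventlog.dll", "scecli.dll", "netlogon.dll", "cngaudit.dll", "sceclt.dll",
    "ntelogon.dll", "logevent.dll", "iaStor.sys", "nvstor.sys", "atapi.sys",
    "IdeChnDr.sys", "viasraid.sys", "AGP440.sys", "vaxscsi.sys", "nvatabus.sys",
    "viamraid.sys", "nvata.sys", "nvgts.sys", "iastorv.sys", "ViPrt.sys",
    "eNetHook.dll", "ahcix86.sys", "KR10N.sys",
]


def file_digest(path, algo="md5"):
    """Hash a file in chunks; OTL reports MD5, so that is the default here."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root, names, algo="md5"):
    """Map each listed name (case-insensitive) to {digest: [paths]} for every
    copy found under root: the live copy in system32/drivers as well as the
    backups Windows keeps in dllcache, ServicePackFiles or an i386 folder."""
    wanted = {n.lower(): n for n in names}
    copies = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            name = wanted.get(fname.lower())
            if name is None:
                continue
            full = os.path.join(dirpath, fname)
            copies.setdefault(name, {}).setdefault(file_digest(full, algo), []).append(full)
    return copies


def disagreeing(copies):
    """Names whose copies do not all hash the same: either the live driver or
    one of its backups has been modified, and a human needs to look."""
    return {name: by_hash for name, by_hash in copies.items() if len(by_hash) > 1}


def build_demo_tree():
    """Constructed XP-like tree: the live atapi.sys differs from its two
    backups, the scecli.dll copies agree, nvstor.sys exists only once."""
    root = tempfile.mkdtemp(prefix="otl_md5_demo_")
    pristine = b"MZ placeholder: original atapi.sys bytes"
    patched = pristine + b"\x90\x90 placeholder: appended code stub"
    layout = {
        "WINDOWS/system32/drivers/atapi.sys": patched,
        "WINDOWS/system32/dllcache/atapi.sys": pristine,
        "WINDOWS/ServicePackFiles/i386/atapi.sys": pristine,
        "WINDOWS/system32/scecli.dll": b"placeholder: scecli.dll",
        "WINDOWS/system32/dllcache/scecli.dll": b"placeholder: scecli.dll",
        "WINDOWS/system32/drivers/nvstor.sys": b"placeholder: nvstor.sys",
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


def run_demo():
    """Build the tree, run the check, clean up; returns the disagreeing names."""
    root = build_demo_tree()
    try:
        return disagreeing(find_copies(root, OTL_MD5_LIST))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, by_hash in run_demo().items():
        print(name)
        for digest, paths in by_hash.items():
            print(f"  {digest}  ({len(paths)} copies)")
            for p in paths:
                print(f"      {p}")
```

Three caveats a helper applies when reading the result. A disagreement is not proof by itself: a hotfix that updated only the live copy produces the same picture, so the file dates, version resources and the company name OTL prints next to each copy are checked before calling it an infection. A name with a single copy (nvstor.sys above) cannot be checked this way at all and needs a vendor hash. And a rootkit that filters disk reads can hand the clean bytes back to a user-mode hash of the live file, which is one reason the helper asks for a GMER log alongside the OTL output rather than trusting either tool on its own.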

#5 JP2010 (Topic Starter, Members, 65 posts)

Posted 26 January 2011 - 02:04 PM

Per your request. OTL worked, and so did GMER.

OTL logfile created on: 1/26/2011 10:41:04 AM - Run 1
OTL by OldTimer - Version 3.2.20.6 Folder = C:\Documents and Settings\JP.XPS\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 75.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 54.44 Gb Total Space | 9.21 Gb Free Space | 16.92% Space Free | Partition Type: NTFS

Computer Name: XPS | User Name: JP | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/01/26 10:39:37 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\JP.XPS\Desktop\OTL.exe
PRC - [2011/01/25 23:17:56 | 000,059,964 | ---- | M] (Macrovision Europe Ltd.) -- C:\Documents and Settings\JP.XPS\Local Settings\temp\clclean.0001
PRC - [2010/10/16 00:40:40 | 000,037,664 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/10/13 22:28:54 | 000,188,136 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
PRC - [2010/10/13 22:28:54 | 000,171,168 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
PRC - [2010/10/13 22:28:54 | 000,141,792 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\mfevtps.exe
PRC - [2010/09/30 13:10:36 | 001,193,848 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2010/09/30 13:10:36 | 001,155,256 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\MSC\mcupdmgr.exe
PRC - [2010/09/30 13:10:36 | 000,822,048 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcupdate.exe
PRC - [2010/09/08 09:45:10 | 001,034,752 | ---- | M] () -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe
PRC - [2010/09/08 09:44:50 | 000,484,352 | ---- | M] () -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe
PRC - [2010/09/08 09:42:28 | 005,185,536 | ---- | M] (Western Digital Technologies, Inc.) -- C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
PRC - [2010/09/08 09:41:36 | 000,237,056 | ---- | M] (WDC) -- C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
PRC - [2010/04/13 20:11:14 | 000,229,688 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Online Backup\MOBKbackup.exe
PRC - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
PRC - [2009/06/26 16:21:00 | 000,757,248 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\vVX1000.exe
PRC - [2008/04/13 16:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/11/26 13:47:40 | 000,598,856 | ---- | M] (Webroot Software, Inc.) -- C:\Program Files\Webroot\Washer\WasherSvc.exe
PRC - [2006/10/23 04:50:35 | 000,046,640 | R--- | M] (AOL LLC) -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
PRC - [2006/07/01 08:03:04 | 000,069,632 | ---- | M] (Creative Labs) -- C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
PRC - [2006/04/06 11:57:54 | 000,380,928 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
PRC - [2006/03/24 20:33:58 | 000,081,920 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\system32\stacsv.exe
PRC - [2005/12/28 09:04:56 | 000,262,217 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
PRC - [2005/12/28 08:56:16 | 000,602,182 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
PRC - [2005/12/28 08:55:40 | 000,667,718 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
PRC - [2005/12/28 08:52:32 | 000,397,381 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
PRC - [2005/12/28 08:47:10 | 000,540,745 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
PRC - [2005/12/28 08:45:02 | 000,114,753 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PRC - [2005/12/28 08:44:24 | 000,217,164 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
PRC - [2003/08/27 07:29:46 | 000,065,536 | ---- | M] (America Online, Inc.) -- C:\WINDOWS\wanmpsvc.exe


========== Modules (SafeList) ==========

MOD - [2011/01/26 10:39:37 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\JP.XPS\Desktop\OTL.exe
MOD - [2010/08/23 08:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2010/10/16 00:40:40 | 000,037,664 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/10/13 22:28:54 | 000,188,136 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe -- (mfefire)
SRV - [2010/10/13 22:28:54 | 000,171,168 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2010/10/13 22:28:54 | 000,141,792 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\WINDOWS\system32\mfevtps.exe -- (mfevtp)
SRV - [2010/10/07 20:34:28 | 000,364,216 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2010/09/08 09:45:10 | 001,034,752 | ---- | M] () [Auto | Running] -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe -- (WDFME)
SRV - [2010/09/08 09:44:50 | 000,484,352 | ---- | M] () [Auto | Running] -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe -- (WDSC)
SRV - [2010/09/08 09:41:36 | 000,237,056 | ---- | M] (WDC) [Auto | Running] -- C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe -- (WDDMService)
SRV - [2010/04/13 20:11:14 | 000,229,688 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee Online Backup\MOBKbackup.exe -- (MOBKbackup)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (MSK80Service)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McAfee SiteAdvisor Service)
SRV - [2007/11/26 13:47:40 | 000,598,856 | ---- | M] (Webroot Software, Inc.) [Auto | Running] -- C:\Program Files\Webroot\Washer\WasherSvc.exe -- (wwEngineSvc)
SRV - [2006/10/23 04:50:35 | 000,046,640 | R--- | M] (AOL LLC) [Auto | Running] -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe -- (AOL ACS)
SRV - [2006/07/01 08:03:04 | 000,069,632 | ---- | M] (Creative Labs) [Auto | Running] -- C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe -- (Creative Labs Licensing Service)
SRV - [2006/04/06 11:57:54 | 000,380,928 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe -- (NICCONFIGSVC)
SRV - [2006/03/24 20:33:58 | 000,081,920 | ---- | M] (SigmaTel, Inc.) [Auto | Running] -- C:\WINDOWS\system32\stacsv.exe -- (STacSV)
SRV - [2005/12/28 09:04:56 | 000,262,217 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe -- (WLANKEEPER) Intel®
SRV - [2005/12/28 08:47:10 | 000,540,745 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor) Intel®
SRV - [2005/12/28 08:45:02 | 000,114,753 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng) Intel®
SRV - [2005/12/28 08:44:24 | 000,217,164 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc) Intel®
SRV - [2003/08/27 07:29:46 | 000,065,536 | ---- | M] (America Online, Inc.) [Auto | Running] -- C:\WINDOWS\wanmpsvc.exe -- (WANMiniportService) WAN Miniport (ATW)


========== Driver Services (SafeList) ==========

DRV - [2010/10/13 22:28:54 | 000,386,840 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2010/10/13 22:28:54 | 000,313,288 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2010/10/13 22:28:54 | 000,152,960 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2010/10/13 22:28:54 | 000,095,600 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2010/10/13 22:28:54 | 000,088,544 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendiskmp)
DRV - [2010/10/13 22:28:54 | 000,088,544 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendisk)
DRV - [2010/10/13 22:28:54 | 000,084,264 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2010/10/13 22:28:54 | 000,084,072 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdi2k.sys -- (mfetdi2k)
DRV - [2010/10/13 22:28:54 | 000,055,840 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\cfwids.sys -- (cfwids)
DRV - [2010/10/13 22:28:54 | 000,052,104 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2010/07/15 14:18:22 | 000,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2010/04/13 20:10:22 | 000,054,776 | ---- | M] (Mozy, Inc.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\MOBK.sys -- (MOBKFilter)
DRV - [2009/11/23 08:43:30 | 000,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/11/23 08:43:30 | 000,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/11/23 08:43:28 | 000,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/06/26 16:21:02 | 001,956,096 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\VX1000.sys -- (VX1000)
DRV - [2009/02/13 11:02:52 | 000,011,520 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wdcsam.sys -- (WDC_SAM)
DRV - [2008/04/13 10:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 10:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 10:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/13 08:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2006/07/01 08:11:05 | 000,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2006/03/24 20:34:30 | 001,156,648 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2006/03/08 15:35:10 | 000,191,872 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2006/01/04 04:41:48 | 001,389,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\monfilt.sys -- (monfilt)
DRV - [2005/12/28 10:22:08 | 000,013,568 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2005/12/04 13:55:30 | 001,428,096 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w39n51.sys -- (w39n51) Intel®
DRV - [2005/12/01 04:40:56 | 000,936,960 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSX_DPV.sys -- (HSF_DPV)
DRV - [2005/12/01 04:40:12 | 000,192,512 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSXHWAZL.sys -- (HSXHWAZL)
DRV - [2005/12/01 04:40:08 | 000,669,696 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSX_CNXT.sys -- (winachsf)
DRV - [2005/09/12 00:30:00 | 000,089,264 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
DRV - [2005/09/08 02:20:00 | 000,094,332 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2005/09/08 02:20:00 | 000,087,036 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2005/09/08 02:20:00 | 000,086,524 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2005/09/08 02:20:00 | 000,025,628 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2005/09/08 02:20:00 | 000,014,684 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2005/09/08 02:20:00 | 000,006,364 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2005/09/08 02:20:00 | 000,002,496 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN)
DRV - [2005/08/25 09:16:52 | 000,005,628 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2005/08/25 09:16:16 | 000,022,684 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N)
DRV - [2005/08/12 14:50:46 | 000,016,128 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV)
DRV - [2005/08/12 02:20:00 | 000,040,544 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2005/08/05 13:32:16 | 000,045,312 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2005/07/14 20:58:14 | 000,028,544 | ---- | M] (REDC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2005/07/14 19:28:38 | 000,307,968 | ---- | M] (REDC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2005/07/12 21:00:30 | 000,051,328 | ---- | M] (REDC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2005/05/25 06:34:00 | 000,158,464 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctusfsyn.sys -- (CTUSFSYN)
DRV - [2005/01/10 07:15:00 | 000,138,752 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2005/01/10 07:15:00 | 000,106,496 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2004/10/19 06:07:22 | 000,009,728 | ---- | M] (Creative Technology Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\PfModNT.sys -- (PfModNT)
DRV - [2004/08/03 19:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2003/07/16 06:27:40 | 000,043,264 | R--- | M] (Prolific Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ser2pl.sys -- (Ser2pl)
DRV - [2003/01/10 13:13:04 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2002/08/15 14:27:04 | 000,011,721 | ---- | M] (SMaL Camera Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\smallogi.sys -- (SMALUSB)
DRV - [2001/08/17 11:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 11:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 11:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 11:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 11:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 10:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 10:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 10:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 10:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 10:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 10:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 10:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 10:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 10:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 10:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 7E AD C8 76 A4 83 CA 01 [binary data]
IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2011/01/10 18:01:18 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{BF004F0B-70CD-4015-8FC9-024A5A26C21F}: C:\Documents and Settings\JP.XPS\Local Settings\Application Data\{BF004F0B-70CD-4015-8FC9-024A5A26C21F} [2011/01/14 18:18:48 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2009/12/28 10:42:55 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20101130175831.dll (McAfee, Inc.)
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)
O4 - HKLM..\Run: [MBMon] C:\WINDOWS\System32\CTMBHA.DLL ()
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [VX1000] C:\WINDOWS\vVX1000.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe (Webroot Software, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WDDMStatus.lnk = C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe (Western Digital Technologies, Inc.)
O4 - Startup: C:\Documents and Settings\JP.XPS\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 10:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{39145424-fa7a-11de-b89a-00038a000015}\Shell - "" = AutoRun
O33 - MountPoints2\{39145424-fa7a-11de-b89a-00038a000015}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{39145424-fa7a-11de-b89a-00038a000015}\Shell\AutoRun\command - "" = "E:\WD SmartWare.exe" autoplay=true
O33 - MountPoints2\{c5a82ead-017e-11de-b806-00038a000015}\Shell - "" = AutoRun
O33 - MountPoints2\{c5a82ead-017e-11de-b806-00038a000015}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{c5a82ead-017e-11de-b806-00038a000015}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 30 Days ==========

[2011/01/26 10:39:35 | 000,602,624 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\JP.XPS\Desktop\OTL.exe
[2011/01/26 00:27:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\JP.XPS\Desktop\gmer
[2011/01/25 23:17:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
[2011/01/14 18:18:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\JP.XPS\Local Settings\Application Data\{BF004F0B-70CD-4015-8FC9-024A5A26C21F}
[2011/01/14 18:16:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\lEcBj06510
[2011/01/14 11:41:53 | 000,000,000 | -HSD | C] -- C:\found.000
[2011/01/10 22:47:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\JP.XPS\My Documents\Cruise

========== Files - Modified Within 30 Days ==========

[2011/01/26 10:39:37 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\JP.XPS\Desktop\OTL.exe
[2011/01/26 03:55:45 | 000,103,141 | ---- | M] () -- C:\Documents and Settings\JP.XPS\Desktop\ark.text
[2011/01/25 23:17:48 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/01/25 23:17:47 | 2674,147,328 | -HS- | M] () -- C:\hiberfil.sys
[2011/01/25 23:16:32 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2011/01/25 20:34:49 | 000,051,815 | ---- | M] () -- C:\VETlog.dmp
[2011/01/25 19:32:10 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Rcasalogujag.dat
[2011/01/25 13:31:06 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/01/25 12:12:25 | 000,719,873 | ---- | M] () -- C:\Documents and Settings\JP.XPS\Desktop\iExplore.exe
[2011/01/25 12:08:33 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Tguxozotuqolezib.bin
[2011/01/25 11:59:47 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/01/14 00:55:08 | 000,002,539 | ---- | M] () -- C:\Documents and Settings\JP.XPS\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Outlook.lnk
[2011/01/06 02:05:01 | 000,226,304 | ---- | M] () -- C:\Documents and Settings\JP.XPS\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== Files Created - No Company Name ==========

[2011/01/26 03:55:45 | 000,103,141 | ---- | C] () -- C:\Documents and Settings\JP.XPS\Desktop\ark.text
[2011/01/25 12:12:21 | 000,719,873 | ---- | C] () -- C:\Documents and Settings\JP.XPS\Desktop\iExplore.exe
[2011/01/14 18:18:50 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Rcasalogujag.dat
[2011/01/14 18:18:50 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Tguxozotuqolezib.bin
[2010/01/28 01:32:58 | 000,294,912 | ---- | C] () -- C:\WINDOWS\System32\liplW7.dll
[2010/01/28 01:32:58 | 000,290,816 | ---- | C] () -- C:\WINDOWS\System32\liplA6.dll
[2010/01/28 01:32:58 | 000,278,528 | ---- | C] () -- C:\WINDOWS\System32\liplP6.dll
[2010/01/28 01:32:58 | 000,278,528 | ---- | C] () -- C:\WINDOWS\System32\liplM6.dll
[2010/01/28 01:32:58 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\lipl.dll
[2010/01/28 01:32:58 | 000,004,298 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2010/01/28 01:32:51 | 000,000,264 | ---- | C] () -- C:\WINDOWS\_delis32.ini
[2009/06/26 16:21:02 | 000,015,498 | ---- | C] () -- C:\WINDOWS\VX1000.ini
[2009/03/15 18:13:08 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2009/03/15 18:03:47 | 000,000,773 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2008/12/07 20:45:39 | 000,000,063 | ---- | C] () -- C:\WINDOWS\RClient.INI
[2007/10/26 02:50:54 | 000,001,773 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/10/07 21:40:04 | 000,394,240 | ---- | C] () -- C:\WINDOWS\System32\Smab.dll
[2007/10/07 21:40:02 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
[2007/09/20 21:40:00 | 000,524,288 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2007/09/20 21:40:00 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2006/07/26 22:11:54 | 000,226,304 | ---- | C] () -- C:\Documents and Settings\JP.XPS\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/07/14 16:51:47 | 000,006,656 | ---- | C] () -- C:\Documents and Settings\JP.XPS\Application Data\dvd.bmk
[2006/07/14 14:53:32 | 000,000,129 | ---- | C] () -- C:\Documents and Settings\JP.XPS\Local Settings\Application Data\fusioncache.dat
[2006/07/13 16:09:13 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/07/01 08:23:10 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/07/01 08:18:17 | 000,000,126 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/07/01 08:04:18 | 000,010,820 | ---- | C] () -- C:\WINDOWS\System32\CTSBMB.INI
[2006/07/01 08:03:06 | 000,000,032 | ---- | C] () -- C:\WINDOWS\System32\mes2046.dll
[2006/07/01 08:02:46 | 000,022,629 | ---- | C] () -- C:\WINDOWS\System32\CiFilter.ini
[2006/07/01 08:02:07 | 000,000,004 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare
[2006/07/01 07:37:18 | 001,355,938 | ---- | C] () -- C:\WINDOWS\System32\CTMBHA.DLL
[2006/07/01 07:37:00 | 000,016,480 | ---- | C] () -- C:\WINDOWS\System32\rixdicon.dll
[2006/07/01 07:36:24 | 000,000,386 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2006/04/18 11:09:24 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/10 10:12:05 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/10 10:01:18 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/10 09:57:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/07/07 02:00:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== LOP Check ==========

[2011/01/25 12:01:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\lEcBj06510
[2006/08/10 15:04:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MANSION
[2009/02/23 01:20:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2007/02/15 20:16:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2010/01/07 00:23:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WD_SmartWareCommon
[2010/01/07 00:12:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Western Digital
[2010/05/31 19:33:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/11/15 22:28:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2008/01/22 00:29:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JP.XPS\Application Data\AVSMedia
[2009/09/14 17:42:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JP.XPS\Application Data\Image Zone Express
[2006/08/17 21:53:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JP.XPS\Application Data\Leadertech
[2009/08/28 23:38:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JP.XPS\Application Data\PeaZip
[2007/02/15 22:35:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JP.XPS\Application Data\Viewpoint
[2010/01/07 00:12:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JP.XPS\Application Data\Western Digital

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2006/07/12 22:46:25 | 000,010,920 | ---- | M] () -- C:\aolconnfix.exe


< MD5 for: AGP440.SYS >
[2004/08/04 02:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:AGP440.sys
[2004/08/04 02:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/09/03 21:22:47 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/09/03 21:22:47 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 10:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 10:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 10:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/03 20:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 02:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:atapi.sys
[2004/08/04 02:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/09/03 21:22:47 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/09/03 21:22:47 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 10:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 10:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 10:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 19:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/03 19:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 16:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/13 16:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 16:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 02:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 16:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/13 16:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 16:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 02:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 02:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 16:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/13 16:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 16:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< End of report >


OTL Extras logfile created on: 1/26/2011 10:41:04 AM - Run 1
OTL by OldTimer - Version 3.2.20.6 Folder = C:\Documents and Settings\JP.XPS\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 75.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 54.44 Gb Total Space | 9.21 Gb Free Space | 16.92% Space Free | Partition Type: NTFS

Computer Name: XPS | User Name: JP | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UpdatesDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0 -- (America Online, Inc.)
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL Connectivity Service Dialer -- (AOL LLC)
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL Connectivity Service -- (AOL LLC)
"C:\Program Files\McAfee\MSC\mcuimgr.exe" = C:\Program Files\McAfee\MSC\mcuimgr.exe:*:Disabled:McAfee User Interface Manager
"C:\Program Files\Common Files\AOL\1170448801\ee\aolsoftware.exe" = C:\Program Files\Common Files\AOL\1170448801\ee\aolsoftware.exe:*:Enabled:AOL Shared Components -- (AOL LLC)
"C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Disabled:RealPlayer -- (RealNetworks, Inc.)
"C:\Program Files\AOL 9.1\waol.exe" = C:\Program Files\AOL 9.1\waol.exe:*:Enabled:AOL -- (AOL, LLC.)
"C:\Program Files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe" = C:\Program Files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe:*:Enabled:AOL TopSpeed -- (AOL LLC)
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- (AOL LLC)
"C:\Program Files\Common Files\AOL\System Information\sinf.exe" = C:\Program Files\Common Files\AOL\System Information\sinf.exe:*:Enabled:AOL System Information -- (AOL LLC)
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe -- ( )
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent
"C:\Documents and Settings\JP.XPS\Local Settings\temp\RarSFX0\PPB.exe" = C:\Documents and Settings\JP.XPS\Local Settings\temp\RarSFX0\PPB.exe:*:Enabled:PS3 Patch Blocker v1.0
"C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" = C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe:*:Enabled:McAfee Shared Service Host -- (McAfee, Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0456ebd7-5f67-4ab6-852e-63781e3f389c}" = Macromedia Flash Player
"{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}" = mSSO
"{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio RecordNow Data
"{0A55CDBB-0566-4AA2-A15B-24C7F27C6FF4}" = BPD_Scan
"{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}" = mLogView
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{0F756CD9-4A1E-409B-B101-601DDC4C03AA}" = Qualxserve Service Agreement
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Roxio DLA
"{138BD312-3557-40F8-BC5E-6DFF00A6880D}" = BPDSoftware_Ini
"{14374619-0900-4056-BA06-C87C900AF9E6}" = QuickBooks Simple Start Special Edition
"{17E81C48-407E-499f-A105-1B49ACDB9BA4}" = ProductContext
"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Roxio MyDVD LE
"{2376813B-2E5A-4641-B7B3-A0D5ADB55229}" = HPPhotoSmartExpress
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 20
"{26E1BFB0-E87E-4696-9F89-B467F01F81E5}" = Broadcom Management Programs
"{27C467F8-F8EF-4f68-BD72-D63632B2096C}" = McAfee Online Backup
"{2A981294-F14C-4F0F-9627-D793270922F8}" = Bonjour
"{2E0C1913-886B-4C5C-8DAF-D1E649CE5FCC}" = Creative MediaSource
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{308B6AEA-DE50-4666-996D-0FA461719D6B}" = Apple Mobile Device Support
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{352310C3-E46B-42D3-8F32-54721FDD72D9}" = NetZeroInstallers
"{363790D2-DA98-41DD-9C9F-69FA36B169DE}" = PanoStandAlone
"{366FFC89-C800-4366-B903-B9C4314109A5}" = Garmin WebUpdater
"{3E9D596A-61D4-4239-BD19-2DB984D2A16F}" = mIWA
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}" = Dell CinePlayer
"{45B8A76B-57EC-4242-B019-066400CD8428}" = BufferChm
"{46C73DE4-E96D-4F7C-8371-F28052183B12}" = Sonic Advanced Decoder
"{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}" = mHlpDell
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4AE80E7B-6633-4046-9C15-D3B281C4F73D}" = BPDSoftware
"{4EA684E9-5C81-4033-A696-3019EC57AC3A}" = HPProductAssistant
"{53C6D09E-EAB6-49E5-BA4C-BA7FF13830FB}" = Sound Blaster Audigy ADVANCED MB
"{548EEA8E-8299-497F-8057-811D2D7097DC}" = Dell Support 3.1
"{55937F00-A69B-4049-8D3A-1C7729742B6F}" = BUM
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{5A7A96D2-B123-470F-BE6D-2C6570FC4FF0}" = WD Software Upgrader
"{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}" = Sonic Activation Module
"{5BFE01FF-189F-4b75-8FA8-9B7CD7F9C529}" = L7500
"{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}" = AOLIcon
"{63DB9CCD-2B56-4217-9A3D-507AC78320CA}" = mWMI
"{66910000-8B30-4973-A159-6371345AFFA5}" = WebReg
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{6909F917-5499-482e-9AA1-FAD06A99F231}" = Toolbox
"{6994491D-D491-48F1-AE1F-E179C1FFFC2F}" = HP Photosmart Essential
"{6B9B0C6F-E5FA-4633-A640-AB98A272ECCA}" = Safari
"{6DE9751D-3FFE-400E-8761-26A92DB734DE}" = BPD_HPSU
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7729A02E-D1AD-4830-8FC5-11853500D90D}" = HP Officejet Pro All-In-One Series
"{797EE0CA-8165-405C-B5CE-F11EC20F1BB0}" = Microsoft VC9 runtime libraries
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{8331C3EA-0C91-43AA-A4D4-27221C631139}" = Status
"{83A881FC-79D3-4A66-A173-F38BEBA40866}" = Logitech Pocket Digital
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A4CE7FD-9657-4B06-9943-E1819F3D5D67}" = DocProc
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{8C045626-4496-4238-B3B8-394CC6D46427}" = 7500_7600_7700_Help
"{8C2690CF-5B74-4F93-8139-7B5644CD6A3B}" = MobileMe Control Panel
"{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}" = Unload
"{8D2AE3F6-79DF-423C-91CB-389F6FB5837B}" = Andrea VoiceCenter
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90B0D222-8C21-4B35-9262-53B042F18AF9}" = mPfWiz
"{91130409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Basic Edition 2003
"{94658027-9F16-4509-BBD7-A59FE57C3023}" = mZConfig
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{98D451C4-4ACA-4273-BB47-57CFE46B048E}" = WD SmartWare
"{9CC89556-3578-48DD-8408-04E66EBEF401}" = mXML
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Roxio RecordNow Audio
"{AC0EE5B0-A8FB-4D0A-AF03-2EDC518F841B}" = Dell Media Experience
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.1
"{AF19F291-F22F-4798-9662-525305AE9E48}" = WordPerfect Office 12
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Roxio RecordNow Copy
"{B702CCCE-3176-4DBF-B932-D1B8F402F330}" = Digital Content Portal
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{C41F4616-44B6-4E8D-BFC7-4267862A2CE1}" = CinepPlayer 30 Update
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{C7F54CF8-D6FB-4E0A-93A3-E68AE0D6C476}" = SolutionCenter
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE24344F-DFD8-40C8-8FD8-C9740B5F25AC}" = BPDfax
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CFF4500E-C5D6-695D-A027-B3D4DDED2CC3}" = McAfee Online Backup
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D2988E9B-C73F-422C-AD4B-A66EBE257120}" = MCU
"{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}" = Full Tilt Poker
"{DBC20735-34E6-4E97-A9E5-2066B66B243D}" = TrayApp
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{E81667C6-2856-46D6-ABEA-6A2F42166779}" = mCore
"{E93E5EF6-D361-481E-849D-F16EF5C78EBC}" = Musicmatch for Windows Media Player
"{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}" = PL-2303 USB-to-Serial
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F157460F-720E-482f-8625-AD7843891E5F}" = InstantShareDevicesMFC
"{F3760724-B29D-465B-BC53-E5D72095BCC4}" = Scan
"{F6090A17-0967-4A8A-B3C3-422A1B514D49}" = mDrWiFi
"{FAE36873-1941-4076-A9A5-48812B5EA0B7}" = iTunes
"{FB15E224-67C3-491F-9F5C-F257BC418412}" = Destinations
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"Adobe Shockwave Player" = Adobe Shockwave Player
"AOL Uninstaller" = AOL Uninstaller (Choose which Products to Remove)
"AOLCoach" = AOL Coach Version 1.0(Build:20040229.1 en)
"AudioConverter Studio_is1" = AudioConverter Studio 6.0
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3" = Conexant HDA D110 MDC V.92 Modem
"ERUNT_is1" = ERUNT 1.1j
"HijackThis" = HijackThis 2.0.2
"HP Imaging Device Functions" = HP Imaging Device Functions 7.0
"HP Solution Center & Imaging Support Tools" = HP Solution Center 7.0
"HPOCR" = OCR Software by I.R.I.S 7.0
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSC" = McAfee Internet Security
"MSNINST" = MSN
"Peggle Deluxe 1.0" = Peggle Deluxe 1.0
"Peggle Nights Deluxe 1.0" = Peggle Nights Deluxe 1.0
"PokerStars" = PokerStars
"ProInst" = Intel® PROSet/Wireless Software
"RealPlayer 6.0" = RealPlayer Basic
"SAMB_ADVMB_FILTER_DRV" = Sound Blaster ADVANCED MB Drivers
"Sound Blaster Audigy ADVANCED MB Product Registration" = Sound Blaster Audigy ADVANCED MB Product Registration
"StreetPlugin" = Learn2 Player (Uninstall Only)
"SUPER ©" = SUPER © Version 2009.bld.35 (Jan 5, 2009)
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"ViewpointMediaPlayer" = Viewpoint Media Player
"Window Washer" = Window Washer
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"YInstHelper" = Yahoo! Install Manager

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{9863F141-7A33-4c9a-A5F2-96996461B216}" = KODAK EASYSHARE Gallery Easy Upload, v2.1

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/26/2011 12:31:45 AM | Computer Name = XPS | Source = STacSV | ID = 268435455
Description =

Error - 1/26/2011 3:04:31 AM | Computer Name = XPS | Source = STacSV | ID = 268435455
Description =

Error - 1/26/2011 3:14:38 AM | Computer Name = XPS | Source = STacSV | ID = 268435455
Description =

Error - 1/26/2011 3:17:57 AM | Computer Name = XPS | Source = STacSV | ID = 268435455
Description =

Error - 1/26/2011 9:11:30 AM | Computer Name = XPS | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 1/26/2011 9:11:30 AM | Computer Name = XPS | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 15469

Error - 1/26/2011 9:11:30 AM | Computer Name = XPS | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 15469

Error - 1/26/2011 2:37:58 PM | Computer Name = XPS | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 1/26/2011 2:37:58 PM | Computer Name = XPS | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 19603047

Error - 1/26/2011 2:37:58 PM | Computer Name = XPS | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 19603047

[ System Events ]
Error - 1/8/2011 9:33:49 PM | Computer Name = XPS | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the MOBKbackup service.

Error - 1/8/2011 9:34:19 PM | Computer Name = XPS | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the MOBKbackup service.

Error - 1/8/2011 9:34:49 PM | Computer Name = XPS | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the MOBKbackup service.

Error - 1/8/2011 9:35:19 PM | Computer Name = XPS | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the MOBKbackup service.

Error - 1/8/2011 9:35:49 PM | Computer Name = XPS | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the MOBKbackup service.

Error - 1/8/2011 9:36:19 PM | Computer Name = XPS | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the MOBKbackup service.

Error - 1/10/2011 10:00:39 PM | Computer Name = XPS | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.1.64 on
the Network Card with network address 001302A64E29.

Error - 1/25/2011 4:00:24 PM | Computer Name = XPS | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
SASDIFSV SASKUTIL

Error - 1/25/2011 8:28:12 PM | Computer Name = XPS | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.68 for the Network Card with network
address 001302A64E29 has been denied by the DHCP server 192.168.1.254 (The DHCP
Server sent a DHCPNACK message).

Error - 1/26/2011 9:11:07 AM | Computer Name = XPS | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the WDFME service.


< End of report >



GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-26 03:55:45
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 TOSHIBA_MK6032GSX rev.AS312D
Running: gmer.exe; Driver: C:\DOCUME~1\JP.XPS\LOCALS~1\Temp\pxtdipow.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9ED50E0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9ED50F4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9ED5120]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9ED5176]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9ED50CC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9ED50A4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9ED50B8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9ED510A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB9ED514C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9ED5136]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9ED51A0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9ED518C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9ED5160]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504B08 7 Bytes JMP B9ED5164 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B1FE6 7 Bytes JMP B9ED517A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2DF4 5 Bytes JMP B9ED5190 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetSecurityObject 805C05DA 5 Bytes JMP B9ED5150 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB3FA 5 Bytes JMP B9ED50A8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB686 5 Bytes JMP B9ED50BC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D2982 5 Bytes JMP B9ED51A4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D3A 7 Bytes JMP B9ED513A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231EA 7 Bytes JMP B9ED510E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806237C8 5 Bytes JMP B9ED50E4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C64 7 Bytes JMP B9ED50F8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E34 7 Bytes JMP B9ED5124 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624BA6 5 Bytes JMP B9ED50D0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
init C:\WINDOWS\system32\drivers\monfilt.sys entry point in "init" section [0xA8D36280]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[552] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\system32\svchost.exe[552] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BC0FB9
.text C:\WINDOWS\system32\svchost.exe[552] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BC0FD4
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BB0F5A
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BB0059
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BB0F75
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BB0F86
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BB0FA8
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BB0F2C
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BB0F49
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BB00AA
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BB008F
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BB0EF6
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BB0F97
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BB0FD4
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BB0074
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BB0014
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BB0FC3
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!WinExec 7C86250D 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BB0F11
.text C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BA0047
.text C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BA006C
.text C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BA0036
.text C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BA001B
.text C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BA0FA5
.text C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BA0000
.text C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BA0FCA
.text C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DA, 88]
.text C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BA0FDB
.text C:\WINDOWS\system32\svchost.exe[552] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BD0033
.text C:\WINDOWS\system32\svchost.exe[552] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BD0FB2
.text C:\WINDOWS\system32\svchost.exe[552] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BD0FDE
.text C:\WINDOWS\system32\svchost.exe[552] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BD000C
.text C:\WINDOWS\system32\svchost.exe[552] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BD0FC3
.text C:\WINDOWS\system32\svchost.exe[552] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\system32\svchost.exe[592] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\svchost.exe[592] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BF001B
.text C:\WINDOWS\system32\svchost.exe[592] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BF0FDB
.text C:\WINDOWS\system32\svchost.exe[592] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BE0000
.text C:\WINDOWS\system32\svchost.exe[592] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BE0F9E
.text C:\WINDOWS\system32\svchost.exe[592] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BE0093
.text C:\WINDOWS\system32\svchost.exe[592] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BE0FB9
.text C:\WINDOWS\system32\svchost.exe[592] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BE0FCA
.text C:\WINDOWS\system32\svchost.exe[592] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BE0051
.text C:\WINDOWS\system32\svchost.exe[592] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BE0F5C
.text C:\WINDOWS\system32\svchost.exe[592] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BE00AE
.text C:\WINDOWS\system32\svchost.exe[592] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BE00D3
.text C:\WINDOWS\system32\svchost.exe[592] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BE0F3A
.text C:\WINDOWS\system32\svchost.exe[592] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BE00E4
.text C:\WINDOWS\system32\svchost.exe[592] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BE0062
.text C:\WINDOWS\system32\svchost.exe[592] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BE001B
.text C:\WINDOWS\system32\svchost.exe[592] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BE0F83
.text C:\WINDOWS\system32\svchost.exe[592] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BE0036
.text C:\WINDOWS\system32\svchost.exe[592] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BE0FE5
.text C:\WINDOWS\system32\svchost.exe[592] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BE0F4B
.text C:\WINDOWS\system32\svchost.exe[592] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C3001B
.text C:\WINDOWS\system32\svchost.exe[592] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C30073
.text C:\WINDOWS\system32\svchost.exe[592] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C30FD4
.text C:\WINDOWS\system32\svchost.exe[592] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C30FE5
.text C:\WINDOWS\system32\svchost.exe[592] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C30062
.text C:\WINDOWS\system32\svchost.exe[592] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C30000
.text C:\WINDOWS\system32\svchost.exe[592] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C30047
.text C:\WINDOWS\system32\svchost.exe[592] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C30036
.text C:\WINDOWS\system32\svchost.exe[592] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C20FA6
.text C:\WINDOWS\system32\svchost.exe[592] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C20FB7
.text C:\WINDOWS\system32\svchost.exe[592] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C2000C
.text C:\WINDOWS\system32\svchost.exe[592] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C20FEF
.text C:\WINDOWS\system32\svchost.exe[592] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C20027
.text C:\WINDOWS\system32\svchost.exe[592] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C20FD2
.text C:\WINDOWS\system32\svchost.exe[592] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00C00FEF
.text C:\WINDOWS\system32\svchost.exe[592] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00C00000
.text C:\WINDOWS\system32\svchost.exe[592] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00C00FCA
.text C:\WINDOWS\system32\svchost.exe[592] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 00C00FA5
.text C:\WINDOWS\system32\svchost.exe[592] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C10000
.text C:\Program Files\Internet Explorer\iexplore.exe[968] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 05B00000
.text C:\Program Files\Internet Explorer\iexplore.exe[968] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 05B00FDB
.text C:\Program Files\Internet Explorer\iexplore.exe[968] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 05B0001B
.text C:\Program Files\Internet Explorer\iexplore.exe[968] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 05AF0FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[968] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 05AF0F50
.text C:\Program Files\Internet Explorer\iexplore.exe[968] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 05AF0F6B
.text C:\Program Files\Internet Explorer\iexplore.exe[968] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 05AF0F7C
.text C:\Program Files\Internet Explorer\iexplore.exe[968] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 05AF0F8D
.text C:\Program Files\Internet Explorer\iexplore.exe[968] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 05AF002F
.text C:\Program Files\Internet Explorer\iexplore.exe[968] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 05AF0F35
.text C:\Program Files\Internet Explorer\iexplore.exe[968] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 05AF007B
.text C:\Program Files\Internet Explorer\iexplore.exe[968] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 05AF00B3
.text C:\Program Files\Internet Explorer\iexplore.exe[968] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 05AF00A2
.text C:\Program Files\Internet Explorer\iexplore.exe[968] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 05AF0F09
.text C:\Program Files\Internet Explorer\iexplore.exe[968] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 05AF0FA8
.text C:\Program Files\Internet Explorer\iexplore.exe[968] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 05AF0FDE
.text C:\Program Files\Internet Explorer\iexplore.exe[968] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 05AF006A
.text C:\Program Files\Internet Explorer\iexplore.exe[968] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 05AF0FCD
.text C:\Program Files\Internet Explorer\iexplore.exe[968] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 05AF0014
.text C:\Program Files\Internet Explorer\iexplore.exe[968] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 05AF0F24
.text C:\Program Files\Internet Explorer\iexplore.exe[968] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 05AE002F
.text C:\Program Files\Internet Explorer\iexplore.exe[968] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 05AE0FB9
.text C:\Program Files\Internet Explorer\iexplore.exe[968] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 05AE0014
.text C:\Program Files\Internet Explorer\iexplore.exe[968] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 05AE0FDE
.text C:\Program Files\Internet Explorer\iexplore.exe[968] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 05AE0076
.text C:\Program Files\Internet Explorer\iexplore.exe[968] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 05AE0FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[968] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 05AE005B
.text C:\Program Files\Internet Explorer\iexplore.exe[968] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 05AE0040
.text C:\Program Files\Internet Explorer\iexplore.exe[968] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[968] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AE9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[968] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD145 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[968] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB44 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[968] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254696 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[968] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E4FEF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[968] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4F21 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[968] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4F8C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[968] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4DF2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[968] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4E54 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[968] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E5052 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[968] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4EB6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[968] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 05AD0044
.text C:\Program Files\Internet Explorer\iexplore.exe[968] msvcrt.dll!system 77C293C7 5 Bytes JMP 05AD0033
.text C:\Program Files\Internet Explorer\iexplore.exe[968] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 05AD0FDE
.text C:\Program Files\Internet Explorer\iexplore.exe[968] msvcrt.dll!_open 77C2F566 5 Bytes JMP 05AD0000
.text C:\Program Files\Internet Explorer\iexplore.exe[968] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 05AD0FC3
.text C:\Program Files\Internet Explorer\iexplore.exe[968] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 05AD0FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[968] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBA0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[968] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E5370 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[968] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 05AB0000
.text C:\Program Files\Internet Explorer\iexplore.exe[968] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 05AB0FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[968] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 05AB0FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[968] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 05AB0FB9
.text C:\Program Files\Internet Explorer\iexplore.exe[968] ws2_32.dll!socket 71AB4211 5 Bytes JMP 05AC0000
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[1116] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[1116] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\services.exe[1436] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00700000
.text C:\WINDOWS\system32\services.exe[1436] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0070002C
.text C:\WINDOWS\system32\services.exe[1436] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00700011
.text C:\WINDOWS\system32\services.exe[1436] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006F0000
.text C:\WINDOWS\system32\services.exe[1436] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006F0071
.text C:\WINDOWS\system32\services.exe[1436] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006F0F7C
.text C:\WINDOWS\system32\services.exe[1436] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006F0054
.text C:\WINDOWS\system32\services.exe[1436] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006F0039
.text C:\WINDOWS\system32\services.exe[1436] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006F0FB2
.text C:\WINDOWS\system32\services.exe[1436] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006F009D
.text C:\WINDOWS\system32\services.exe[1436] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006F0F4B
.text C:\WINDOWS\system32\services.exe[1436] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006F00C9
.text C:\WINDOWS\system32\services.exe[1436] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006F00AE
.text C:\WINDOWS\system32\services.exe[1436] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006F00DA
.text C:\WINDOWS\system32\services.exe[1436] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006F0FA1
.text C:\WINDOWS\system32\services.exe[1436] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006F0FEF
.text C:\WINDOWS\system32\services.exe[1436] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006F0082
.text C:\WINDOWS\system32\services.exe[1436] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006F0FC3
.text C:\WINDOWS\system32\services.exe[1436] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006F0FDE
.text C:\WINDOWS\system32\services.exe[1436] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006F0F3A
.text C:\WINDOWS\system32\services.exe[1436] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D5002C
.text C:\WINDOWS\system32\services.exe[1436] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D50FAF
.text C:\WINDOWS\system32\services.exe[1436] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D5001B
.text C:\WINDOWS\system32\services.exe[1436] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D50000
.text C:\WINDOWS\system32\services.exe[1436] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D5006C
.text C:\WINDOWS\system32\services.exe[1436] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D50FEF
.text C:\WINDOWS\system32\services.exe[1436] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D50047
.text C:\WINDOWS\system32\services.exe[1436] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D50FC0
.text C:\WINDOWS\system32\services.exe[1436] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00720FA3
.text C:\WINDOWS\system32\services.exe[1436] msvcrt.dll!system 77C293C7 5 Bytes JMP 0072002E
.text C:\WINDOWS\system32\services.exe[1436] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00720FE3
.text C:\WINDOWS\system32\services.exe[1436] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00720000
.text C:\WINDOWS\system32\services.exe[1436] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00720FC8
.text C:\WINDOWS\system32\services.exe[1436] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0072001D
.text C:\WINDOWS\system32\services.exe[1436] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00710000
.text C:\WINDOWS\system32\lsass.exe[1448] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00E60FE5
.text C:\WINDOWS\system32\lsass.exe[1448] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00E6000A
.text C:\WINDOWS\system32\lsass.exe[1448] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E60FD4
.text C:\WINDOWS\system32\lsass.exe[1448] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E40000
.text C:\WINDOWS\system32\lsass.exe[1448] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E40F5B
.text C:\WINDOWS\system32\lsass.exe[1448] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E40050
.text C:\WINDOWS\system32\lsass.exe[1448] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E40F76
.text C:\WINDOWS\system32\lsass.exe[1448] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E40033
.text C:\WINDOWS\system32\lsass.exe[1448] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E40022
.text C:\WINDOWS\system32\lsass.exe[1448] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E40092
.text C:\WINDOWS\system32\lsass.exe[1448] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E40081
.text C:\WINDOWS\system32\lsass.exe[1448] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E40F1E
.text C:\WINDOWS\system32\lsass.exe[1448] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E400B7
.text C:\WINDOWS\system32\lsass.exe[1448] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E40F03
.text C:\WINDOWS\system32\lsass.exe[1448] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E40F9B
.text C:\WINDOWS\system32\lsass.exe[1448] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E40FE5
.text C:\WINDOWS\system32\lsass.exe[1448] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E40F4A
.text C:\WINDOWS\system32\lsass.exe[1448] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E40011
.text C:\WINDOWS\system32\lsass.exe[1448] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E40FCA
.text C:\WINDOWS\system32\lsass.exe[1448] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E40F2F
.text C:\WINDOWS\system32\lsass.exe[1448] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E9000A
.text C:\WINDOWS\system32\lsass.exe[1448] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E90F61
.text C:\WINDOWS\system32\lsass.exe[1448] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E90FB9
.text C:\WINDOWS\system32\lsass.exe[1448] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E90FDE
.text C:\WINDOWS\system32\lsass.exe[1448] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E90F72
.text C:\WINDOWS\system32\lsass.exe[1448] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E90FEF
.text C:\WINDOWS\system32\lsass.exe[1448] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00E90F83
.text C:\WINDOWS\system32\lsass.exe[1448] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [09, 89]
.text C:\WINDOWS\system32\lsass.exe[1448] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E90F9E
.text C:\WINDOWS\system32\lsass.exe[1448] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E80062
.text C:\WINDOWS\system32\lsass.exe[1448] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E80FCD
.text C:\WINDOWS\system32\lsass.exe[1448] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E80033
.text C:\WINDOWS\system32\lsass.exe[1448] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E80FEF
.text C:\WINDOWS\system32\lsass.exe[1448] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E80FDE
.text C:\WINDOWS\system32\lsass.exe[1448] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E80018
.text C:\WINDOWS\system32\lsass.exe[1448] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E70FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 02110FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 02110011
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 02110000
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02100FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02100093
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02100078
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02100067
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02100F9E
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02100FAF
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 021000D0
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 021000BF
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02100106
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02100F6D
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02100F52
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02100036
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0210000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 021000A4
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02100FCA
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0210001B
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 021000EB
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 020F0FC0
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 020F005F
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 020F0FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 020F001B
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 020F004E
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 020F0000
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 020F003D
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 020F002C
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB44 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E4FEF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4F21 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4F8C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4DF2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4E54 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E5052 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4EB6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 020E0FC5
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] msvcrt.dll!system 77C293C7 5 Bytes JMP 020E0050
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 020E002E
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] msvcrt.dll!_open 77C2F566 5 Bytes JMP 020E000C
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 020E003F
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 020E001D
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 020C0000
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 020C0011
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 020C002C
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 020C003D
.text C:\Program Files\Internet Explorer\iexplore.exe[1584] ws2_32.dll!socket 71AB4211 5 Bytes JMP 020D0FEF
.text C:\WINDOWS\system32\svchost.exe[1628] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\svchost.exe[1628] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00FE000A
.text C:\WINDOWS\system32\svchost.exe[1628] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FE0FDE
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FD0FEF
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FD004C
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FD0F61
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FD002F
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FD0F72
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FD0F97
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FD0F0E
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FD0F2B
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FD0EE2
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FD007B
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FD008C
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FD001E
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FD0FDE
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FD0F3C
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FD0FB2
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FD0FCD
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FD0EFD
.text C:\WINDOWS\system32\svchost.exe[1628] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02420047
.text C:\WINDOWS\system32\svchost.exe[1628] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02420073
.text C:\WINDOWS\system32\svchost.exe[1628] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0242002C
.text C:\WINDOWS\system32\svchost.exe[1628] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0242001B
.text C:\WINDOWS\system32\svchost.exe[1628] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02420FC0
.text C:\WINDOWS\system32\svchost.exe[1628] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0242000A
.text C:\WINDOWS\system32\svchost.exe[1628] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02420062
.text C:\WINDOWS\system32\svchost.exe[1628] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02420FDB
.text C:\WINDOWS\system32\svchost.exe[1628] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0241005F
.text C:\WINDOWS\system32\svchost.exe[1628] msvcrt.dll!system 77C293C7 5 Bytes JMP 02410FD4
.text C:\WINDOWS\system32\svchost.exe[1628] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02410FE5
.text C:\WINDOWS\system32\svchost.exe[1628] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0241000C
.text C:\WINDOWS\system32\svchost.exe[1628] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0241003A
.text C:\WINDOWS\system32\svchost.exe[1628] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02410029
.text C:\WINDOWS\system32\svchost.exe[1628] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\System32\svchost.exe[1644] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 006F0FE5
.text C:\WINDOWS\System32\svchost.exe[1644] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 006F0025
.text C:\WINDOWS\System32\svchost.exe[1644] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006F0000
.text C:\WINDOWS\System32\svchost.exe[1644] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006E0000
.text C:\WINDOWS\System32\svchost.exe[1644] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006E0F94
.text C:\WINDOWS\System32\svchost.exe[1644] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006E0FAF
.text C:\WINDOWS\System32\svchost.exe[1644] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006E007D
.text C:\WINDOWS\System32\svchost.exe[1644] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006E0FC0
.text C:\WINDOWS\System32\svchost.exe[1644] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006E0047
.text C:\WINDOWS\System32\svchost.exe[1644] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006E0F83
.text C:\WINDOWS\System32\svchost.exe[1644] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006E00CB
.text C:\WINDOWS\System32\svchost.exe[1644] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006E0101
.text C:\WINDOWS\System32\svchost.exe[1644] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006E0F5E
.text C:\WINDOWS\System32\svchost.exe[1644] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006E0112
.text C:\WINDOWS\System32\svchost.exe[1644] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006E0062
.text C:\WINDOWS\System32\svchost.exe[1644] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006E001B
.text C:\WINDOWS\System32\svchost.exe[1644] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006E00A4
.text C:\WINDOWS\System32\svchost.exe[1644] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006E0FDB
.text C:\WINDOWS\System32\svchost.exe[1644] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006E0036
.text C:\WINDOWS\System32\svchost.exe[1644] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006E00E6
.text C:\WINDOWS\System32\svchost.exe[1644] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006D0FC3
.text C:\WINDOWS\System32\svchost.exe[1644] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006D0F86
.text C:\WINDOWS\System32\svchost.exe[1644] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006D0FD4
.text C:\WINDOWS\System32\svchost.exe[1644] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006D0FE5
.text C:\WINDOWS\System32\svchost.exe[1644] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006D0F97
.text C:\WINDOWS\System32\svchost.exe[1644] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006D0000
.text C:\WINDOWS\System32\svchost.exe[1644] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 006D0039
.text C:\WINDOWS\System32\svchost.exe[1644] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006D0FA8
.text C:\WINDOWS\System32\svchost.exe[1644] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00710F9C
.text C:\WINDOWS\System32\svchost.exe[1644] msvcrt.dll!system 77C293C7 5 Bytes JMP 00710FB7
.text C:\WINDOWS\System32\svchost.exe[1644] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00710FC8
.text C:\WINDOWS\System32\svchost.exe[1644] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00710000
.text C:\WINDOWS\System32\svchost.exe[1644] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00710027
.text C:\WINDOWS\System32\svchost.exe[1644] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00710FE3
.text C:\WINDOWS\System32\svchost.exe[1644] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00700000
.text C:\WINDOWS\system32\svchost.exe[1676] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00A5000A
.text C:\WINDOWS\system32\svchost.exe[1676] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00A50025
.text C:\WINDOWS\system32\svchost.exe[1676] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A50FEF
.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A40000
.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A40F79
.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A40F94
.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A40062
.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A40051
.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A40025
.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A40F52
.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A400A4
.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A40F26
.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A40F41
.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A400DA
.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A40040
.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A40FEF
.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A40089
.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A40FB9
.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A40FD4
.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A400BF
.text C:\WINDOWS\system32\svchost.exe[1676] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00AC0025
.text C:\WINDOWS\system32\svchost.exe[1676] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00AC0076
.text C:\WINDOWS\system32\svchost.exe[1676] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00AC0014
.text C:\WINDOWS\system32\svchost.exe[1676] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00AC0FDE
.text C:\WINDOWS\system32\svchost.exe[1676] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00AC0FAF
.text C:\WINDOWS\system32\svchost.exe[1676] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00AC0FEF
.text C:\WINDOWS\system32\svchost.exe[1676] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00AC0051
.text C:\WINDOWS\system32\svchost.exe[1676] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00AC0040
.text C:\WINDOWS\system32\svchost.exe[1676] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A70049
.text C:\WINDOWS\system32\svchost.exe[1676] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A70FBE
.text C:\WINDOWS\system32\svchost.exe[1676] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A7001D
.text C:\WINDOWS\system32\svchost.exe[1676] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A70FEF
.text C:\WINDOWS\system32\svchost.exe[1676] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A70038
.text C:\WINDOWS\system32\svchost.exe[1676] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A7000C
.text C:\WINDOWS\system32\svchost.exe[1676] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A60FEF
.text C:\WINDOWS\System32\svchost.exe[1716] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 02CF0000
.text C:\WINDOWS\System32\svchost.exe[1716] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 02CF0036
.text C:\WINDOWS\System32\svchost.exe[1716] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 02CF0011
.text C:\WINDOWS\System32\svchost.exe[1716] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02CE0FEF
.text C:\WINDOWS\System32\svchost.exe[1716] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02CE0067
.text C:\WINDOWS\System32\svchost.exe[1716] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02CE0F72
.text C:\WINDOWS\System32\svchost.exe[1716] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02CE004C
.text C:\WINDOWS\System32\svchost.exe[1716] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02CE0F83
.text C:\WINDOWS\System32\svchost.exe[1716] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02CE0025
.text C:\WINDOWS\System32\svchost.exe[1716] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02CE0093
.text C:\WINDOWS\System32\svchost.exe[1716] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02CE0078
.text C:\WINDOWS\System32\svchost.exe[1716] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02CE0F26
.text C:\WINDOWS\System32\svchost.exe[1716] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02CE00BF
.text C:\WINDOWS\System32\svchost.exe[1716] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02CE00D0
.text C:\WINDOWS\System32\svchost.exe[1716] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02CE0F9E
.text C:\WINDOWS\System32\svchost.exe[1716] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02CE000A
.text C:\WINDOWS\System32\svchost.exe[1716] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02CE0F57
.text C:\WINDOWS\System32\svchost.exe[1716] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02CE0FB9
.text C:\WINDOWS\System32\svchost.exe[1716] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02CE0FD4
.text C:\WINDOWS\System32\svchost.exe[1716] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02CE00A4
.text C:\WINDOWS\System32\svchost.exe[1716] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02D30FCA
.text C:\WINDOWS\System32\svchost.exe[1716] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02D30F83
.text C:\WINDOWS\System32\svchost.exe[1716] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02D30FE5
.text C:\WINDOWS\System32\svchost.exe[1716] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02D3001B
.text C:\WINDOWS\System32\svchost.exe[1716] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02D30040
.text C:\WINDOWS\System32\svchost.exe[1716] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02D3000A
.text C:\WINDOWS\System32\svchost.exe[1716] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02D30FA8
.text C:\WINDOWS\System32\svchost.exe[1716] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F3, 8A]
.text C:\WINDOWS\System32\svchost.exe[1716] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02D30FB9
.text C:\WINDOWS\System32\svchost.exe[1716] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02D20055
.text C:\WINDOWS\System32\svchost.exe[1716] msvcrt.dll!system 77C293C7 5 Bytes JMP 02D20FCA
.text C:\WINDOWS\System32\svchost.exe[1716] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02D20FEF
.text C:\WINDOWS\System32\svchost.exe[1716] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02D20000
.text C:\WINDOWS\System32\svchost.exe[1716] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02D2003A
.text C:\WINDOWS\System32\svchost.exe[1716] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02D20029
.text C:\WINDOWS\System32\svchost.exe[1716] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02D10000
.text C:\WINDOWS\System32\svchost.exe[1716] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02D00FE5
.text C:\WINDOWS\System32\svchost.exe[1716] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 02D00FD4
.text C:\WINDOWS\System32\svchost.exe[1716] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 02D0000A
.text C:\WINDOWS\System32\svchost.exe[1716] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 02D0001B
.text C:\WINDOWS\System32\svchost.exe[1976] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 006F0FEF
.text C:\WINDOWS\System32\svchost.exe[1976] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 006F0025
.text C:\WINDOWS\System32\svchost.exe[1976] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006F000A
.text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006E0FE5
.text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006E0058
.text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006E0F63
.text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006E003D
.text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006E0F80
.text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006E0022
.text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006E0F46
.text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006E008E
.text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006E00C4
.text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006E00B3
.text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006E0F06
.text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006E0F91
.text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006E0000
.text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006E0073
.text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006E0011
.text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006E0FC0
.text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006E0F35
.text C:\WINDOWS\System32\svchost.exe[1976] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006D0FC0
.text C:\WINDOWS\System32\svchost.exe[1976] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006D0062
.text C:\WINDOWS\System32\svchost.exe[1976] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006D001B
.text C:\WINDOWS\System32\svchost.exe[1976] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006D0000
.text C:\WINDOWS\System32\svchost.exe[1976] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006D0047
.text C:\WINDOWS\System32\svchost.exe[1976] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006D0FEF
.text C:\WINDOWS\System32\svchost.exe[1976] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 006D0036
.text C:\WINDOWS\System32\svchost.exe[1976] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006D0FAF
.text C:\WINDOWS\System32\svchost.exe[1976] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00710053
.text C:\WINDOWS\System32\svchost.exe[1976] msvcrt.dll!system 77C293C7 5 Bytes JMP 00710042
.text C:\WINDOWS\System32\svchost.exe[1976] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00710FD2
.text C:\WINDOWS\System32\svchost.exe[1976] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00710000
.text C:\WINDOWS\System32\svchost.exe[1976] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00710027
.text C:\WINDOWS\System32\svchost.exe[1976] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00710FE3
.text C:\WINDOWS\System32\svchost.exe[1976] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00700FE5
.text C:\WINDOWS\system32\svchost.exe[1988] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 007A0FEF
.text C:\WINDOWS\system32\svchost.exe[1988] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 007A0014
.text C:\WINDOWS\system32\svchost.exe[1988] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007A0FDE
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00790FEF
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00790F55
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00790F7A
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!LoadLibraryExW 7C801AF5 3 Bytes JMP 00790054
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!LoadLibraryExW + 4 7C801AF9 1 Byte [83]
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00790F97
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00790FB2
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00790091
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00790080
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007900E2
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007900D1
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00790F38
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00790043
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00790FDE
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00790065
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00790FCD
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00790014
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007900B6
.text C:\WINDOWS\system32\svchost.exe[1988] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007D0040
.text C:\WINDOWS\system32\svchost.exe[1988] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007D0FA8
.text C:\WINDOWS\system32\svchost.exe[1988] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007D0025
.text C:\WINDOWS\system32\svchost.exe[1988] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007D0014
.text C:\WINDOWS\system32\svchost.exe[1988] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 007D0065
.text C:\WINDOWS\system32\svchost.exe[1988] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 007D0FEF
.text C:\WINDOWS\system32\svchost.exe[1988] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 007D0FB9
.text C:\WINDOWS\system32\svchost.exe[1988] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [9D, 88]
.text C:\WINDOWS\system32\svchost.exe[1988] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 007D0FD4
.text C:\WINDOWS\system32\svchost.exe[1988] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007C0F75
.text C:\WINDOWS\system32\svchost.exe[1988] msvcrt.dll!system 77C293C7 5 Bytes JMP 007C0000
.text C:\WINDOWS\system32\svchost.exe[1988] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007C0FB5
.text C:\WINDOWS\system32\svchost.exe[1988] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007C0FE3
.text C:\WINDOWS\system32\svchost.exe[1988] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007C0F9A
.text C:\WINDOWS\system32\svchost.exe[1988] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007C0FD2
.text C:\WINDOWS\system32\svchost.exe[1988] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007B0FE5
.text C:\WINDOWS\system32\svchost.exe[2028] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BB000A
.text C:\WINDOWS\system32\svchost.exe[2028] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BB002C
.text C:\WINDOWS\system32\svchost.exe[2028] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BB001B
.text C:\WINDOWS\system32\svchost.exe[2028] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA0000
.text C:\WINDOWS\system32\svchost.exe[2028] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA0F9E
.text C:\WINDOWS\system32\svchost.exe[2028] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA0093
.text C:\WINDOWS\system32\svchost.exe[2028] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA0FAF
.text C:\WINDOWS\system32\svchost.exe[2028] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA0FC0
.text C:\WINDOWS\system32\svchost.exe[2028] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA0051
.text C:\WINDOWS\system32\svchost.exe[2028] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA00C9
.text C:\WINDOWS\system32\svchost.exe[2028] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA0F8D
.text C:\WINDOWS\system32\svchost.exe[2028] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA0F66
.text C:\WINDOWS\system32\svchost.exe[2028] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA00FF
.text C:\WINDOWS\system32\svchost.exe[2028] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BA0110
.text C:\WINDOWS\system32\svchost.exe[2028] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BA0062
.text C:\WINDOWS\system32\svchost.exe[2028] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BA0FE5
.text C:\WINDOWS\system32\svchost.exe[2028] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BA00B8
.text C:\WINDOWS\system32\svchost.exe[2028] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BA0036
.text C:\WINDOWS\system32\svchost.exe[2028] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BA0025
.text C:\WINDOWS\system32\svchost.exe[2028] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BA00E4
.text C:\WINDOWS\system32\svchost.exe[2028] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BE002C
.text C:\WINDOWS\system32\svchost.exe[2028] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BE0073
.text C:\WINDOWS\system32\svchost.exe[2028] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BE001B
.text C:\WINDOWS\system32\svchost.exe[2028] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BE0FE5
.text C:\WINDOWS\system32\svchost.exe[2028] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BE0058
.text C:\WINDOWS\system32\svchost.exe[2028] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BE0000
.text C:\WINDOWS\system32\svchost.exe[2028] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BE0047
.text C:\WINDOWS\system32\svchost.exe[2028] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BE0FB6
.text C:\WINDOWS\system32\svchost.exe[2028] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BD0F95
.text C:\WINDOWS\system32\svchost.exe[2028] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BD0016
.text C:\WINDOWS\system32\svchost.exe[2028] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BD0FC1
.text C:\WINDOWS\system32\svchost.exe[2028] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\system32\svchost.exe[2028] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BD0FA6
.text C:\WINDOWS\system32\svchost.exe[2028] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BD0FDE
.text C:\WINDOWS\system32\svchost.exe[2028] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BC000A
.text C:\Program Files\Webroot\Washer\WasherSvc.exe[2228] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 0008ED99 C:\Program Files\Webroot\Washer\WasherSvc.exe (Window Washer Engine/Webroot Software, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs MOBK.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat A659CD20

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat MOBK.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8DF4D8F9-1CC5-81ED-5C54-03EA34D26E73}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8DF4D8F9-1CC5-81ED-5C54-03EA34D26E73}@iaooanchbgdlhkjbfk 0x6A 0x61 0x61 0x6E ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8DF4D8F9-1CC5-81ED-5C54-03EA34D26E73}@hainolfmmdcnnjpm 0x6A 0x61 0x61 0x6E ...

---- EOF - GMER 1.0.15 ----
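An added example, not part of the thread and not GMER's own code: a small parser for the `Reg` lines in a GMER log like the one above, plus a defender-side heuristic that picks out the Approved-key entries shown (random-looking non-CLSID value names under a CLSID-named subkey, with raw byte data). The heuristic is an assumption of mine, not a documented GMER rule, and the sample input is the three lines copied from the log above.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: the three "Reg" lines copied from the GMER registry section above.
SAMPLE_LOG = r"""
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8DF4D8F9-1CC5-81ED-5C54-03EA34D26E73}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8DF4D8F9-1CC5-81ED-5C54-03EA34D26E73}@iaooanchbgdlhkjbfk 0x6A 0x61 0x61 0x6E ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8DF4D8F9-1CC5-81ED-5C54-03EA34D26E73}@hainolfmmdcnnjpm 0x6A 0x61 0x61 0x6E ...
"""
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
HEX_BYTE_RE = re.compile(r"^0x[0-9A-Fa-f]{2}$")
# Parsed line: (key path, value name or None for a bare key line, data tokens as GMER printed them)
RegEntry = Tuple[str, Optional[str], List[str]]

def parse_reg_lines(text: str) -> List[RegEntry]:
    """Parse GMER 'Reg <key>[@<value> <data...>]' lines; everything else is ignored."""
    entries: List[RegEntry] = []
    for line in text.splitlines():
        if not line.startswith("Reg "):
            continue
        key, sep, rest = line[4:].partition("@")  # GMER joins key path and value name with '@'
        if not sep:
            entries.append((key.strip(), None, []))
        else:
            tokens = rest.split()
            entries.append((key, tokens[0], tokens[1:]))
    return entries

def decode_hex(tokens: List[str]) -> str:
    """Render GMER's '0x6A 0x61 ...' byte dump as text; GMER's '...' truncation marker is kept."""
    out = []
    for t in tokens:
        if HEX_BYTE_RE.match(t):
            b = int(t, 16)
            out.append(chr(b) if 32 <= b < 127 else "\\x%02x" % b)
        else:
            out.append(t)
    return "".join(out)

def flag_suspicious(entries: List[RegEntry]) -> List[Tuple[str, str, str]]:
    """Heuristic (an assumption, not a GMER rule): Approved normally holds CLSID-named values with a
    description string, so a CLSID-named subkey whose values have random non-CLSID names is atypical."""
    findings = []
    for key, value, data in entries:
        if value is None or "\\Shell Extensions\\Approved\\" not in key:
            continue
        subkey = key.rsplit("\\", 1)[-1]
        if CLSID_RE.match(subkey) and not CLSID_RE.match(value):
            findings.append((subkey, value, decode_hex(data)))
    return findings
```

The decoded data is only as long as GMER printed it; the trailing `...` is GMER's own truncation, so the text shown is a prefix, not the full value.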

#6 JP2010

JP2010
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  • Local time:07:47 AM

Posted 26 January 2011 - 02:09 PM

Fireman,

In order to get my PC running, I followed the guide for Disk Optimizer removal. First run RKill, then MBAM. Both worked. MBAM found and deleted some files. I rebooted and Disk Optimizer popped up. So I repeated the steps. While waiting for further instruction, I went into msconfig and removed 4 very strange looking items from the startup menu. Disk Optimizer has not loaded on start up since then. I'm sure I still have the infection, but it appears bypassed at this time. Let me know what to do next after you review my logs. I did GMER last night, and OTL this morning. I will not do another thing until you tell me to.

Thanks -

Edited by JP2010, 26 January 2011 - 02:10 PM.


#7 JP2010

JP2010
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  • Local time:07:47 AM

Posted 26 January 2011 - 03:10 PM

FYI, it would not allow me to upload the ARK.TEXT file (GMER log), and I am close to my quota. I posted it. Hope that's not a prob.

#8 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:10:47 AM

Posted 26 January 2011 - 03:55 PM

Hello JP2010 ,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.


I don't see much in your logs. We will run some tools to see if they find anything.

1.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.


Things to include in your next reply:
Combofix.txt
TdssKiller log
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#9 JP2010

JP2010
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  • Local time:07:47 AM

Posted 26 January 2011 - 05:18 PM

I have an old version of combofix installed on my pc should I remove it first? I see it via control panel add/remove programs.

#10 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:10:47 AM

Posted 26 January 2011 - 05:59 PM

Hello,

Yes, please delete that copy. ComboFix should be downloaded to the desktop and run from there only.



#11 JP2010

JP2010
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  • Local time:07:47 AM

Posted 26 January 2011 - 07:58 PM

I am sorry for the confusion, I do not have ComboFix on my PC. I have an older version of HijackThis. Should I delete it?

#12 JP2010

JP2010
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  • Local time:07:47 AM

Posted 26 January 2011 - 08:33 PM

The kill prog found nothing.

ComboFix appears to have stalled at the scanning prompt...

:( approx 25 min running, and my PC time clock is frozen at 5:06 pm

Edited by JP2010, 26 January 2011 - 08:33 PM.


#13 JP2010

JP2010
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  • Local time:07:47 AM

Posted 26 January 2011 - 08:57 PM

I have since rebooted. The screen never showed any progress on ComboFix. I have rebooted and turned off McAfee and attempted to run it again. Again the clock time has frozen and the ComboFix screen is a blinking cursor, on the line right after "badly infected machines may easily double".

#14 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:10:47 AM

Posted 27 January 2011 - 12:45 AM

Hello,

Please try and run ComboFix in Safe Mode.

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into Safe Mode.
Make sure you choose the option without networking support.
Please see here for additional details.



#15 JP2010

JP2010
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  • Local time:07:47 AM

Posted 27 January 2011 - 01:30 AM

Did as instructed; stalled at the same spot.



