
RKU detects possible rootkit activity

This topic is locked
21 replies to this topic

#1 ricknorth (Members, 110 posts)

Posted 03 July 2011 - 01:32 AM

Hello BC,
This is a Dell Inspiron E1505 with WinXP sp3. It was previously cleaned thanks to (BC's) Myrti's help, after infection when I clicked on an evil nacha.org email and phoney "failed ACH transfer" message about 6 months ago. That thread is here. The computer was apparently clean after combofix'd. However, since this infection earlier this year, I've not trusted this machine for contacting my financial institutions. But, it's getting increasingly inconvenient to instead use separate Win7 machine for that purpose and I'd love to go back to this WinXP machine as my main computer, including for talking to my trading accounts. I don't have any specific symptom that told me this WinXP computer was in trouble... but just to feel better, I just ran RKU (still on my desktop from downloading earlier with Myrti) according to the instructions from Myrti earlier. The report ends with several "unknown threads" and the warning "possible rootkit activity!" So, I hope I can get some handholding in sorting this out. Here's the RKU report...

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2154496 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2154496 bytes
0x804D7000 RAW 2154496 bytes
0x804D7000 WMIxWDM 2154496 bytes
0xBF800000 Win32k 1859584 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB959D000 C:\WINDOWS\system32\DRIVERS\ialmnt5.sys 1368064 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0xA902D000 C:\WINDOWS\system32\drivers\sthda.sys 1114112 bytes (SigmaTel, Inc., NDRC)
0xA8EDA000 C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys 1036288 bytes (Conexant Systems, Inc., HSF_DP driver)
0xBF077000 C:\WINDOWS\System32\ialmdd5.DLL 925696 bytes (Intel Corporation, DirectDraw® Driver for Intel® Graphics Technology)
0xB93BF000 C:\WINDOWS\system32\DRIVERS\btkrnl.sys 835584 bytes (Broadcom Corporation., Bluetooth Bus Enumerator)
0xA8E2A000 C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 720896 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xB9E32000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xA80A9000 C:\WINDOWS\System32\Drivers\wdf01000.sys 462848 bytes (Microsoft Corporation, Kernel Mode Driver Framework Runtime)
0xA7E4A000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB9241000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xA801D000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA71B3000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xB9D98000 mfehidk.sys 339968 bytes (McAfee, Inc., McAfee Link Driver)
0xB94DD000 C:\WINDOWS\system32\DRIVERS\rixdptsk.sys 311296 bytes (REDC, RICOH XD SM Driver)
0xBF159000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xA725B000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xBF042000 C:\WINDOWS\System32\ialmdev5.DLL 217088 bytes (Intel Corporation, Component GHAL Driver)
0xA8FD7000 C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys 204800 bytes (Conexant Systems, Inc., HSF_HWAZL WDM driver)
0xB92C7000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xB94AE000 C:\WINDOWS\system32\DRIVERS\SynTP.sys 192512 bytes (Synaptics, Inc., Synaptics Touchpad Driver)
0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xA738C000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB9E05000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xA7EE2000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB9561000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xA7FCF000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB9F23000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xA7FF7000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xA4578000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xA9009000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB953D000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB948B000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xA7FAD000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xBF020000 C:\WINDOWS\System32\ialmdnt5.dll 139264 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0x806E5000 ACPI_HAL 134400 bytes
0x806E5000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB9EEB000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB9F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xA45BB000 C:\WINDOWS\system32\DRIVERS\btwdndis.sys 122880 bytes (Broadcom Corporation., Bluetooth LAN Access Server Driver)
0xB9DEB000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xA7C7D000 C:\WINDOWS\system32\dla\tfsnudf.sys 102400 bytes (Sonic Solutions, Drive Letter Access Component)
0xA7C64000 C:\WINDOWS\system32\dla\tfsnudfa.sys 102400 bytes (Sonic Solutions, Drive Letter Access Component)
0xB9F0B000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xA7E14000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xB9EBF000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB93A8000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xA7C96000 C:\WINDOWS\system32\dla\tfsnifs.sys 90112 bytes (Sonic Solutions, Drive Letter Access Component)
0xB9ED6000 drvmcdb.sys 86016 bytes (Sonic Solutions, Device Driver)
0xA6AD5000 C:\WINDOWS\system32\drivers\mfeavfk.sys 86016 bytes (McAfee, Inc., Anti-Virus File System Filter Driver)
0xA792F000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB9529000 C:\WINDOWS\system32\DRIVERS\sdbus.sys 81920 bytes (Microsoft Corporation, SecureDigital Bus Driver)
0xB9589000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xA8076000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xA45D9000 C:\WINDOWS\system32\drivers\mfeapfk.sys 69632 bytes (McAfee, Inc., Access Protection Filter Driver)
0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB9397000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xBA308000 C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys 65536 bytes (Broadcom Corporation, Broadcom Corporation NDIS 5.1 ethernet driver)
0xA6FFB000 C:\WINDOWS\System32\Drivers\btwusb.sys 65536 bytes (Broadcom Corporation., Driver for Bluetooth USB Devices)
0xB9357000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xBA158000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA178000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xBA108000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xBA298000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xBA1F8000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xBA168000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xBA2E8000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xBA208000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA118000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xBF012000 C:\WINDOWS\System32\ialmrnt5.dll 57344 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0xBA258000 C:\WINDOWS\system32\drivers\mfetdik.sys 57344 bytes (McAfee, Inc., Anti-Virus Mini-Firewall Driver)
0xBA238000 C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS 57344 bytes (Microsoft Corporation, Kernel Mode Driver Framework Loader)
0xBA0E8000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA138000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xBA188000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xBA318000 C:\WINDOWS\system32\DRIVERS\rimsptsk.sys 53248 bytes (REDC, RICOH MS Driver)
0xBA0C8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xBA1A8000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xBA2A8000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA148000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xBA0B8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xBA198000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xBA228000 C:\WINDOWS\system32\DRIVERS\dc3d.sys 40960 bytes (Microsoft Corporation, Filter Driver for Identification of Microsoft Hardware Wireless Mouse and Keyboard Device Models)
0xBA2D8000 C:\WINDOWS\system32\drivers\drvnddm.sys 40960 bytes (Sonic Solutions, Device Driver Manager)
0xBA0A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xBA1D8000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xBA1C8000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xBA0D8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xBA248000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xBA2F8000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xA46AC000 C:\WINDOWS\system32\drivers\mfebopk.sys 36864 bytes (McAfee, Inc., Buffer Overflow Protection Driver)
0xBA1B8000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xBA278000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xA7BBC000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xBA2B8000 C:\WINDOWS\system32\DRIVERS\point32.sys 36864 bytes (Microsoft Corporation, Point32k.sys)
0xBA0F8000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xB9387000 C:\WINDOWS\system32\dla\tfsncofs.sys 36864 bytes (Sonic Solutions, Drive Letter Access Component)
0xBA268000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xBA438000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xBA468000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xBA3F8000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xA65C7000 C:\WINDOWS\system32\DRIVERS\btport.sys 28672 bytes (Broadcom Corporation., Bluetooth BTPORT Driver for Windows 2000)
0xBA440000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xBA328000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xBA400000 C:\WINDOWS\system32\DRIVERS\rimmptsk.sys 28672 bytes (REDC, RICOH MMC Driver)
0xBA368000 C:\WINDOWS\system32\dla\tfsnboio.sys 28672 bytes (Sonic Solutions, Drive Letter Access Component)
0xBA3E8000 C:\WINDOWS\system32\drivers\btserial.sys 24576 bytes (Broadcom Corporation., Bluetooth Serial Driver for Windows 2000)
0xBA410000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xBA408000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xBA450000 C:\WINDOWS\system32\drivers\ssrtln.sys 24576 bytes (Sonic Solutions, Shared Driver Component)
0xBA3F0000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xBA458000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xBA380000 C:\WINDOWS\system32\DRIVERS\AegisP.sys 20480 bytes (Meetinghouse Data Communications, IEEE 802.1X Protocol Driver)
0xBA460000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBA430000 C:\WINDOWS\system32\DRIVERS\omci.sys 20480 bytes (Dell Inc, OMCI Device Driver)
0xBA330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xBA420000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xBA428000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xBA418000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xBA4A8000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xB92A7000 C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS 16384 bytes (Dell Inc, App Support Driver)
0xBA4C0000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xBA598000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xA6ECB000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB9D54000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xA7CB8000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xA4C1E000 C:\WINDOWS\system32\DRIVERS\NuidFltr.sys 16384 bytes (Microsoft Corporation, Filter Driver for Microsoft Hardware HID Non-User Input Data)
0xA7CE4000 C:\WINDOWS\system32\DRIVERS\s24trans.sys 16384 bytes (Intel Corporation, Intel WLAN Packet Driver)
0xA7D3C000 C:\WINDOWS\system32\dla\tfsnopio.sys 16384 bytes (Sonic Solutions, Drive Letter Access Component)
0xBA4B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xBA4BC000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xA811E000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xBA57C000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xBA578000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes (Microsoft Corporation, I2O Utility Filter)
0xA7344000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 12288 bytes (Conexant, Diagnostic Interface DRIVER)
0xB92AB000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB9D70000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xBA584000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xA46A4000 C:\WINDOWS\system32\DRIVERS\sffdisk.sys 12288 bytes (Microsoft Corporation, Small Form Factor Disk Driver)
0xA4DE9000 C:\WINDOWS\system32\DRIVERS\sffp_sd.sys 12288 bytes (Microsoft Corporation, Small Form Factor SD Protocol Driver)
0xBA594000 C:\WINDOWS\system32\DRIVERS\wmiacpi.sys 12288 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0xBA608000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBA664000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xBA606000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xBA628000 C:\WINDOWS\System32\Drivers\hiber_WMILIB.SYS 8192 bytes
0xBA5A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xBA60A000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xBA60C000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBA5F0000 C:\WINDOWS\system32\drivers\sscdbhk5.sys 8192 bytes (Sonic Solutions, Shared Driver Component)
0xBA5F2000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xBA66A000 C:\WINDOWS\system32\dla\tfsnpool.sys 8192 bytes (Sonic Solutions, Drive Letter Access Component)
0xBA5EE000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBA5AA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBA778000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xBA755000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xBA6BE000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xBA670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xBA7D8000 C:\WINDOWS\system32\dla\tfsndrct.sys 4096 bytes (Sonic Solutions, Drive Letter Access Component)
0xBA7D7000 C:\WINDOWS\system32\dla\tfsndres.sys 4096 bytes (Sonic Solutions, Drive Letter Access Component)
==============================================
>Stealth
==============================================
0xA464B6E8 Unknown thread object [ ETHREAD 0x89242820 ] , 600 bytes
0xA464B6E8 Unknown thread object [ ETHREAD 0x890F1928 ] , 600 bytes
0xA6AEA6E8 Unknown thread object [ ETHREAD 0x899C9DA8 ] , 600 bytes
0xA4BF56E8 Unknown thread object [ ETHREAD 0x8A78F910 ] , 600 bytes
0xA47536E8 Unknown thread object [ ETHREAD 0x8931B720 ] , 600 bytes
0xA46126E8 Unknown thread object [ ETHREAD 0x89276A80 ] , 600 bytes

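As an added, defender-side example that is not from the original thread: a small Python triage script for the RKU report format posted above. It parses the >Drivers and >Stealth sections and pulls out what a helper reviewing the log looks at first (images with no version info, images loaded from outside C:\WINDOWS, base addresses shared by several names, and the "Unknown thread object" entries); the C:\Temp\constructed_example.sys line in the embedded sample is made up for illustration, everything else in the sample is copied from the report.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

# The two line shapes in an RkUnhooker (RKU) report, copied from the log above:
#   0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2154496 bytes (Microsoft Corporation, NT Kernel & System)
#   0xA464B6E8 Unknown thread object [ ETHREAD 0x89242820 ] , 600 bytes
DRIVER_RE = re.compile(r"^(0x[0-9A-Fa-f]+)\s+(\S+)\s+(\d+)\s+bytes(?:\s+\((.*)\))?$")
THREAD_RE = re.compile(r"^(0x[0-9A-Fa-f]+)\s+Unknown thread object\s+\[\s*ETHREAD\s+(0x[0-9A-Fa-f]+)\s*\]\s*,\s*(\d+)\s+bytes$")

# Names RKU prints without version info on XP that are expected: kernel pseudo-modules,
# plus the crash-dump / hibernation copies of the storage stack (dump_*, hiber_*).
EXPECTED_NO_VERSION = {"pnpmanager", "raw", "wmixwdm", "acpi_hal", "win32k"}


class Driver(NamedTuple):
    base: int
    image: str                  # full path, or a bare module name when RKU found no file
    size: int
    vendor: Optional[str]       # None when the "(Vendor, Description)" part is absent
    description: Optional[str]


class UnknownThread(NamedTuple):
    obj: int                    # address RKU printed for the object
    ethread: int                # ETHREAD address shown in brackets
    size: int


def parse_rku(text: str) -> Tuple[List[Driver], List[UnknownThread]]:
    """Parse the >Drivers and >Stealth sections of an RKU report."""
    section, drivers, threads = None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            continue
        if line.startswith(">"):                # section header such as ">Drivers"
            section = line[1:].strip().lower()
            continue
        m = DRIVER_RE.match(line) if section == "drivers" else None
        if m:
            base, image, size, info = m.groups()
            if info is None:
                vendor = desc = None
            elif ", " in info:                  # "(Vendor, Description)"
                vendor, desc = info.split(", ", 1)
            else:                               # e.g. "(RKU Driver)": description only
                vendor, desc = None, info
            drivers.append(Driver(int(base, 16), image, int(size), vendor, desc))
            continue
        m = THREAD_RE.match(line) if section == "stealth" else None
        if m:
            obj, eth, size = m.groups()
            threads.append(UnknownThread(int(obj, 16), int(eth, 16), int(size)))
    return drivers, threads


def triage(drivers: List[Driver], threads: List[UnknownThread]) -> Dict[str, object]:
    """Pull out the entries a reviewer of the log would look at first."""
    by_base, unidentified, outside = defaultdict(list), [], []
    for d in drivers:
        by_base[d.base].append(d.image)
        name = d.image.rsplit("\\", 1)[-1].lower()
        expected = name in EXPECTED_NO_VERSION or name.startswith(("dump_", "hiber_"))
        if d.vendor is None and d.description is None and not expected:
            unidentified.append(d.image)
        if "\\" in d.image and not d.image.lower().startswith("c:\\windows\\"):
            outside.append(d.image)
    return {
        # Several names at one base is how RKU lists the kernel's pseudo-modules
        # (ntkrnlpa.exe / PnpManager / RAW / WMIxWDM all share 0x804D7000 above);
        # each such group should anchor on one real, vendor-identified image.
        "shared_bases": {hex(b): n for b, n in by_base.items() if len(n) > 1},
        "no_version_info": unidentified,
        "outside_windows_dir": outside,
        "unknown_thread_count": len(threads),
        "unknown_thread_sizes": sorted({t.size for t in threads}),
    }


# Constructed sample: lines copied from the report above plus one made-up driver line
# (C:\Temp\constructed_example.sys) to show how an unidentified image gets flagged.
SAMPLE_REPORT = r"""
>Drivers
==============================================
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2154496 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2154496 bytes
0xA7E14000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xA7BBC000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xB9F23000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xA4000000 C:\Temp\constructed_example.sys 20480 bytes
>Stealth
==============================================
0xA464B6E8 Unknown thread object [ ETHREAD 0x89242820 ] , 600 bytes
0xA6AEA6E8 Unknown thread object [ ETHREAD 0x899C9DA8 ] , 600 bytes
"""


def run_sample() -> Dict[str, object]:
    return triage(*parse_rku(SAMPLE_REPORT))
```

Pointing parse_rku at a full RKU report pasted into a file gives the same findings dict for the whole >Drivers list; an empty no_version_info and outside_windows_dir list does not clear the machine on its own, it only narrows what is left to check by hand.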

#2 rigacci (Fiorentino, Members, 2,604 posts)

Posted 11 July 2011 - 07:36 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully, please provide detailed information about your installed Windows Operating System, including the Version, Edition and whether it is a 32-bit or a 64-bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log



Thanks and again sorry for the delay.

DR

#3 ricknorth (Topic Starter, Members, 110 posts)

Posted 13 July 2011 - 04:12 AM

Thanks Fiorentino,
OK, my computer seems to be slow, and I ran RKU to see if perhaps there was any suspicious rootkit activity. This WinXP SP3 Dell E1505 laptop is "on probation" in my mind, ever since a bad infection earlier this year was apparently cleared. I still don't trust it with doing financial work. With key strokes seeming to take more time than they should (type, and it sometimes takes a second or a few for the words to appear, etc.), I ran RKU and it found several 600 byte "unknown threads" and finished with a statement "possible rootkit activity!". That's why I'm asking for help in seeing if this computer is indeed still infected. I have not clicked on any suspicious email links or gone to any suspicious websites that I am aware of.

Here is the DDS scan

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_26
Run by Cabrillo College at 1:52:10 on 2011-07-13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.922 [GMT -7:00]
.
AV: McAfee VirusScan Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Adobe\Adobe Photoshop CS2\Photoshop.exe
C:\DOCUME~1\CABRIL~1\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\CABRIL~1\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Macromedia\Dreamweaver 8\Dreamweaver.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.cabrillo.edu/~rnolthenius/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\cabril~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170703230359
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 208.67.222.222 208.67.222.220
TCP: Interfaces\{B5F38913-1403-4EEB-B61A-13CC838352CE} : NameServer = 208.67.222.222,208.67.222.220
TCP: Interfaces\{B5F38913-1403-4EEB-B61A-13CC838352CE} : DhcpNameServer = 208.67.222.222 208.67.222.220
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\cabrillo college\application data\mozilla\firefox\profiles\sdugaw7o.default\
FF - prefs.js: browser.startup.homepage - hxxp://bigcharts.marketwatch.com/advchart/frames/frames.asp?symb=ndx&insttype=&time=7&freq=1
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
FF - Ext: Clear Cache Button: {563e4790-7e70-11da-a72b-0800200c9a66} - %profile%\extensions\{563e4790-7e70-11da-a72b-0800200c9a66}
FF - Ext: ReminderFox: {ada4b710-8346-4b82-8199-5de2b400a6ae} - %profile%\extensions\{ada4b710-8346-4b82-8199-5de2b400a6ae}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-4-14 344712]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2010-10-22 22816]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-8-25 103744]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2011-4-14 99328]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2010-10-22 147984]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2010-10-22 66880]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-1-31 69192]
R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\drivers\dc3d.sys [2011-5-24 44416]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-4-14 91896]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-4-14 43192]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-29 136176]
S2 sbigudrv;sbigudrv;c:\windows\system32\drivers\sbigudrv.sys [2008-3-15 12800]
S2 SBIGULDR;SBIG USB Loader (sbiguldr.sys);c:\windows\system32\drivers\sbiguldr.sys [2011-4-14 31232]
S2 SBIGUSBE;SBIG USB Driver (sbigusbe.sys);c:\windows\system32\drivers\sbigusbe.sys [2011-4-14 13824]
S3 FastLynx;FastLynx;c:\program files\fastlynx\FastLynx.sys [2002-12-27 2987]
S3 FXUSB;FastLynx USB 2.0 Bridge Cable Driver;c:\windows\system32\drivers\FxUsb.sys [2011-4-14 14080]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-11-29 136176]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-4-14 66536]
.
=============== Created Last 30 ================
.
2011-07-11 04:02:14 480519 ----a-w- C:\tri.exe
2011-07-11 03:23:00 10 ----a-w- C:\Q.BAT
2011-07-03 06:37:11 696320 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iKernel.dll
2011-07-03 06:37:11 57344 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\ctor.dll
2011-07-03 06:37:11 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\DotNetInstaller.exe
2011-07-03 06:37:11 237568 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iscript.dll
2011-07-03 06:37:11 155648 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iuser.dll
2011-07-03 06:37:10 282756 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\setup.dll
2011-07-03 06:37:10 163972 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iGdi.dll
2011-06-14 23:20:22 105472 ------w- c:\windows\system32\dllcache\mup.sys
.
==================== Find3M ====================
.
2011-06-26 18:33:48 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-23 06:03:57 1409 ----a-w- c:\windows\QTFont.for
2011-05-04 11:52:22 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 09:25:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 15:51:58 832512 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 15:51:57 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-04-25 15:51:57 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 15:51:57 17408 ----a-w- c:\windows\system32\corpol.dll
2011-04-25 12:01:21 389120 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
============= FINISH: 1:52:44.71 ===============

and here is the GMER log (which my laptop took several hours of time in order to produce!)

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-07-13 01:45:11
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Hitachi_HTS541612J9SA00 rev.SBDOC74P
Running: gmer.exe; Driver: C:\DOCUME~1\CABRIL~1\LOCALS~1\Temp\aglcipod.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9DB99A6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0xB9DB9940]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB9DB9954]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9DB99BA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9DB99E6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB9DB9A54]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB9DB9A3E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwLoadKey2 [0xB9DB9A6A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9DB9AFE]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB9DB9A96]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9DB9992]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9DB9904]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9DB9918]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryKey [0xB9DB9AD2]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB9DB9A28]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB9DB9A12]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9DB99D0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwReplaceKey [0xB9DB9ABE]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRestoreKey [0xB9DB9AAA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0xB9DB997E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB9DB996A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9DB99FC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9DB9B2D]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnloadKey [0xB9DB9A80]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9DB9B14]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9DB9AE8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504B08 7 Bytes JMP B9DB9AEC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B203A 7 Bytes JMP B9DB9B02 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E48 5 Bytes JMP B9DB9B18 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB440 5 Bytes JMP B9DB9908 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB6CC 5 Bytes JMP B9DB991C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE8A 5 Bytes JMP B9DB996E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D117A 7 Bytes JMP B9DB9958 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D1230 5 Bytes JMP B9DB9944 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D173A 5 Bytes JMP B9DB9982 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29E2 5 Bytes JMP B9DB9B31 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 80622314 7 Bytes JMP B9DB9A16 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80622662 7 Bytes JMP B9DB9A00 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 8062298C 7 Bytes JMP B9DB9A84 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 8062323E 7 Bytes JMP B9DB9A2C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80623B12 7 Bytes JMP B9DB99D4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806240F0 5 Bytes JMP B9DB99AA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8062458C 7 Bytes JMP B9DB99BE mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8062475C 7 Bytes JMP B9DB99EA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 8062493C 7 Bytes JMP B9DB9A58 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 80624BA6 7 Bytes JMP B9DB9A42 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 806254CE 5 Bytes JMP B9DB9996 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80625810 7 Bytes JMP B9DB9AD6 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 80625AD0 5 Bytes JMP B9DB9AAE mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwLoadKey2 80625F20 7 Bytes JMP B9DB9A6E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 806261C4 5 Bytes JMP B9DB9AC2 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 806262DE 5 Bytes JMP B9DB9A9A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
? System32\Drivers\hiber_WMILIB.SYS The system cannot find the path specified. !
? C:\DOCUME~1\CABRIL~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\services.exe[836] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 012D0FEF
.text C:\WINDOWS\system32\services.exe[836] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 012D0014
.text C:\WINDOWS\system32\services.exe[836] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 012D0FDE
.text C:\WINDOWS\system32\services.exe[836] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 012C0FE5
.text C:\WINDOWS\system32\services.exe[836] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 012C0064
.text C:\WINDOWS\system32\services.exe[836] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 012C0F6F
.text C:\WINDOWS\system32\services.exe[836] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 012C0F8A
.text C:\WINDOWS\system32\services.exe[836] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 012C0F9B
.text C:\WINDOWS\system32\services.exe[836] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 012C003D
.text C:\WINDOWS\system32\services.exe[836] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 012C0F43
.text C:\WINDOWS\system32\services.exe[836] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 012C007F
.text C:\WINDOWS\system32\services.exe[836] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 012C0F0D
.text C:\WINDOWS\system32\services.exe[836] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 012C0F28
.text C:\WINDOWS\system32\services.exe[836] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 012C0EFC
.text C:\WINDOWS\system32\services.exe[836] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 012C0FB6
.text C:\WINDOWS\system32\services.exe[836] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 012C0000
.text C:\WINDOWS\system32\services.exe[836] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 012C0F54
.text C:\WINDOWS\system32\services.exe[836] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 012C002C
.text C:\WINDOWS\system32\services.exe[836] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 012C0011
.text C:\WINDOWS\system32\services.exe[836] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 012C00A6
.text C:\WINDOWS\system32\services.exe[836] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 012B0047
.text C:\WINDOWS\system32\services.exe[836] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 012B0FC7
.text C:\WINDOWS\system32\services.exe[836] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 012B002C
.text C:\WINDOWS\system32\services.exe[836] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 012B0011
.text C:\WINDOWS\system32\services.exe[836] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 012B0084
.text C:\WINDOWS\system32\services.exe[836] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 012B0000
.text C:\WINDOWS\system32\services.exe[836] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 012B0073
.text C:\WINDOWS\system32\services.exe[836] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 012B0062
.text C:\WINDOWS\system32\services.exe[836] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 012A0031
.text C:\WINDOWS\system32\services.exe[836] msvcrt.dll!system 77C293C7 5 Bytes JMP 012A0FA6
.text C:\WINDOWS\system32\services.exe[836] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 012A0FD2
.text C:\WINDOWS\system32\services.exe[836] msvcrt.dll!_open 77C2F566 5 Bytes JMP 012A0000
.text C:\WINDOWS\system32\services.exe[836] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 012A0FC1
.text C:\WINDOWS\system32\services.exe[836] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 012A0FE3
.text C:\WINDOWS\system32\services.exe[836] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\lsass.exe[848] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00FD0000
.text C:\WINDOWS\system32\lsass.exe[848] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00FD0036
.text C:\WINDOWS\system32\lsass.exe[848] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FD0025
.text C:\WINDOWS\system32\lsass.exe[848] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E40FEF
.text C:\WINDOWS\system32\lsass.exe[848] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E40F5C
.text C:\WINDOWS\system32\lsass.exe[848] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E40F77
.text C:\WINDOWS\system32\lsass.exe[848] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E40F94
.text C:\WINDOWS\system32\lsass.exe[848] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E40051
.text C:\WINDOWS\system32\lsass.exe[848] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E40FB9
.text C:\WINDOWS\system32\lsass.exe[848] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E40087
.text C:\WINDOWS\system32\lsass.exe[848] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E40F4B
.text C:\WINDOWS\system32\lsass.exe[848] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E400A2
.text C:\WINDOWS\system32\lsass.exe[848] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E40F09
.text C:\WINDOWS\system32\lsass.exe[848] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E40EEE
.text C:\WINDOWS\system32\lsass.exe[848] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E40040
.text C:\WINDOWS\system32\lsass.exe[848] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E40FDE
.text C:\WINDOWS\system32\lsass.exe[848] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E40076
.text C:\WINDOWS\system32\lsass.exe[848] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E4002F
.text C:\WINDOWS\system32\lsass.exe[848] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E40014
.text C:\WINDOWS\system32\lsass.exe[848] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E40F1A
.text C:\WINDOWS\system32\lsass.exe[848] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E30025
.text C:\WINDOWS\system32\lsass.exe[848] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E30F83
.text C:\WINDOWS\system32\lsass.exe[848] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E30FD4
.text C:\WINDOWS\system32\lsass.exe[848] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E3000A
.text C:\WINDOWS\system32\lsass.exe[848] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E30F94
.text C:\WINDOWS\system32\lsass.exe[848] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E30FEF
.text C:\WINDOWS\system32\lsass.exe[848] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00E30040
.text C:\WINDOWS\system32\lsass.exe[848] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E30FC3
.text C:\WINDOWS\system32\lsass.exe[848] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E20FC0
.text C:\WINDOWS\system32\lsass.exe[848] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E2004B
.text C:\WINDOWS\system32\lsass.exe[848] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E20029
.text C:\WINDOWS\system32\lsass.exe[848] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E2000C
.text C:\WINDOWS\system32\lsass.exe[848] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E2003A
.text C:\WINDOWS\system32\lsass.exe[848] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E20FEF
.text C:\WINDOWS\system32\lsass.exe[848] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C10FEF
.text C:\WINDOWS\system32\svchost.exe[1044] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C40FEF
.text C:\WINDOWS\system32\svchost.exe[1044] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C40FDE
.text C:\WINDOWS\system32\svchost.exe[1044] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C4000A
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C3000A
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C3006C
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C30F77
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C30F94
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C30051
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C30036
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C30F35
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C3007D
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C300BA
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C300A9
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C300D5
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C30FA5
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C30FE5
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C30F5C
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C30025
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C30FD4
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C30098
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C20FEF
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C2006C
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C20040
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C2001B
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C20FAF
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C20000
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C2005B
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C20FDE
.text C:\WINDOWS\system32\svchost.exe[1044] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C10F9A
.text C:\WINDOWS\system32\svchost.exe[1044] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C10025
.text C:\WINDOWS\system32\svchost.exe[1044] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C10FC6
.text C:\WINDOWS\system32\svchost.exe[1044] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C10FEF
.text C:\WINDOWS\system32\svchost.exe[1044] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C10FAB
.text C:\WINDOWS\system32\svchost.exe[1044] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C10000
.text C:\WINDOWS\system32\svchost.exe[1044] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C00FEF
.text C:\WINDOWS\system32\svchost.exe[1092] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F80FEF
.text C:\WINDOWS\system32\svchost.exe[1092] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F80FDE
.text C:\WINDOWS\system32\svchost.exe[1092] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F8000A
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F70FEF
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F70F57
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F70F72
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F70040
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F70F8D
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F70FA8
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F7008E
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F70F46
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F70F35
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F700C4
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F700E9
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F7002F
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F7000A
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F70071
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F70FB9
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F70FD4
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F700B3
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F60036
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F60062
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F60FE5
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F6001B
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F60FA5
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F6000A
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F60FC0
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [16, 89]
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F60051
.text C:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F50FB9
.text C:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F50044
.text C:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F50FD4
.text C:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F50FEF
.text C:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F50029
.text C:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F50018
.text C:\WINDOWS\system32\svchost.exe[1092] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F40FE5
.text C:\WINDOWS\System32\svchost.exe[1236] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 03060FEF
.text C:\WINDOWS\System32\svchost.exe[1236] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 03060014
.text C:\WINDOWS\System32\svchost.exe[1236] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 03060FDE
.text C:\WINDOWS\System32\svchost.exe[1236] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03050FEF
.text C:\WINDOWS\System32\svchost.exe[1236] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03050F68
.text C:\WINDOWS\System32\svchost.exe[1236] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03050F83
.text C:\WINDOWS\System32\svchost.exe[1236] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03050051
.text C:\WINDOWS\System32\svchost.exe[1236] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03050F9E
.text C:\WINDOWS\System32\svchost.exe[1236] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0305001B
.text C:\WINDOWS\System32\svchost.exe[1236] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 030500A4
.text C:\WINDOWS\System32\svchost.exe[1236] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 03050089
.text C:\WINDOWS\System32\svchost.exe[1236] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 03050F2D
.text C:\WINDOWS\System32\svchost.exe[1236] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 030500C6
.text C:\WINDOWS\System32\svchost.exe[1236] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 03050F12
.text C:\WINDOWS\System32\svchost.exe[1236] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 03050040
.text C:\WINDOWS\System32\svchost.exe[1236] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 03050FCA
.text C:\WINDOWS\System32\svchost.exe[1236] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 03050078
.text C:\WINDOWS\System32\svchost.exe[1236] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0305000A
.text C:\WINDOWS\System32\svchost.exe[1236] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 03050FB9
.text C:\WINDOWS\System32\svchost.exe[1236] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 030500B5
.text C:\WINDOWS\System32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0304002C
.text C:\WINDOWS\System32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03040098
.text C:\WINDOWS\System32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 03040FE5
.text C:\WINDOWS\System32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0304001B
.text C:\WINDOWS\System32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0304007D
.text C:\WINDOWS\System32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0304000A
.text C:\WINDOWS\System32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 03040062
.text C:\WINDOWS\System32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 03040051
.text C:\WINDOWS\System32\svchost.exe[1236] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0303004C
.text C:\WINDOWS\System32\svchost.exe[1236] msvcrt.dll!system 77C293C7 5 Bytes JMP 03030FB7
.text C:\WINDOWS\System32\svchost.exe[1236] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0303001D
.text C:\WINDOWS\System32\svchost.exe[1236] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03030000
.text C:\WINDOWS\System32\svchost.exe[1236] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 03030FD2
.text C:\WINDOWS\System32\svchost.exe[1236] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 03030FE3
.text C:\WINDOWS\System32\svchost.exe[1236] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02E50000
.text C:\WINDOWS\System32\svchost.exe[1236] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 02E40FEF
.text C:\WINDOWS\System32\svchost.exe[1236] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 02E40FCA
.text C:\WINDOWS\System32\svchost.exe[1236] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 02E40FB9
.text C:\WINDOWS\System32\svchost.exe[1236] WININET.dll!InternetOpenUrlW 3D998471 5 Bytes JMP 02E4000A
.text C:\WINDOWS\system32\svchost.exe[1428] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BE0FE5
.text C:\WINDOWS\system32\svchost.exe[1428] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BE0000
.text C:\WINDOWS\system32\svchost.exe[1428] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BE0FD4
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BD0FE5
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BD0F74
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BD0F85
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BD0069
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BD0058
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BD002C
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BD0090
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BD0F48
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BD0F0B
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BD0F1C
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BD0EFA
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BD003D
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BD0F59
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BD0FC0
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BD001B
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BD0F2D
.text C:\WINDOWS\system32\svchost.exe[1428] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0093003D
.text C:\WINDOWS\system32\svchost.exe[1428] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00930FAC
.text C:\WINDOWS\system32\svchost.exe[1428] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0093002C
.text C:\WINDOWS\system32\svchost.exe[1428] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00930011
.text C:\WINDOWS\system32\svchost.exe[1428] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00930FC7
.text C:\WINDOWS\system32\svchost.exe[1428] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930000
.text C:\WINDOWS\system32\svchost.exe[1428] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0093005F
.text C:\WINDOWS\system32\svchost.exe[1428] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0093004E
.text C:\WINDOWS\system32\svchost.exe[1428] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920F89
.text C:\WINDOWS\system32\svchost.exe[1428] msvcrt.dll!system 77C293C7 5 Bytes JMP 00920FA4
.text C:\WINDOWS\system32\svchost.exe[1428] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00920FC6
.text C:\WINDOWS\system32\svchost.exe[1428] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920FEF
.text C:\WINDOWS\system32\svchost.exe[1428] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00920FB5
.text C:\WINDOWS\system32\svchost.exe[1428] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00920000
.text C:\WINDOWS\system32\svchost.exe[1428] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00900000
.text C:\WINDOWS\system32\svchost.exe[1428] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00900011
.text C:\WINDOWS\system32\svchost.exe[1428] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00900FD1
.text C:\WINDOWS\system32\svchost.exe[1428] WININET.dll!InternetOpenUrlW 3D998471 5 Bytes JMP 00900FC0
.text C:\WINDOWS\system32\svchost.exe[1428] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00910000
.text C:\WINDOWS\system32\svchost.exe[1508] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00810FEF
.text C:\WINDOWS\system32\svchost.exe[1508] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00810025
.text C:\WINDOWS\system32\svchost.exe[1508] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00810014
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00800FEF
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00800080
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0080006F
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0080005E
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00800FA1
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00800FC3
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00800F5A
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 008000AC
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00800F2E
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 008000BD
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 008000E2
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00800FB2
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00800FDE
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00800091
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0080002F
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00800014
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00800F49
.text C:\WINDOWS\system32\svchost.exe[1508] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007F001B
.text C:\WINDOWS\system32\svchost.exe[1508] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007F0051
.text C:\WINDOWS\system32\svchost.exe[1508] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007F0FD4
.text C:\WINDOWS\system32\svchost.exe[1508] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007F0000
.text C:\WINDOWS\system32\svchost.exe[1508] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 007F0F94
.text C:\WINDOWS\system32\svchost.exe[1508] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 007F0FE5
.text C:\WINDOWS\system32\svchost.exe[1508] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 007F0036
.text C:\WINDOWS\system32\svchost.exe[1508] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 007F0FAF
.text C:\WINDOWS\system32\svchost.exe[1508] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007E0FB4
.text C:\WINDOWS\system32\svchost.exe[1508] msvcrt.dll!system 77C293C7 5 Bytes JMP 007E003F
.text C:\WINDOWS\system32\svchost.exe[1508] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007E001D
.text C:\WINDOWS\system32\svchost.exe[1508] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007E0FEF
.text C:\WINDOWS\system32\svchost.exe[1508] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007E002E
.text C:\WINDOWS\system32\svchost.exe[1508] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007E000C
.text C:\WINDOWS\system32\svchost.exe[1508] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007D000A
.text C:\WINDOWS\system32\svchost.exe[1540] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00A5000A
.text C:\WINDOWS\system32\svchost.exe[1540] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00A5001B
.text C:\WINDOWS\system32\svchost.exe[1540] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A50FE5
.text C:\WINDOWS\system32\svchost.exe[1540] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A00000
.text C:\WINDOWS\system32\svchost.exe[1540] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A00081
.text C:\WINDOWS\system32\svchost.exe[1540] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A00F8C
.text C:\WINDOWS\system32\svchost.exe[1540] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A00070
.text C:\WINDOWS\system32\svchost.exe[1540] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A0005F
.text C:\WINDOWS\system32\svchost.exe[1540] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A0003D
.text C:\WINDOWS\system32\svchost.exe[1540] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A00F67
.text C:\WINDOWS\system32\svchost.exe[1540] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A000AF
.text C:\WINDOWS\system32\svchost.exe[1540] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A00F2A
.text C:\WINDOWS\system32\svchost.exe[1540] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A00F3B
.text C:\WINDOWS\system32\svchost.exe[1540] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A000E8
.text C:\WINDOWS\system32\svchost.exe[1540] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A0004E
.text C:\WINDOWS\system32\svchost.exe[1540] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A00FE5
.text C:\WINDOWS\system32\svchost.exe[1540] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A00092
.text C:\WINDOWS\system32\svchost.exe[1540] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A0002C
.text C:\WINDOWS\system32\svchost.exe[1540] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A0001B
.text C:\WINDOWS\system32\svchost.exe[1540] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A00F56
.text C:\WINDOWS\system32\svchost.exe[1540] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009F0040
.text C:\WINDOWS\system32\svchost.exe[1540] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009F00A5
.text C:\WINDOWS\system32\svchost.exe[1540] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009F0FEF
.text C:\WINDOWS\system32\svchost.exe[1540] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009F0025
.text C:\WINDOWS\system32\svchost.exe[1540] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009F0FDE
.text C:\WINDOWS\system32\svchost.exe[1540] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009F000A
.text C:\WINDOWS\system32\svchost.exe[1540] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 009F0076
.text C:\WINDOWS\system32\svchost.exe[1540] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009F005B
.text C:\WINDOWS\system32\svchost.exe[1540] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009E007A
.text C:\WINDOWS\system32\svchost.exe[1540] msvcrt.dll!system 77C293C7 5 Bytes JMP 009E005F
.text C:\WINDOWS\system32\svchost.exe[1540] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009E003A
.text C:\WINDOWS\system32\svchost.exe[1540] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009E000C
.text C:\WINDOWS\system32\svchost.exe[1540] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009E0FEF
.text C:\WINDOWS\system32\svchost.exe[1540] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009E001D
.text C:\WINDOWS\system32\svchost.exe[1540] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009D000A
.text C:\WINDOWS\Explorer.EXE[1976] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0201000A
.text C:\WINDOWS\Explorer.EXE[1976] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 02010FE5
.text C:\WINDOWS\Explorer.EXE[1976] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0201001B
.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01700000
.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01700F5A
.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01700F6B
.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01700F7C
.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01700F97
.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01700FB9
.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01700F22
.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0170006A
.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 017000B1
.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 017000A0
.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 017000C2
.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01700FA8
.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01700FEF
.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01700F3F
.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01700FCA
.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0170001B
.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0170008F
.text C:\WINDOWS\Explorer.EXE[1976] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 016F002C
.text C:\WINDOWS\Explorer.EXE[1976] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 016F0F9B
.text C:\WINDOWS\Explorer.EXE[1976] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 016F0FDB
.text C:\WINDOWS\Explorer.EXE[1976] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 016F001B
.text C:\WINDOWS\Explorer.EXE[1976] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 016F0058
.text C:\WINDOWS\Explorer.EXE[1976] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 016F0000
.text C:\WINDOWS\Explorer.EXE[1976] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 016F0FB6
.text C:\WINDOWS\Explorer.EXE[1976] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [8F, 89]
.text C:\WINDOWS\Explorer.EXE[1976] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 016F0047
.text C:\WINDOWS\Explorer.EXE[1976] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 016E0042
.text C:\WINDOWS\Explorer.EXE[1976] msvcrt.dll!system 77C293C7 5 Bytes JMP 016E0FB7
.text C:\WINDOWS\Explorer.EXE[1976] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 016E0FE3
.text C:\WINDOWS\Explorer.EXE[1976] msvcrt.dll!_open 77C2F566 5 Bytes JMP 016E0000
.text C:\WINDOWS\Explorer.EXE[1976] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 016E0FD2
.text C:\WINDOWS\Explorer.EXE[1976] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 016E001D
.text C:\WINDOWS\Explorer.EXE[1976] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 01570FE5
.text C:\WINDOWS\Explorer.EXE[1976] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 01570FD4
.text C:\WINDOWS\Explorer.EXE[1976] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 01570014
.text C:\WINDOWS\Explorer.EXE[1976] WININET.dll!InternetOpenUrlW 3D998471 5 Bytes JMP 01570FC3
.text C:\WINDOWS\Explorer.EXE[1976] WS2_32.dll!socket 71AB4211 5 Bytes JMP 016D0000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2276] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01510FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2276] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 01510FC3
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2276] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01510FD4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2276] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0150000A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2276] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01500F9B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2276] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01500FAC
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2276] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01500FBD
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2276] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0150007A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2276] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01500058
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2276] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01500F6D
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2276] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01500F7E
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2276] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 015000D0
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2276] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01500F41
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2276] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01500F26
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2276] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01500069
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2276] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0150001B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2276] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 015000B5
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2276] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01500047
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2276] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0150002C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2276] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01500F52
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2276] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 014F0FD4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2276] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 014F0FA8
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2276] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 014F0025
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2276] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 014F0FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2276] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 014F0FB9
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2276] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 014F0000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2276] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 014F005B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2276] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 014F0040
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2276] msvcrt.dll!_wsystem 77C2931E 3 Bytes JMP 014E006E
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2276] msvcrt.dll!_wsystem + 4 77C29322 1 Byte [89]
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2276] msvcrt.dll!system 77C293C7 3 Bytes JMP 014E0053
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2276] msvcrt.dll!system + 4 77C293CB 1 Byte [89]
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2276] msvcrt.dll!_creat 77C2D40F 3 Bytes JMP 014E0FE3
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2276] msvcrt.dll!_creat + 4 77C2D413 1 Byte [89]
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2276] msvcrt.dll!_open 77C2F566 5 Bytes JMP 014E0000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2276] msvcrt.dll!_wcreat 77C2FC9B 3 Bytes JMP 014E0038
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2276] msvcrt.dll!_wcreat + 4 77C2FC9F 1 Byte [89]
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2276] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 014E0011
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2276] WS2_32.dll!socket 71AB4211 5 Bytes JMP 014D0FEF
.text C:\WINDOWS\System32\svchost.exe[2788] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0009000A
.text C:\WINDOWS\System32\svchost.exe[2788] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00090FD4
.text C:\WINDOWS\System32\svchost.exe[2788] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00090FEF
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B004F
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0F5A
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0F75
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0F86
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0F97
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B007D
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B0F35
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B0EFF
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B0F1A
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B0EEE
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B001E
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B0FDE
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B0060
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B0FA8
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B0FCD
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B0098
.text C:\WINDOWS\System32\svchost.exe[2788] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002A0FD4
.text C:\WINDOWS\System32\svchost.exe[2788] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002A0FA8
.text C:\WINDOWS\System32\svchost.exe[2788] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002A0FE5
.text C:\WINDOWS\System32\svchost.exe[2788] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002A001B
.text C:\WINDOWS\System32\svchost.exe[2788] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002A0065
.text C:\WINDOWS\System32\svchost.exe[2788] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002A0000
.text C:\WINDOWS\System32\svchost.exe[2788] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002A004A
.text C:\WINDOWS\System32\svchost.exe[2788] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002A0FC3
.text C:\WINDOWS\System32\svchost.exe[2788] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003F0027
.text C:\WINDOWS\System32\svchost.exe[2788] msvcrt.dll!system 77C293C7 5 Bytes JMP 003F000C
.text C:\WINDOWS\System32\svchost.exe[2788] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003F0FB7
.text C:\WINDOWS\System32\svchost.exe[2788] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003F0FEF
.text C:\WINDOWS\System32\svchost.exe[2788] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003F0FA6
.text C:\WINDOWS\System32\svchost.exe[2788] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003F0FD2
.text C:\WINDOWS\System32\svchost.exe[2788] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009C0FEF
.text C:\WINDOWS\system32\svchost.exe[2904] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C20FEF
.text C:\WINDOWS\system32\svchost.exe[2904] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C20025
.text C:\WINDOWS\system32\svchost.exe[2904] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C20000
.text C:\WINDOWS\system32\svchost.exe[2904] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C10000
.text C:\WINDOWS\system32\svchost.exe[2904] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C10090
.text C:\WINDOWS\system32\svchost.exe[2904] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C1007F
.text C:\WINDOWS\system32\svchost.exe[2904] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C10058
.text C:\WINDOWS\system32\svchost.exe[2904] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C10047
.text C:\WINDOWS\system32\svchost.exe[2904] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C10036
.text C:\WINDOWS\system32\svchost.exe[2904] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C100C8
.text C:\WINDOWS\system32\svchost.exe[2904] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C10F76
.text C:\WINDOWS\system32\svchost.exe[2904] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C100FE
.text C:\WINDOWS\system32\svchost.exe[2904] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C10F5B
.text C:\WINDOWS\system32\svchost.exe[2904] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C10119
.text C:\WINDOWS\system32\svchost.exe[2904] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C10FA5
.text C:\WINDOWS\system32\svchost.exe[2904] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C10FDB
.text C:\WINDOWS\system32\svchost.exe[2904] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C100A1
.text C:\WINDOWS\system32\svchost.exe[2904] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C10011
.text C:\WINDOWS\system32\svchost.exe[2904] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C10FCA
.text C:\WINDOWS\system32\svchost.exe[2904] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C100D9
.text C:\WINDOWS\system32\svchost.exe[2904] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C00FB9
.text C:\WINDOWS\system32\svchost.exe[2904] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C00F72
.text C:\WINDOWS\system32\svchost.exe[2904] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C0000A
.text C:\WINDOWS\system32\svchost.exe[2904] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C00FD4
.text C:\WINDOWS\system32\svchost.exe[2904] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C00F8D
.text C:\WINDOWS\system32\svchost.exe[2904] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C00FE5
.text C:\WINDOWS\system32\svchost.exe[2904] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C00FA8
.text C:\WINDOWS\system32\svchost.exe[2904] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E0, 88] {LOOPNZ 0xffffffffffffff8a}
.text C:\WINDOWS\system32\svchost.exe[2904] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C0002F
.text C:\WINDOWS\system32\svchost.exe[2904] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BF005A
.text C:\WINDOWS\system32\svchost.exe[2904] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BF0049
.text C:\WINDOWS\system32\svchost.exe[2904] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BF002E
.text C:\WINDOWS\system32\svchost.exe[2904] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\svchost.exe[2904] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BF0FD9
.text C:\WINDOWS\system32\svchost.exe[2904] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BF001D
.text C:\WINDOWS\system32\svchost.exe[2904] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\system32\svchost.exe[2948] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00B9000A
.text C:\WINDOWS\system32\svchost.exe[2948] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B90FE5
.text C:\WINDOWS\system32\svchost.exe[2948] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B9001B
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B80000
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B80086
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B80F91
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B80075
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B80058
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B8003D
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B800C8
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B800AD
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B800E3
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B80F4A
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B800F4
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B80FB6
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B80011
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B80F80
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B80FD1
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B80022
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B80F5B
.text C:\WINDOWS\system32\svchost.exe[2948] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B70FD1
.text C:\WINDOWS\system32\svchost.exe[2948] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B70F80
.text C:\WINDOWS\system32\svchost.exe[2948] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B70022
.text C:\WINDOWS\system32\svchost.exe[2948] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B70011
.text C:\WINDOWS\system32\svchost.exe[2948] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B70047
.text C:\WINDOWS\system32\svchost.exe[2948] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B70000
.text C:\WINDOWS\system32\svchost.exe[2948] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B70FA5
.text C:\WINDOWS\system32\svchost.exe[2948] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D7, 88]
.text C:\WINDOWS\system32\svchost.exe[2948] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B70FC0
.text C:\WINDOWS\system32\svchost.exe[2948] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B60FA3
.text C:\WINDOWS\system32\svchost.exe[2948] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B60FBE
.text C:\WINDOWS\system32\svchost.exe[2948] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B60FE3
.text C:\WINDOWS\system32\svchost.exe[2948] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B60000
.text C:\WINDOWS\system32\svchost.exe[2948] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B6002E
.text C:\WINDOWS\system32\svchost.exe[2948] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B60011
.text C:\WINDOWS\system32\dllhost.exe[3152] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0009000A
.text C:\WINDOWS\system32\dllhost.exe[3152] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00090FEF
.text C:\WINDOWS\system32\dllhost.exe[3152] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00090025
.text C:\WINDOWS\system32\dllhost.exe[3152] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\system32\dllhost.exe[3152] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0F61
.text C:\WINDOWS\system32\dllhost.exe[3152] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0F7C
.text C:\WINDOWS\system32\dllhost.exe[3152] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0F8D
.text C:\WINDOWS\system32\dllhost.exe[3152] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B004A
.text C:\WINDOWS\system32\dllhost.exe[3152] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B001E
.text C:\WINDOWS\system32\dllhost.exe[3152] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B008E
.text C:\WINDOWS\system32\dllhost.exe[3152] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B0F46
.text C:\WINDOWS\system32\dllhost.exe[3152] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B00BD
.text C:\WINDOWS\system32\dllhost.exe[3152] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B0F1A
.text C:\WINDOWS\system32\dllhost.exe[3152] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B0F09
.text C:\WINDOWS\system32\dllhost.exe[3152] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B002F
.text C:\WINDOWS\system32\dllhost.exe[3152] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B0FD4
.text C:\WINDOWS\system32\dllhost.exe[3152] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B0067
.text C:\WINDOWS\system32\dllhost.exe[3152] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B0FA8
.text C:\WINDOWS\system32\dllhost.exe[3152] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B0FB9
.text C:\WINDOWS\system32\dllhost.exe[3152] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B0F2B
.text C:\WINDOWS\system32\dllhost.exe[3152] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0064
.text C:\WINDOWS\system32\dllhost.exe[3152] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A0049
.text C:\WINDOWS\system32\dllhost.exe[3152] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A0038
.text C:\WINDOWS\system32\dllhost.exe[3152] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0000
.text C:\WINDOWS\system32\dllhost.exe[3152] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A0FD9
.text C:\WINDOWS\system32\dllhost.exe[3152] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A001D
.text C:\WINDOWS\system32\dllhost.exe[3152] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002B0FC3
.text C:\WINDOWS\system32\dllhost.exe[3152] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002B0F72
.text C:\WINDOWS\system32\dllhost.exe[3152] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002B0FDE
.text C:\WINDOWS\system32\dllhost.exe[3152] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002B000A
.text C:\WINDOWS\system32\dllhost.exe[3152] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002B0F97
.text C:\WINDOWS\system32\dllhost.exe[3152] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002B0FEF
.text C:\WINDOWS\system32\dllhost.exe[3152] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002B0039
.text C:\WINDOWS\system32\dllhost.exe[3152] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002B0FB2
.text C:\WINDOWS\system32\dllhost.exe[3152] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A80000
.text C:\WINDOWS\system32\wuauclt.exe[5312] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00090FE5
.text C:\WINDOWS\system32\wuauclt.exe[5312] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0009001B
.text C:\WINDOWS\system32\wuauclt.exe[5312] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00090000
.text C:\WINDOWS\system32\wuauclt.exe[5312] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001C0FEF
.text C:\WINDOWS\system32\wuauclt.exe[5312] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001C005B
.text C:\WINDOWS\system32\wuauclt.exe[5312] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001C0F66
.text C:\WINDOWS\system32\wuauclt.exe[5312] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001C0F83
.text C:\WINDOWS\system32\wuauclt.exe[5312] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001C0040
.text C:\WINDOWS\system32\wuauclt.exe[5312] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001C0F9E
.text C:\WINDOWS\system32\wuauclt.exe[5312] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001C0F24
.text C:\WINDOWS\system32\wuauclt.exe[5312] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001C006C
.text C:\WINDOWS\system32\wuauclt.exe[5312] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001C0EE7
.text C:\WINDOWS\system32\wuauclt.exe[5312] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001C0EF8
.text C:\WINDOWS\system32\wuauclt.exe[5312] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001C009B
.text C:\WINDOWS\system32\wuauclt.exe[5312] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001C0025
.text C:\WINDOWS\system32\wuauclt.exe[5312] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001C0FD4
.text C:\WINDOWS\system32\wuauclt.exe[5312] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001C0F41
.text C:\WINDOWS\system32\wuauclt.exe[5312] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001C0FB9
.text C:\WINDOWS\system32\wuauclt.exe[5312] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001C000A
.text C:\WINDOWS\system32\wuauclt.exe[5312] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001C0F09
.text C:\WINDOWS\system32\wuauclt.exe[5312] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002B0053
.text C:\WINDOWS\system32\wuauclt.exe[5312] msvcrt.dll!system 77C293C7 5 Bytes JMP 002B0042
.text C:\WINDOWS\system32\wuauclt.exe[5312] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002B0FE3
.text C:\WINDOWS\system32\wuauclt.exe[5312] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002B0000
.text C:\WINDOWS\system32\wuauclt.exe[5312] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002B0FC8
.text C:\WINDOWS\system32\wuauclt.exe[5312] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002B0011
.text C:\WINDOWS\system32\wuauclt.exe[5312] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002C0025
.text C:\WINDOWS\system32\wuauclt.exe[5312] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002C0087
.text C:\WINDOWS\system32\wuauclt.exe[5312] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002C0FD4
.text C:\WINDOWS\system32\wuauclt.exe[5312] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002C000A
.text C:\WINDOWS\system32\wuauclt.exe[5312] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002C006C
.text C:\WINDOWS\system32\wuauclt.exe[5312] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002C0FEF
.text C:\WINDOWS\system32\wuauclt.exe[5312] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002C0051
.text C:\WINDOWS\system32\wuauclt.exe[5312] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002C0036
.text C:\Program Files\Mozilla Firefox\firefox.exe[10476] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[10940] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00140FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[10940] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00140014
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[10940] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00140FDE
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[10940] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00260FE5
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[10940] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00260F48
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[10940] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0026003D
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[10940] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00260022
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[10940] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00260F6F
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[10940] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00260011
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[10940] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00260084
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[10940] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00260069
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[10940] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00260F0D
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[10940] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 002600A6
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[10940] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 002600C1
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[10940] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00260F8A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[10940] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00260000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[10940] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00260058
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[10940] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00260FAF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[10940] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00260FCA
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[10940] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00260095
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[10940] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00350FCA
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[10940] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00350F5E
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[10940] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0035001B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[10940] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0035000A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[10940] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00350F83
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[10940] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00350FE5
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[10940] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00350F9E
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[10940] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [55, 88]
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[10940] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00350FAF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[10940] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00360FA1
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[10940] msvcrt.dll!system 77C293C7 5 Bytes JMP 00360FBC
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[10940] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00360011
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[10940] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00360FE3
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[10940] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0036002C
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[10940] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00360000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[10940] WS2_32.dll!socket 71AB4211 3 Bytes JMP 00370000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[10940] WS2_32.dll!socket + 4 71AB4215 1 Byte [8E]
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[11300] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 104089D7 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----


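As an added example (not GMER's code and not from this thread), here is a small Python triage script for the user-mode hook table GMER printed above: it parses the `.text <process>[pid] <dll>!<func> ... JMP <target>` records, separates hooks whose destination GMER tied to a module from those jumping into unattributed memory, reassembles the `+ N` fragment records, and reports which symbols are hooked across several processes. The sample log is a constructed subset of the lines above; the function names and the two-process threshold are this script's own assumptions.

```python
"""Triage helper for GMER's user-mode hook table (the ".text <process>[pid] <dll>!<func> ..." lines).
This is an added example, not GMER code; the heuristics and names are this script's own."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample: a subset of the hook lines from the log above, copied in GMER's exact layout.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\wuauclt.exe[5312] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00090FE5
.text C:\WINDOWS\system32\wuauclt.exe[5312] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001C0EE7
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[10940] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00140FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[10940] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00260F0D
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[10940] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00350F9E
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[10940] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [55, 88]
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[10940] WS2_32.dll!socket 71AB4211 3 Bytes JMP 00370000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[10940] WS2_32.dll!socket + 4 71AB4215 1 Byte [8E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[10476] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
"""

HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<dll>\S+)!(?P<func>\S+)(?:\s\+\s(?P<off>\d+))?\s+"      # "+ 3" marks a fragment of a split patch
    r"(?P<addr>[0-9A-F]{8})\s+(?P<size>\d+)\s+Bytes?\s+(?P<patch>.+?)\s*$"
)
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-F]{8})(?:\s+(?P<module>.+)\s\([^()]*\))?$")
BYTES_RE = re.compile(r"^\[(?P<bytes>[0-9A-F]{2}(?:,\s*[0-9A-F]{2})*)\]$")


@dataclass
class Hook:
    process: str
    pid: int
    symbol: str                 # "dll!function"
    offset: int                 # byte offset into the function this record covers
    address: int
    size: int
    target: Optional[int]       # JMP destination; None for a raw-bytes fragment
    module: Optional[str]       # module GMER attributed the destination to, if any
    raw_bytes: Optional[str]    # e.g. "55, 88" for a fragment record


def parse_hook_line(line: str) -> Optional[Hook]:
    m = HOOK_RE.match(line)
    if not m:
        return None
    target = module = raw = None
    j = JMP_RE.match(m["patch"])
    if j:
        target, module = int(j["target"], 16), j["module"]
    else:
        b = BYTES_RE.match(m["patch"])
        if not b:
            return None
        raw = b["bytes"]
    return Hook(m["proc"], int(m["pid"]), f"{m['dll']}!{m['func']}", int(m["off"] or 0),
                int(m["addr"], 16), int(m["size"]), target, module, raw)


def parse_hooks(text: str) -> List[Hook]:
    return [h for h in map(parse_hook_line, text.splitlines()) if h]


def hooks_by_process(hooks: List[Hook]) -> Dict[str, Set[str]]:
    by_proc: Dict[str, Set[str]] = {}
    for h in hooks:
        by_proc.setdefault(h.process, set()).add(h.symbol)
    return by_proc


def widespread_hooks(by_proc: Dict[str, Set[str]], min_procs: int = 2) -> Set[str]:
    """Symbols hooked in at least min_procs distinct processes. One identical hook set across
    unrelated processes points to a single system-wide injector (on this machine a security
    product is the obvious candidate; corroborate against installed software, never assume)."""
    seen = Counter(sym for syms in by_proc.values() for sym in syms)
    return {sym for sym, n in seen.items() if n >= min_procs}


def unattributed_jumps(hooks: List[Hook]) -> List[Hook]:
    """JMP records whose destination GMER could not tie to a loaded module. These are the ones
    worth resolving by hand (which allocation owns the target?) before drawing conclusions."""
    return [h for h in hooks if h.target is not None and h.module is None]


def triage(text: str) -> dict:
    hooks = parse_hooks(text)
    by_proc = hooks_by_process(hooks)
    return {
        "processes": sorted(by_proc),
        "widespread": sorted(widespread_hooks(by_proc)),
        "attributed": [(h.symbol, h.module) for h in hooks if h.module],
        "unattributed": [(h.process.rsplit("\\", 1)[-1], h.symbol, f"{h.target:08X}")
                         for h in unattributed_jumps(hooks)],
        "fragments": [(h.symbol, h.offset, h.raw_bytes) for h in hooks if h.raw_bytes],
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(triage(SAMPLE_LOG))
```

Run it against a full GMER report instead of SAMPLE_LOG to see which hooks are shared by every process and which targets still lack a module owner.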
#4 pwgib

pwgib

  • Malware Response Team
  • 2,957 posts
  • Gender:Male
  • Location:God's Country
  • Local time:11:10 PM

Posted 14 July 2011 - 09:08 AM

Hi ricknorth,


I will be handling your log to help you get cleaned up. I apologize for the delay but the forum is very busy and as you can see the logs we ask for are very extensive and take a lot of time to investigate.

Please subscribe to this topic. Click on the Watch Topic button, select Immediate Notification and click on proceed.

Make sure Word Wrap in notepad is turned off. When copying and pasting logs paste them directly in the reply box only attach logs if asked to. Do not wrap logs in codebox or code tags. It makes it very difficult to read and analyze them. Please paste them directly into the reply box. Do not make any changes to your system until we are through. Fixes are based upon information that is current from your system so any changes can affect our strategy. Please refrain from running any tools we may use without specific instructions.

If your operating system is Windows Vista or Windows 7 it may be necessary to right click then choose Run as Administrator any programs we use.

Before we begin please check and follow the instructions on How to Show Hidden Files and Folders in Windows Vista and Windows XP and How to show hidden files in Windows 7

Because the e-mail notification system is not completely reliable, please check your topic once a day for responses.

Please read carefully all directions and instructions. If you are instructed to save a tool to the desktop please save it to the desktop. If you have since resolved the original problem you were having, we would appreciate you letting us know.



I don't see any rootkit activity in your RKUnhooker log. Let's try again. :thumbup2:

Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)
In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".



In your next reply please include the following:


RKU report



Thanks!!

Edited by pwgib, 14 July 2011 - 09:37 AM.

PW

#5 ricknorth

ricknorth
  • Topic Starter

  • Members
  • 110 posts
  • Local time:08:10 PM

Posted 15 July 2011 - 12:27 AM

Hello Forum Addict,
OK, did as instructed, showing hidden files etc. I should note that before I got your instructions, a couple days ago, I got a notification of an automatic update from MS and installed it, as I always do. Also, my computer seems to be a little faster. And finally, I removed and blocked spy cookie(s) I found, called ru4.com. So, my computer isn't quite in the same state as in the first RKU run.

I ran RKU and this time I don't see the 'unknown threads' that show in my first post, and no message 'possible rootkit activity!'. Instead, it finished with "nothing detected :( " Not sure why that last summary line never shows up in the actual report opened in Notepad. Here's today's RKU report...

RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2154496 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2154496 bytes
0x804D7000 RAW 2154496 bytes
0x804D7000 WMIxWDM 2154496 bytes
0xBF800000 Win32k 1859584 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB9535000 C:\WINDOWS\system32\DRIVERS\ialmnt5.sys 1368064 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0xA8FC5000 C:\WINDOWS\system32\drivers\sthda.sys 1114112 bytes (SigmaTel, Inc., NDRC)
0xA8E72000 C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys 1036288 bytes (Conexant Systems, Inc., HSF_DP driver)
0xBF077000 C:\WINDOWS\System32\ialmdd5.DLL 925696 bytes (Intel Corporation, DirectDraw® Driver for Intel® Graphics Technology)
0xB9357000 C:\WINDOWS\system32\DRIVERS\btkrnl.sys 835584 bytes (Broadcom Corporation., Bluetooth Bus Enumerator)
0xA8DC2000 C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 720896 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xB9E32000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xA8041000 C:\WINDOWS\System32\Drivers\wdf01000.sys 462848 bytes (Microsoft Corporation, Kernel Mode Driver Framework Runtime)
0xA7DE2000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB91D9000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xA7FB5000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA7173000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xB9D98000 mfehidk.sys 339968 bytes (McAfee, Inc., McAfee Link Driver)
0xB9475000 C:\WINDOWS\system32\DRIVERS\rixdptsk.sys 311296 bytes (REDC, RICOH XD SM Driver)
0xBF159000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xA71F3000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xBF042000 C:\WINDOWS\System32\ialmdev5.DLL 217088 bytes (Intel Corporation, Component GHAL Driver)
0xA8F6F000 C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys 204800 bytes (Conexant Systems, Inc., HSF_HWAZL WDM driver)
0xB925F000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xB9446000 C:\WINDOWS\system32\DRIVERS\SynTP.sys 192512 bytes (Synaptics, Inc., Synaptics Touchpad Driver)
0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xA7324000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB9E05000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xA60E6000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xA7E7A000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB94F9000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xA7F67000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB9F23000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xA7F8F000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xA8FA1000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB94D5000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB9423000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xA7F45000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xBF020000 C:\WINDOWS\System32\ialmdnt5.dll 139264 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0x806E5000 ACPI_HAL 134400 bytes
0x806E5000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB9EEB000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB9F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xA7DC4000 C:\WINDOWS\system32\DRIVERS\btwdndis.sys 122880 bytes (Broadcom Corporation., Bluetooth LAN Access Server Driver)
0xB9DEB000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xA7C3D000 C:\WINDOWS\system32\dla\tfsnudf.sys 102400 bytes (Sonic Solutions, Drive Letter Access Component)
0xA7C24000 C:\WINDOWS\system32\dla\tfsnudfa.sys 102400 bytes (Sonic Solutions, Drive Letter Access Component)
0xB9F0B000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xA7DAC000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xB9EBF000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB9340000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xA7C56000 C:\WINDOWS\system32\dla\tfsnifs.sys 90112 bytes (Sonic Solutions, Drive Letter Access Component)
0xB9ED6000 drvmcdb.sys 86016 bytes (Sonic Solutions, Device Driver)
0xA6A95000 C:\WINDOWS\system32\drivers\mfeavfk.sys 86016 bytes (McAfee, Inc., Anti-Virus File System Filter Driver)
0xA770F000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB94C1000 C:\WINDOWS\system32\DRIVERS\sdbus.sys 81920 bytes (Microsoft Corporation, SecureDigital Bus Driver)
0xB9521000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xA800E000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xA636C000 C:\WINDOWS\system32\drivers\mfeapfk.sys 69632 bytes (McAfee, Inc., Access Protection Filter Driver)
0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB932F000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xBA2F8000 C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys 65536 bytes (Broadcom Corporation, Broadcom Corporation NDIS 5.1 ethernet driver)
0xBA2A8000 C:\WINDOWS\System32\Drivers\btwusb.sys 65536 bytes (Broadcom Corporation., Driver for Bluetooth USB Devices)
0xB92BF000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xBA158000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA138000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xBA108000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xBA288000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xBA1E8000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xBA168000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xBA258000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xBA1F8000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA118000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xBF012000 C:\WINDOWS\System32\ialmrnt5.dll 57344 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0xBA228000 C:\WINDOWS\system32\drivers\mfetdik.sys 57344 bytes (McAfee, Inc., Anti-Virus Mini-Firewall Driver)
0xBA218000 C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS 57344 bytes (Microsoft Corporation, Kernel Mode Driver Framework Loader)
0xBA0E8000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA318000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xBA178000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xBA308000 C:\WINDOWS\system32\DRIVERS\rimsptsk.sys 53248 bytes (REDC, RICOH MS Driver)
0xBA0C8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xBA198000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xBA268000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA148000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xBA0B8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xBA188000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xBA208000 C:\WINDOWS\system32\DRIVERS\dc3d.sys 40960 bytes (Microsoft Corporation, Filter Driver for Identification of Microsoft Hardware Wireless Mouse and Keyboard Device Models)
0xB930F000 C:\WINDOWS\system32\drivers\drvnddm.sys 40960 bytes (Sonic Solutions, Device Driver Manager)
0xBA0A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xBA1C8000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xBA1B8000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xA6F0B000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0xBA0D8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xBA238000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xBA2E8000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xA66C4000 C:\WINDOWS\system32\drivers\mfebopk.sys 36864 bytes (McAfee, Inc., Buffer Overflow Protection Driver)
0xBA1A8000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xBA248000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xBA298000 C:\WINDOWS\system32\DRIVERS\point32.sys 36864 bytes (Microsoft Corporation, Point32k.sys)
0xBA0F8000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xB92EF000 C:\WINDOWS\system32\dla\tfsncofs.sys 36864 bytes (Sonic Solutions, Drive Letter Access Component)
0xBA278000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xBA420000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xBA458000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xBA3D0000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xBA488000 C:\WINDOWS\system32\DRIVERS\btport.sys 28672 bytes (Broadcom Corporation., Bluetooth BTPORT Driver for Windows 2000)
0xBA430000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xBA328000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xBA3D8000 C:\WINDOWS\system32\DRIVERS\rimmptsk.sys 28672 bytes (REDC, RICOH MMC Driver)
0xBA438000 C:\WINDOWS\system32\dla\tfsnboio.sys 28672 bytes (Sonic Solutions, Drive Letter Access Component)
0xBA388000 C:\WINDOWS\system32\drivers\btserial.sys 24576 bytes (Broadcom Corporation., Bluetooth Serial Driver for Windows 2000)
0xBA3E8000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xBA3E0000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xBA440000 C:\WINDOWS\system32\drivers\ssrtln.sys 24576 bytes (Sonic Solutions, Shared Driver Component)
0xBA3C8000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xBA448000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xBA468000 C:\WINDOWS\system32\DRIVERS\AegisP.sys 20480 bytes (Meetinghouse Data Communications, IEEE 802.1X Protocol Driver)
0xBA450000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBA408000 C:\WINDOWS\system32\DRIVERS\omci.sys 20480 bytes (Dell Inc, OMCI Device Driver)
0xBA330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xBA3F8000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xBA400000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xBA3F0000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xBA410000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xB969F000 C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS 16384 bytes (Dell Inc, App Support Driver)
0xBA4C0000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xBA5A0000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xB96A3000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xBA54C000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xA7B48000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xA7E6E000 C:\WINDOWS\system32\DRIVERS\NuidFltr.sys 16384 bytes (Microsoft Corporation, Filter Driver for Microsoft Hardware HID Non-User Input Data)
0xA7C74000 C:\WINDOWS\system32\DRIVERS\s24trans.sys 16384 bytes (Intel Corporation, Intel WLAN Packet Driver)
0xA80DE000 C:\WINDOWS\system32\dla\tfsnopio.sys 16384 bytes (Sonic Solutions, Drive Letter Access Component)
0xBA4B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xBA4BC000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xA80E2000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xBA598000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xBA580000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes (Microsoft Corporation, I2O Utility Filter)
0xA708B000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 12288 bytes (Conexant, Diagnostic Interface DRIVER)
0xB923B000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB9D68000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xBA590000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xBA59C000 C:\WINDOWS\system32\DRIVERS\wmiacpi.sys 12288 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0xBA60C000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBA5F6000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xBA60A000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xBA5B6000 C:\WINDOWS\System32\Drivers\hiber_WMILIB.SYS 8192 bytes
0xBA5A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xBA60E000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xBA610000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBA5EE000 C:\WINDOWS\system32\drivers\sscdbhk5.sys 8192 bytes (Sonic Solutions, Shared Driver Component)
0xBA5F0000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xBA614000 C:\WINDOWS\system32\dla\tfsnpool.sys 8192 bytes (Sonic Solutions, Drive Letter Access Component)
0xBA5EC000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBA5AA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBA7DB000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xBA72B000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xBA78B000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xBA670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xBA7A8000 C:\WINDOWS\system32\dla\tfsndrct.sys 4096 bytes (Sonic Solutions, Drive Letter Access Component)
0xBA7A3000 C:\WINDOWS\system32\dla\tfsndres.sys 4096 bytes (Sonic Solutions, Drive Letter Access Component)
==============================================
>Stealth
==============================================

#6 pwgib

pwgib

  • Malware Response Team
  • 2,957 posts
  • Gender:Male
  • Location:God's Country
  • Local time:11:10 PM

Posted 15 July 2011 - 07:52 AM

Hi ricknorth,

So far I don't see anything that indicates rootkit activity but that doesn't mean something isn't there. We can run some more tools to make sure.

I don't see a System Restore Point in your logs. It is always good to have a restore point to fall back on as you should know from past experience. :P

Set a new restore point.
  • Turn System Restore off
    • On the Desktop, right click on the My Computer icon.
    • Click Properties.
    • Click the System Restore tab.
    • Check Turn off System Restore.
    • Click Apply, and then click OK.
    • Restart
  • Turn System Restore on
    • On the Desktop, right click on the My Computer icon.
    • Click Properties.
    • Click the System Restore tab.
    • Uncheck Turn off System Restore.
    • Click Apply, and then click OK.
Note: only do this once, and not on a regular basis.


I see you have CCleaner installed which I highly recommend but contains a registry cleaner.

Please be aware that bleepingcomputer staff do not recommend the usage of registry cleaners / tools due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System
  • Registry tools can, as a result of the above, render your PC inoperable.
This is done, assuming that the major audience here at this board might be inexperienced users and thus a suggested safeguard from our side.
If you feel you have the need for a registry cleaner, then you are just as welcome to keep it. This is what we refer to as an "optional fix" and is up to the user, so just take this as a recommendation from my side.

Please do not use the Registry Cleaner option in CCleaner.



I also see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player's components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager -- the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.

Viewpoint Manager is considered foistware instead of malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This may change; read Viewpoint to Plunge Into Adware.

I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):

  • Click Start, point to Settings, and then click Control Panel.
  • In Control Panel, double-click Add or Remove Programs.
  • In Add or Remove Programs, highlight >>Viewpoint component<< , click Remove.
  • Do the same for each Viewpoint component.


Step 1.

I would like to see an MBAM report.

Please rerun MBAM that appears to already be installed on your computer.

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
    • Update Malwarebytes' Anti-Malware <--- Important!!
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


Step 2.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.



In your next reply please include the following:

MBAM log
TDSS log


Still no redirects/popups or other problems?


Thanks!!
PW
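
Added here as an example (it is not code from this thread, from PW, or from Kaspersky's TDSSKiller): a small Python script that parses the driver lines of a TDSSKiller log, the file requested in Step 2 above, and lists what a helper reading such a log checks first, namely drivers loading from outside the standard drivers directory and files registered under more than one service name. The sample input is four lines in the format of the log posted in this thread plus one constructed entry with a placeholder hash and path.

```python
"""Triage helper for TDSSKiller-style log lines.

Added example for this thread; not part of TDSSKiller or of the replies.
It parses the driver enumeration lines, which look like

    YYYY/MM/DD HH:MM:SS.mmmm <pid> <service name> (<md5>) <path>

and reports two things worth looking at first: drivers that load from
outside the normal driver directory, and one file registered under several
service names. Neither is proof of infection (vendor drivers legitimately
live under Program Files); the output only orders what to examine first.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# One driver line: timestamp, scanner pid, service name, (md5), file path.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<pid>\d+)\s+"
    r"(?P<name>\S+)\s+"
    r"\((?P<md5>[0-9a-fA-F]{32})\)\s+"
    r"(?P<path>\S.*)$"
)

# Where Windows XP normally loads kernel drivers from (compared case-insensitively).
EXPECTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)


@dataclass
class DriverEntry:
    timestamp: str
    pid: int
    name: str
    md5: str
    path: str


def parse_line(line: str) -> Optional[DriverEntry]:
    """Return a DriverEntry for a driver line, or None for banner/status lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return DriverEntry(m["ts"], int(m["pid"]), m["name"], m["md5"].lower(), m["path"])


def parse_log(text: str) -> List[DriverEntry]:
    """Parse a whole log, skipping the SystemInfo block, separators and status lines."""
    entries = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def is_unusual_location(entry: DriverEntry) -> bool:
    """True when the driver file is not under the standard drivers directory."""
    return not entry.path.lower().startswith(EXPECTED_DRIVER_DIRS)


def shared_hashes(entries: List[DriverEntry]) -> Dict[str, List[str]]:
    """Map md5 -> service names for files registered under more than one name."""
    by_hash: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        by_hash[e.md5].append(e.name)
    return {h: names for h, names in by_hash.items() if len(names) > 1}


def triage(text: str) -> Dict[str, object]:
    """Summarise a log: driver count plus the two lists to look at first."""
    entries = parse_log(text)
    return {
        "driver_count": len(entries),
        "unusual_location": [e.name for e in entries if is_unusual_location(e)],
        "shared_hash": shared_hashes(entries),
    }


# Sample input: four lines in the format of the log posted in this thread, plus
# one constructed entry (placeholder hash and path) for a driver under Program Files.
SAMPLE_LOG = r"""
2011/07/15 15:20:53.0953 3232 ================================================================================
2011/07/15 15:20:53.0953 3232 Scan started
2011/07/15 15:20:53.0953 3232 Mode: Manual;
2011/07/15 15:20:54.0500 3232 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/07/15 15:20:59.0078 3232 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2011/07/15 15:20:59.0281 3232 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/07/15 15:21:01.0515 3232 ExampleSvc (0123456789abcdef0123456789abcdef) C:\Program Files\Example Vendor\example.sys
2011/07/15 15:21:18.0375 3232 tfsnboio (30698355067d07da5f9eb81132c9fdd6) C:\WINDOWS\system32\dla\tfsnboio.sys
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run it against a real TDSSKiller_*_log.txt by reading the file into `triage()`; the entries it flags are a starting point for the helper's review, not a verdict.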

#7 ricknorth
  • Topic Starter
  • Members
  • 110 posts

Posted 15 July 2011 - 05:39 PM

Thank you,
OK, I did set system restore back on (should I turn it back off now??), and I deleted Viewpoint, and ran MBAM. It loaded the latest version and updated the definitions. And, it found trojan.banker hiding in a .exe file I created and ran a few days ago, in my root c:\ directory. This is the same file infected and same infection name as was found in my last fumigation earlier this year which I linked in my first post here. I have NOT clicked on any suspicious emails (it was a phoney nacha.org email link which lured me last time and started this sad saga) or visited any bad websites (that I know of). The infected file was one I created with my fortran compiler recently. I'm guessing that some deeper lurking infection chose this file to infect since it was a recently used .exe file; does this make sense? Infection today was quarantined successfully and TDSS found nothing.

Here are the logs.

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7153

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

7/15/2011 3:00:39 PM
mbam-log-2011-07-15 (15-00-39).txt

Scan type: Quick scan
Objects scanned: 165303
Time elapsed: 8 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\tri.exe (Trojan.Banker) -> Quarantined and deleted successfully.




2011/07/15 15:19:25.0421 3476 TDSS rootkit removing tool 2.5.11.0 Jul 11 2011 16:56:56
2011/07/15 15:19:25.0859 3476 ================================================================================
2011/07/15 15:19:25.0859 3476 SystemInfo:
2011/07/15 15:19:25.0859 3476
2011/07/15 15:19:25.0859 3476 OS Version: 5.1.2600 ServicePack: 3.0
2011/07/15 15:19:25.0859 3476 Product type: Workstation
2011/07/15 15:19:25.0859 3476 ComputerName: RINOLTHE-NOTE
2011/07/15 15:19:25.0859 3476 UserName: Cabrillo College
2011/07/15 15:19:25.0859 3476 Windows directory: C:\WINDOWS
2011/07/15 15:19:25.0859 3476 System windows directory: C:\WINDOWS
2011/07/15 15:19:25.0859 3476 Processor architecture: Intel x86
2011/07/15 15:19:25.0859 3476 Number of processors: 2
2011/07/15 15:19:25.0859 3476 Page size: 0x1000
2011/07/15 15:19:25.0859 3476 Boot type: Normal boot
2011/07/15 15:19:25.0859 3476 ================================================================================
2011/07/15 15:19:27.0593 3476 Initialize success
2011/07/15 15:20:53.0953 3232 ================================================================================
2011/07/15 15:20:53.0953 3232 Scan started
2011/07/15 15:20:53.0953 3232 Mode: Manual;
2011/07/15 15:20:53.0953 3232 ================================================================================
2011/07/15 15:21:22.0000 3232 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/07/15 15:21:22.0062 3232 MBR (0x1B8) (5cb90281d1a59b251f6603134774eec3) \Device\Harddisk0\DR0
2011/07/15 15:21:22.0078 3232 Boot (0x1200) (b426ab52bf8c789bd73a2adb22743484) \Device\Harddisk0\DR0\Partition0
2011/07/15 15:21:22.0078 3232 ================================================================================
2011/07/15 15:21:22.0078 3232 Scan finished
2011/07/15 15:21:22.0078 3232 ================================================================================
2011/07/15 15:21:22.0093 0900 Detected object count: 0
2011/07/15 15:21:22.0093 0900 Actual detected object count: 0
2011/07/15 15:24:19.0656 3088 ================================================================================
2011/07/15 15:24:19.0656 3088 Scan started
2011/07/15 15:24:19.0656 3088 Mode: Manual;
2011/07/15 15:24:19.0656 3088 ================================================================================
2011/07/15 15:24:19.0921 3088 61883 (914a9709fc3bf419ad2f85547f2a4832) C:\WINDOWS\system32\DRIVERS\61883.sys
2011/07/15 15:24:19.0953 3088 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2011/07/15 15:24:20.0015 3088 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/07/15 15:24:20.0046 3088 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/07/15 15:24:20.0078 3088 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2011/07/15 15:24:20.0125 3088 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/07/15 15:24:20.0296 3088 AegisP (91f3df93f40a74d222cd166fe95db633) C:\WINDOWS\system32\DRIVERS\AegisP.sys
2011/07/15 15:24:20.0375 3088 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
2011/07/15 15:24:20.0421 3088 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/07/15 15:24:20.0453 3088 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2011/07/15 15:24:20.0484 3088 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2011/07/15 15:24:20.0625 3088 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2011/07/15 15:24:20.0656 3088 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2011/07/15 15:24:20.0687 3088 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2011/07/15 15:24:20.0718 3088 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2011/07/15 15:24:20.0750 3088 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2011/07/15 15:24:20.0781 3088 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2011/07/15 15:24:20.0906 3088 APPDRV (ec94e05b76d033b74394e7b2175103cf) C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS
2011/07/15 15:24:20.0968 3088 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/07/15 15:24:21.0000 3088 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2011/07/15 15:24:21.0031 3088 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2011/07/15 15:24:21.0046 3088 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2011/07/15 15:24:21.0109 3088 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/07/15 15:24:21.0156 3088 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/07/15 15:24:21.0328 3088 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/07/15 15:24:21.0375 3088 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/07/15 15:24:21.0421 3088 Avc (f8e6956a614f15a0860474c5e2a7de6b) C:\WINDOWS\system32\DRIVERS\avc.sys
2011/07/15 15:24:21.0484 3088 bcm4sbxp (6489310d11971f6ba6c7f49be0baf6e0) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
2011/07/15 15:24:21.0515 3088 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/07/15 15:24:21.0656 3088 BTDriver (fde318e3569f57264af74b7e431f60ae) C:\WINDOWS\system32\DRIVERS\btport.sys
2011/07/15 15:24:21.0734 3088 BTKRNL (9c3c8b9e2eda516eb44b51dab81dbd68) C:\WINDOWS\system32\DRIVERS\btkrnl.sys
2011/07/15 15:24:21.0828 3088 BTSERIAL (089f7526ff41c17b0a43896d0553d5a2) C:\WINDOWS\system32\drivers\btserial.sys
2011/07/15 15:24:21.0875 3088 BTWDNDIS (28531ab3183f498e58d93d585e6a6b70) C:\WINDOWS\system32\DRIVERS\btwdndis.sys
2011/07/15 15:24:21.0890 3088 BTWUSB (56c701580f2891952761362ba7594b3d) C:\WINDOWS\system32\Drivers\btwusb.sys
2011/07/15 15:24:21.0921 3088 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2011/07/15 15:24:22.0000 3088 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/07/15 15:24:22.0031 3088 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/07/15 15:24:22.0062 3088 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2011/07/15 15:24:22.0093 3088 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/07/15 15:24:22.0281 3088 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/07/15 15:24:22.0312 3088 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/07/15 15:24:22.0375 3088 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/07/15 15:24:22.0406 3088 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2011/07/15 15:24:22.0437 3088 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/07/15 15:24:22.0484 3088 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2011/07/15 15:24:22.0515 3088 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2011/07/15 15:24:22.0671 3088 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2011/07/15 15:24:22.0718 3088 dc3d (484ffbcec4091ff617494b6b0cb04eb3) C:\WINDOWS\system32\DRIVERS\dc3d.sys
2011/07/15 15:24:22.0765 3088 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/07/15 15:24:22.0828 3088 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/07/15 15:24:22.0984 3088 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/07/15 15:24:23.0015 3088 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/07/15 15:24:23.0046 3088 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/07/15 15:24:23.0093 3088 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2011/07/15 15:24:23.0140 3088 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/07/15 15:24:23.0203 3088 drvmcdb (e814854e6b246ccf498874839ab64d77) C:\WINDOWS\system32\drivers\drvmcdb.sys
2011/07/15 15:24:23.0218 3088 drvnddm (ee83a4ebae70bc93cf14879d062f548b) C:\WINDOWS\system32\drivers\drvnddm.sys
2011/07/15 15:24:23.0375 3088 DSproct (2ac2372ffad9adc85672cc8e8ae14be9) C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys
2011/07/15 15:24:23.0515 3088 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/07/15 15:24:23.0609 3088 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/07/15 15:24:23.0640 3088 FastLynx (36a407aaf908e0353ae482e347e315d8) C:\Program Files\FastLynx\FastLynx.sys
2011/07/15 15:24:23.0687 3088 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/07/15 15:24:23.0734 3088 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/07/15 15:24:23.0765 3088 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/07/15 15:24:23.0906 3088 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/07/15 15:24:23.0953 3088 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/07/15 15:24:23.0968 3088 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/07/15 15:24:24.0015 3088 FXUSB (b98e1cc9cb4f8ad091dc378958577783) C:\WINDOWS\system32\Drivers\FxUsb.sys
2011/07/15 15:24:24.0062 3088 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/07/15 15:24:24.0140 3088 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/07/15 15:24:24.0343 3088 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/07/15 15:24:24.0390 3088 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2011/07/15 15:24:24.0453 3088 HSFHWAZL (1c8caa80e91fb71864e9426f9eed048d) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
2011/07/15 15:24:24.0515 3088 HSF_DPV (698204d9c2832e53633e53a30a53fc3d) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
2011/07/15 15:24:24.0703 3088 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/07/15 15:24:24.0750 3088 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2011/07/15 15:24:24.0781 3088 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2011/07/15 15:24:24.0812 3088 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/07/15 15:24:24.0937 3088 ialm (cc449157474d5e43daea7e20f52c635a) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2011/07/15 15:24:25.0140 3088 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/07/15 15:24:25.0421 3088 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2011/07/15 15:24:25.0593 3088 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/07/15 15:24:25.0640 3088 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/07/15 15:24:25.0671 3088 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/07/15 15:24:25.0687 3088 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/07/15 15:24:25.0875 3088 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/07/15 15:24:25.0921 3088 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/07/15 15:24:25.0953 3088 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/07/15 15:24:25.0984 3088 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/07/15 15:24:26.0031 3088 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/07/15 15:24:26.0062 3088 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/07/15 15:24:26.0218 3088 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/07/15 15:24:26.0250 3088 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/07/15 15:24:26.0296 3088 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/07/15 15:24:26.0390 3088 MBAMSwissArmy (b18225739ed9caa83ba2df966e9f43e8) C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2011/07/15 15:24:26.0468 3088 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/07/15 15:24:26.0500 3088 mfeapfk (a8d2c54c2f71f5cba7ca2734341e57e6) C:\WINDOWS\system32\drivers\mfeapfk.sys
2011/07/15 15:24:26.0640 3088 mfeavfk (28bb783d85df19e9e007e81daf40adcc) C:\WINDOWS\system32\drivers\mfeavfk.sys
2011/07/15 15:24:26.0687 3088 mfebopk (8e43e242073e9db5aa165ebe273ffd09) C:\WINDOWS\system32\drivers\mfebopk.sys
2011/07/15 15:24:26.0734 3088 mfehidk (e94d35a2a9b175b34b995ab37216c73e) C:\WINDOWS\system32\drivers\mfehidk.sys
2011/07/15 15:24:26.0781 3088 mferkdet (f68c9cda15114b360727fe622e4aec6f) C:\WINDOWS\system32\drivers\mferkdet.sys
2011/07/15 15:24:27.0000 3088 mfetdik (78efa6fd2a486c476045eaa1d2f218b7) C:\WINDOWS\system32\drivers\mfetdik.sys
2011/07/15 15:24:27.0046 3088 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
2011/07/15 15:24:27.0078 3088 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/07/15 15:24:27.0171 3088 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/07/15 15:24:27.0218 3088 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/07/15 15:24:27.0250 3088 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/07/15 15:24:27.0406 3088 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/07/15 15:24:27.0437 3088 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2011/07/15 15:24:27.0484 3088 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/07/15 15:24:27.0562 3088 MRxSmb (0dc719e9b15e902346e87e9dcd5751fa) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/07/15 15:24:27.0765 3088 MSDV (1477849772712bac69c144dcf2c9ce81) C:\WINDOWS\system32\DRIVERS\msdv.sys
2011/07/15 15:24:27.0812 3088 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/07/15 15:24:27.0859 3088 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/07/15 15:24:27.0890 3088 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/07/15 15:24:27.0906 3088 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/07/15 15:24:27.0953 3088 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/07/15 15:24:28.0125 3088 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/07/15 15:24:28.0187 3088 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
2011/07/15 15:24:28.0234 3088 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/07/15 15:24:28.0296 3088 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/07/15 15:24:28.0328 3088 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/07/15 15:24:28.0453 3088 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/07/15 15:24:28.0515 3088 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/07/15 15:24:28.0531 3088 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/07/15 15:24:28.0593 3088 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/07/15 15:24:28.0625 3088 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/07/15 15:24:28.0671 3088 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/07/15 15:24:28.0734 3088 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/07/15 15:24:28.0875 3088 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/07/15 15:24:28.0906 3088 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/07/15 15:24:29.0140 3088 NuidFltr (ef2b9a14ec5dd74ade3417faf1b45e16) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
2011/07/15 15:24:29.0328 3088 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/07/15 15:24:29.0468 3088 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/07/15 15:24:29.0640 3088 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/07/15 15:24:29.0656 3088 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/07/15 15:24:29.0703 3088 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/07/15 15:24:29.0781 3088 omci (b17228142cec9b3c222239fd935a37ca) C:\WINDOWS\system32\DRIVERS\omci.sys
2011/07/15 15:24:29.0828 3088 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/07/15 15:24:29.0859 3088 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/07/15 15:24:29.0890 3088 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/07/15 15:24:29.0921 3088 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/07/15 15:24:30.0109 3088 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/07/15 15:24:30.0140 3088 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/07/15 15:24:30.0250 3088 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2011/07/15 15:24:30.0281 3088 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2011/07/15 15:24:30.0328 3088 Point32 (420336f91eb745811cf130c80ede0653) C:\WINDOWS\system32\DRIVERS\point32.sys
2011/07/15 15:24:30.0468 3088 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/07/15 15:24:30.0500 3088 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/07/15 15:24:30.0515 3088 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/07/15 15:24:30.0562 3088 PxHelp20 (81088114178112618b1c414a65e50f7c) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/07/15 15:24:30.0593 3088 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2011/07/15 15:24:30.0625 3088 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2011/07/15 15:24:30.0640 3088 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2011/07/15 15:24:30.0671 3088 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2011/07/15 15:24:30.0812 3088 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2011/07/15 15:24:30.0843 3088 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/07/15 15:24:30.0906 3088 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/07/15 15:24:30.0937 3088 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/07/15 15:24:30.0968 3088 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/07/15 15:24:31.0000 3088 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/07/15 15:24:31.0031 3088 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/07/15 15:24:31.0062 3088 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/07/15 15:24:31.0109 3088 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/07/15 15:24:31.0234 3088 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/07/15 15:24:31.0312 3088 rimmptsk (24ed7af20651f9fa1f249482e7c1f165) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
2011/07/15 15:24:31.0328 3088 rimsptsk (1bdba2d2d402415a78a4ba766dfe0f7b) C:\WINDOWS\system32\DRIVERS\rimsptsk.sys
2011/07/15 15:24:31.0359 3088 rismxdp (f774ecd11a064f0debb2d4395418153c) C:\WINDOWS\system32\DRIVERS\rixdptsk.sys
2011/07/15 15:24:31.0437 3088 s24trans (2c0e9e777ab1849b43494626c1f308b5) C:\WINDOWS\system32\DRIVERS\s24trans.sys
2011/07/15 15:24:31.0500 3088 sbigudrv (a066fe931e6213cb71c40eba3775cba3) C:\WINDOWS\SYSTEM32\DRIVERS\sbigudrv.sys
2011/07/15 15:24:31.0531 3088 SBIGULDR (9617cc50dfb1afb143a711637cff9830) C:\WINDOWS\system32\Drivers\sbiguldr.sys
2011/07/15 15:24:31.0546 3088 SBIGUSBE (7b3e98cbccad32079e79186671c47ef8) C:\WINDOWS\system32\Drivers\sbigusbe.sys
2011/07/15 15:24:31.0625 3088 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2011/07/15 15:24:31.0796 3088 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/07/15 15:24:31.0843 3088 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/07/15 15:24:31.0890 3088 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/07/15 15:24:31.0937 3088 sffdisk (0fa803c64df0914b41f807ea276bf2a6) C:\WINDOWS\system32\DRIVERS\sffdisk.sys
2011/07/15 15:24:31.0953 3088 sffp_sd (c17c331e435ed8737525c86a7557b3ac) C:\WINDOWS\system32\DRIVERS\sffp_sd.sys
2011/07/15 15:24:31.0984 3088 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/07/15 15:24:32.0078 3088 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2011/07/15 15:24:32.0250 3088 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/07/15 15:24:32.0296 3088 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2011/07/15 15:24:32.0343 3088 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/07/15 15:24:32.0406 3088 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/07/15 15:24:32.0484 3088 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/07/15 15:24:32.0593 3088 sscdbhk5 (d7968049be0adbb6a57cee3960320911) C:\WINDOWS\system32\drivers\sscdbhk5.sys
2011/07/15 15:24:32.0625 3088 ssrtln (c3ffd65abfb6441e7606cf74f1155273) C:\WINDOWS\system32\drivers\ssrtln.sys
2011/07/15 15:24:32.0734 3088 STHDA (3ad78e22210d3fbd9f76de84a8df19b5) C:\WINDOWS\system32\drivers\sthda.sys
2011/07/15 15:24:32.0921 3088 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/07/15 15:24:32.0968 3088 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/07/15 15:24:33.0031 3088 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/07/15 15:24:33.0093 3088 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2011/07/15 15:24:33.0125 3088 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2011/07/15 15:24:33.0156 3088 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2011/07/15 15:24:33.0312 3088 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2011/07/15 15:24:33.0390 3088 SynTP (fa2daa32bed908023272a0f77d625dae) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2011/07/15 15:24:33.0453 3088 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/07/15 15:24:33.0546 3088 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/07/15 15:24:33.0578 3088 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/07/15 15:24:33.0750 3088 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/07/15 15:24:33.0781 3088 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/07/15 15:24:33.0859 3088 tfsnboio (30698355067d07da5f9eb81132c9fdd6) C:\WINDOWS\system32\dla\tfsnboio.sys
2011/07/15 15:24:33.0875 3088 tfsncofs (fb9d825bb4a2abdf24600f7505050e2b) C:\WINDOWS\system32\dla\tfsncofs.sys
2011/07/15 15:24:33.0906 3088 tfsndrct (cafd8cca11aa1e8b6d2ea1ba8f70ec33) C:\WINDOWS\system32\dla\tfsndrct.sys
2011/07/15 15:24:33.0937 3088 tfsndres (8db1e78fbf7c426d8ec3d8f1a33d6485) C:\WINDOWS\system32\dla\tfsndres.sys
2011/07/15 15:24:33.0968 3088 tfsnifs (b92f67a71cc8176f331b8aa8d9f555ad) C:\WINDOWS\system32\dla\tfsnifs.sys
2011/07/15 15:24:33.0984 3088 tfsnopio (85985faa9a71e2358fcc2edefc2a3c5c) C:\WINDOWS\system32\dla\tfsnopio.sys
2011/07/15 15:24:34.0015 3088 tfsnpool (bba22094f0f7c210567efdaf11f64495) C:\WINDOWS\system32\dla\tfsnpool.sys
2011/07/15 15:24:34.0031 3088 tfsnudf (81340bef80b9811e98ce64611e67e3ff) C:\WINDOWS\system32\dla\tfsnudf.sys
2011/07/15 15:24:34.0062 3088 tfsnudfa (c035fd116224ccc8325f384776b6a8bb) C:\WINDOWS\system32\dla\tfsnudfa.sys
2011/07/15 15:24:34.0109 3088 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2011/07/15 15:24:34.0281 3088 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/07/15 15:24:34.0312 3088 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2011/07/15 15:24:34.0390 3088 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/07/15 15:24:34.0453 3088 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/07/15 15:24:34.0484 3088 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/07/15 15:24:34.0625 3088 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/07/15 15:24:34.0656 3088 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/07/15 15:24:34.0703 3088 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/07/15 15:24:34.0734 3088 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/07/15 15:24:34.0796 3088 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2011/07/15 15:24:34.0828 3088 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/07/15 15:24:35.0015 3088 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/07/15 15:24:35.0156 3088 w39n51 (95c7421f8bafc85ba09d33364058937d) C:\WINDOWS\system32\DRIVERS\w39n51.sys
2011/07/15 15:24:35.0343 3088 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/07/15 15:24:35.0437 3088 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
2011/07/15 15:24:35.0500 3088 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/07/15 15:24:35.0593 3088 winachsf (74cf3f2e4e40c4a2e18d39d6300a5c24) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2011/07/15 15:24:35.0828 3088 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/07/15 15:24:35.0921 3088 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/07/15 15:24:36.0000 3088 MBR (0x1B8) (5cb90281d1a59b251f6603134774eec3) \Device\Harddisk0\DR0
2011/07/15 15:24:36.0015 3088 Boot (0x1200) (b426ab52bf8c789bd73a2adb22743484) \Device\Harddisk0\DR0\Partition0
2011/07/15 15:24:36.0031 3088 ================================================================================
2011/07/15 15:24:36.0031 3088 Scan finished
2011/07/15 15:24:36.0031 3088 ================================================================================
2011/07/15 15:24:36.0062 2732 Detected object count: 0
2011/07/15 15:24:36.0062 2732 Actual detected object count: 0
2011/07/15 15:24:43.0406 3600 Deinitialize success
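
The two TDSSKiller runs above produce the same driver inventory line by line: timestamp, thread id, service name, MD5 of the file on disk, and path, followed by a hash of the MBR boot code (the 0x1B8 is the byte count hashed, which stops just before the disk signature) and of the boot sector. The useful way to consume such logs is to diff two runs and to look at anything loaded from an unusual place. The following is an added example, not code from this thread or from TDSSKiller: it parses log lines in this format, diffs two scans, and lists drivers whose path lies outside the Windows directory. The embedded sample log is constructed; it reuses a few hashes and paths from the log above, but the second Update line carries an invented hash and the Beep entry is left out of the second scan so that the diff has something to report (in the real log both scans agreed).

```python
"""Triage TDSSKiller driver-inventory logs: parse entries, diff two scans,
and flag drivers loaded from outside the Windows directory.
Added example; not code from the thread or from TDSSKiller itself."""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "ts tid name md5 path")

# One inventory line: timestamp, thread id, service name (optionally
# followed by a byte-count field such as "(0x1B8)"), MD5, then the path.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4})\s+"
    r"(?P<tid>[0-9a-fA-F]{4})\s+"
    r"(?P<name>\S+(?: \(0x[0-9A-Fa-f]+\))?)\s+"
    r"\((?P<md5>[0-9a-f]{32})\)\s+"
    r"(?P<path>\S.*?)\s*$"
)

# Constructed sample in the thread's log format. Tcpip, Beep, DSproct and
# MBR hashes/paths are copied from the thread; the second Update line has
# an invented hash and Beep is omitted from the second scan on purpose.
SAMPLE_LOG = r"""
2011/07/15 15:21:17.0296 3232 Scan started
2011/07/15 15:21:18.0156 3232 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/07/15 15:21:18.0200 3232 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/07/15 15:21:20.0078 3232 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/07/15 15:21:22.0062 3232 MBR (0x1B8) (5cb90281d1a59b251f6603134774eec3) \Device\Harddisk0\DR0
2011/07/15 15:21:22.0078 3232 Scan finished
2011/07/15 15:24:19.0656 3088 Scan started
2011/07/15 15:24:23.0375 3088 DSproct (2ac2372ffad9adc85672cc8e8ae14be9) C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys
2011/07/15 15:24:33.0546 3088 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/07/15 15:24:34.0390 3088 Update (deadbeefdeadbeefdeadbeefdeadbeef) C:\WINDOWS\system32\DRIVERS\update.sys
2011/07/15 15:24:36.0000 3088 MBR (0x1B8) (5cb90281d1a59b251f6603134774eec3) \Device\Harddisk0\DR0
2011/07/15 15:24:36.0031 3088 Scan finished
"""


def parse_scans(text):
    """Return one {service_name: Entry} dict per 'Scan started' block."""
    scans, current = [], None
    for line in text.splitlines():
        if line.rstrip().endswith("Scan started"):
            current = {}
            scans.append(current)
        elif current is not None:
            m = LINE_RE.match(line)
            if m:
                current[m["name"]] = Entry(**m.groupdict())
    return scans


def diff_scans(old, new):
    """List (kind, name, path, detail) for services that appeared,
    disappeared, or changed hash between two scans."""
    findings = []
    for name, e in new.items():
        o = old.get(name)
        if o is None:
            findings.append(("new", name, e.path, e.md5))
        elif o.md5 != e.md5:
            findings.append(("hash-changed", name, e.path, o.md5 + "->" + e.md5))
    for name in old.keys() - new.keys():
        findings.append(("removed", name, old[name].path, old[name].md5))
    return findings


SYSTEM_PREFIX = "c:\\windows\\"


def outside_system_dirs(scan):
    """Names of drivers whose file is not under the Windows directory.
    Raw disk objects (the MBR and boot-sector lines) are skipped."""
    return [e.name for e in scan.values()
            if not e.path.lower().startswith(SYSTEM_PREFIX)
            and not e.path.startswith("\\Device\\")]


if __name__ == "__main__":
    scans = parse_scans(SAMPLE_LOG)
    for kind, name, path, detail in diff_scans(scans[0], scans[-1]):
        print(f"{kind:13} {name:12} {path}  {detail}")
    for name in outside_system_dirs(scans[-1]):
        print(f"unusual-path  {name:12} {scans[-1][name].path}")
```

Run directly, it prints the three diff findings and the one unusual path. A driver that is new or re-hashed between two scans taken minutes apart, or a changed MBR hash, is the kind of evidence that would back up the "possible rootkit activity" worry; an unusual path by itself is only a prompt to look the file up, since in the real log DSproct and FastLynx load from Program Files because that is where Dell Support and FastLynx install them.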

#8 pwgib

  • Malware Response Team

Posted 16 July 2011 - 04:26 AM

Hi ricknorth,


I did set system restore back on (should I turn it back off now??),

You should leave System Restore on and only turn it off to clear restore points.

And, it found trojan.banker hiding in a .exe file I created and ran a few days ago

Could you elaborate? I find it unusual that you created a file that contained a trojan. Where did you get the contents of the file? It may be that there is some code you compiled that MBAM hit on.


Step 1.

Let's get another opinion.

Open MBAM and go to the Quarantine tab. Click on the file c:\tri.exe then the Restore button. Once the file tri.exe is restored DO NOT open it or restart your computer before it is quarantined again in case there is a loading point present.

  • Click on this link--> virustotal
  • Click the browse button. Copy and paste the following line into the open box, then click Send File. You will only be able to have one file scanned at a time.

c:\tri.exe


If the file has been analyzed before, click the Reanalyse File Now button.

Please copy and paste the results of the scan in your next post.

Now, scan with MBAM again and allow the file to be quarantined.


Step 2.


Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to Disable your Security Applications


    Note - If you have AVG or CA installed, due to recent changes in how these AVs target the tool's internal files, they must be uninstalled before running ComboFix. If you have difficulty uninstalling the AV, download Opswat AppRemover http://www.appremover.com/supported-applications <----Important
    Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.


Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.


Step 3.

We need to create an OTL Report
  • Please download OTL from the following mirror:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized



In your next reply please include the following:


VirusTotal results
New MBAM scan log
ComboFix.txt
OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized



Thanks!!
PW

#9 pwgib

pwgib

  • Malware Response Team
  • 2,957 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:God's Country
  • Local time:11:10 PM

Posted 19 July 2011 - 07:01 AM

Hi ricknorth,


Still with me?
PW

#10 ricknorth

ricknorth
  • Topic Starter

  • Members
  • 110 posts
  • OFFLINE
  •  
  • Local time:08:10 PM

Posted 19 July 2011 - 12:48 PM

PW,
Yes, I'm here. I'm an astronomer and had an observing trip yesterday and just woke up (10:45am here in California).

On the tri.exe trojan. I have Lahey Fortran 95 installed. I write my own Fortran programs using a plain text editor and am sure there was nothing in what I personally wrote which contained any malware. tri.exe is a small, simple program only a few dozen source lines long. I write code, compile it into a .exe file. Because I use this tri.exe in the root directory (which is otherwise pretty empty of .exe's), I suspect that this was targeted by malware existing elsewhere as a good place to put its code. Isn't it true that malware can take an existing .exe and glom its bad code onto it?

I will do the scans you suggest and post again later today.
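
The question in the post above, whether malware can glom its code onto an existing .exe, describes what classic file infectors do: append a section or overlay to the host, point the entry point at the added code, and jump back to the original program afterwards so it still appears to work. The restore-and-upload step earlier in the thread is the right way to settle whether tri.exe was touched, and the script below is an added example, not code from the thread or from any of the BleepingComputer tools, showing what a practitioner would check locally first: the file's SHA-256 (which VirusTotal lets you look up without re-uploading), and whether the PE has bytes appended past its last section, an entry point that lands in the last section, or an entry section that is writable. It builds two constructed PE32 fixtures in memory so it runs offline; the section names, payload bytes and overlay blob are all invented, and on a real file you would call inspect_pe on its bytes. The checks are heuristics: installers and packers also add overlays and odd sections, and an unusual but legitimate compiler runtime can trip an AV signature just as easily, so a hit here means "look harder", not "infected".

```python
"""Structural checks for a Windows .exe that may have had code appended by a file infector.
Added example with constructed fixtures; not code from the thread or from the tools it uses."""
import hashlib
import struct

FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000
SCN_CODE, SCN_IDATA = 0x00000020, 0x00000040
SCN_EXEC, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000


def _align(n, a):
    return (n + a - 1) // a * a


def build_pe(sections, entry_rva, overlay=b""):
    """Emit a minimal PE32 image from [(name, bytes, characteristics), ...].
    Constructed fixture: structurally valid for parsing, not meant to be loaded."""
    n = len(sections)
    size_of_headers = _align(64 + 4 + 20 + 224 + 40 * n, FILE_ALIGN)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)           # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 224, 0x0102)
    hdrs, bodies, raw_off, rva = [], [], size_of_headers, SECT_ALIGN
    for name, data, chars in sections:
        raw_size = _align(len(data), FILE_ALIGN)
        hdrs.append(struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data),
                                rva, raw_size, raw_off, 0, 0, 0, 0, chars))
        bodies.append(data.ljust(raw_size, b"\0"))
        raw_off += raw_size
        rva += _align(max(len(data), 1), SECT_ALIGN)
    # Optional header: Magic, linker versions, sizes, AddressOfEntryPoint at +16, then Windows fields.
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, SECT_ALIGN, SECT_ALIGN)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, SECT_ALIGN, FILE_ALIGN,
                       4, 0, 0, 0, 4, 0, 0, rva, size_of_headers, 0, 3, 0,
                       0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * 128                                         # 16 empty data directories
    headers = (dos + coff + opt + b"".join(hdrs)).ljust(size_of_headers, b"\0")
    return headers + b"".join(bodies) + overlay


def inspect_pe(data):
    """Parse the PE headers and flag layout features typical of appended code."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt = pe_off + 24
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(n_sections):
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": f[1], "va": f[2], "raw_size": f[3],
                         "raw_ptr": f[4], "chars": f[9]})
    # Bytes past the last section's raw data are the overlay: normal for installers
    # and some packers, but also where infectors park a payload or its config.
    end_of_sections = max((s["raw_ptr"] + s["raw_size"] for s in sections), default=0)
    overlay = len(data) - end_of_sections
    entry = next((s for s in sections
                  if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["raw_size"])), None)
    findings = []
    if overlay > 0:
        findings.append(f"{overlay} bytes of overlay appended past the last section")
    if entry is None:
        findings.append("entry point lies outside every section")
    else:
        if len(sections) > 1 and entry is sections[-1]:
            findings.append(f"entry point is in the last section {entry['name']}")
        if entry["chars"] & SCN_WRITE:
            findings.append(f"entry section {entry['name']} is writable")
    return {"sections": [s["name"] for s in sections], "overlay": overlay,
            "entry_section": entry["name"] if entry else None, "findings": findings}


def sha256_hex(data):
    """Hash to look up on VirusTotal before deciding whether the file needs uploading."""
    return hashlib.sha256(data).hexdigest()


def demo():
    """Return (clean_report, modified_report) for two constructed fixtures."""
    code = b"\x55\x89\xe5\x31\xc0\x5d\xc3"      # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
    text = (b".text", code, SCN_CODE | SCN_EXEC | SCN_READ)
    data = (b".data", b"hello\0", SCN_IDATA | SCN_READ | SCN_WRITE)
    clean = build_pe([text, data], entry_rva=SECT_ALIGN)
    # Infector pattern: new RWX last section, entry point moved into it, blob appended.
    viral = (b".viral", b"\xe9\0\0\0\0", SCN_CODE | SCN_EXEC | SCN_READ | SCN_WRITE)
    modified = build_pe([text, data, viral], entry_rva=3 * SECT_ALIGN,
                        overlay=b"appended-config-blob")
    return inspect_pe(clean), inspect_pe(modified)


if __name__ == "__main__":
    for label, report in zip(("clean", "modified"), demo()):
        print(label, report["entry_section"], report["overlay"], report["findings"])
```

The clean fixture produces no findings; the modified one reports the 20-byte overlay, the entry point sitting in the last section, and that section being writable. None of the three alone is proof, but a compiled Fortran program that shows all three when its neighbours from the same compiler show none is worth the VirusTotal upload and a second opinion.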

#11 ricknorth

ricknorth
  • Topic Starter

  • Members
  • 110 posts
  • OFFLINE
  •  
  • Local time:08:10 PM

Posted 19 July 2011 - 03:41 PM

OK, de-quarantined the bad tri.exe, ran the VirusTotal scan, then re-quarantined. Darn, now I can't find the output, which I was sure I saved! I'm sleep deprived, sorry. But it said that it had no previous records or information on this virus. To be clear, I wrote tri.for, a program for compiling my triathlon race training mileages, and tri.exe is the compiled program. On the chance that VirusTotal was looking at the name, it's not surprising it didn't find it in past reports.

Here's the MBAM log, which was generated after I updated MBAM's detection...


Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7204

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

7/19/2011 11:46:16 AM
mbam-log-2011-07-19 (11-46-16).txt

Scan type: Quick scan
Objects scanned: 166244
Time elapsed: 8 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\tri.exe (Trojan.Banker) -> Quarantined and deleted successfully.
------------------------------------------------------------------------------------------------------------------------------------

ComboFix 11-07-19.03 - Cabrillo College 07/19/2011 12:04:32.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1483 [GMT -7:00]
Running from: c:\documents and settings\Cabrillo College\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\Microsoft\Internet Explorer\Desktop.htt
c:\documents and settings\Cabrillo College\Application Data\Microsoft\Internet Explorer\Desktop.htt
c:\windows\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Desktop.htt
.
.
((((((((((((((((((((((((( Files Created from 2011-06-19 to 2011-07-19 )))))))))))))))))))))))))))))))
.
.
2011-07-15 22:42 . 2011-07-15 22:42 461779 ----a-w- C:\mystery.exe
2011-07-11 03:23 . 2011-07-11 03:23 10 ----a-w- C:\Q.BAT
2011-07-03 06:37 . 2003-02-27 23:12 696320 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKernel.dll
2011-07-03 06:37 . 2002-12-05 21:10 155648 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iuser.dll
2011-07-03 06:37 . 2002-12-02 22:22 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\DotNetInstaller.exe
2011-07-03 06:37 . 2002-12-02 20:33 57344 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll
2011-07-03 06:37 . 2002-12-02 20:33 237568 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iscript.dll
2011-07-03 06:37 . 2011-07-03 06:37 282756 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\setup.dll
2011-07-03 06:37 . 2011-07-03 06:37 163972 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iGdi.dll
2011-06-27 03:09 . 2011-06-27 03:09 -------- d-----w- c:\program files\Common Files\Java
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-07 02:52 . 2011-04-14 08:48 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 02:52 . 2011-04-01 20:46 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-26 18:33 . 2011-05-25 07:14 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02 . 2005-08-16 10:18 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-23 06:03 . 2011-05-23 06:03 1409 ----a-w- c:\windows\QTFont.for
2011-05-04 11:52 . 2010-12-02 22:55 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 09:25 . 2011-05-02 22:08 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-02 15:31 . 2005-08-16 10:40 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2005-08-16 10:18 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2005-08-16 10:18 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-26 11:07 . 2005-08-16 10:18 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-04-26 11:07 . 2005-08-16 10:18 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-04-25 15:51 . 2005-08-16 10:18 832512 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 15:51 . 2005-08-16 10:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-04-25 15:51 . 2005-08-16 10:18 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 15:51 . 2005-08-16 10:18 17408 ----a-w- c:\windows\system32\corpol.dll
2011-04-25 12:01 . 2011-04-14 08:47 389120 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2005-08-16 10:18 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2010-10-23 04:07 . 2011-02-01 01:30 23864 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-01-28 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 602182]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-08-04 1032192]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2006-08-22 184320]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-08-26 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2010-10-23 124224]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-01-07 1797488]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\documents and settings\Cabrillo College\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-1-17 24576]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
.
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [10/22/2010 9:07 PM 22816]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [1/31/2011 6:30 PM 69192]
R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\drivers\dc3d.sys [5/24/2011 2:03 PM 44416]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/29/2010 10:32 PM 136176]
S2 sbigudrv;sbigudrv;c:\windows\system32\drivers\sbigudrv.sys [3/15/2008 12:47 AM 12800]
S2 SBIGULDR;SBIG USB Loader (sbiguldr.sys);c:\windows\system32\drivers\sbiguldr.sys [4/14/2011 1:48 AM 31232]
S2 SBIGUSBE;SBIG USB Driver (sbigusbe.sys);c:\windows\system32\drivers\sbigusbe.sys [4/14/2011 1:48 AM 13824]
S3 FastLynx;FastLynx;c:\program files\FastLynx\FastLynx.sys [12/27/2002 3:06 PM 2987]
S3 FXUSB;FastLynx USB 2.0 Bridge Cable Driver;c:\windows\system32\drivers\FxUsb.sys [4/14/2011 1:48 AM 14080]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [11/29/2010 10:32 PM 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [4/14/2011 1:48 AM 41272]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/14/2011 1:48 AM 66536]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-30 05:32]
.
2011-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-30 05:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cabrillo.edu/~rnolthenius/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: DhcpNameServer = 208.67.222.222 208.67.222.220
TCP: Interfaces\{B5F38913-1403-4EEB-B61A-13CC838352CE}: NameServer = 208.67.222.222,208.67.222.220
FF - ProfilePath - c:\documents and settings\Cabrillo College\Application Data\Mozilla\Firefox\Profiles\sdugaw7o.default\
FF - prefs.js: browser.startup.homepage - hxxp://bigcharts.marketwatch.com/advchart/frames/frames.asp?symb=ndx&insttype=&time=7&freq=1
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
FF - Ext: Clear Cache Button: {563e4790-7e70-11da-a72b-0800200c9a66} - %profile%\extensions\{563e4790-7e70-11da-a72b-0800200c9a66}
FF - Ext: ReminderFox: {ada4b710-8346-4b82-8199-5de2b400a6ae} - %profile%\extensions\{ada4b710-8346-4b82-8199-5de2b400a6ae}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-19 12:09
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-07-19 12:11:32
ComboFix-quarantined-files.txt 2011-07-19 19:11
.
Pre-Run: 83,635,298,304 bytes free
Post-Run: 84,385,726,464 bytes free
.
- - End Of File - - 90A5ADC59A4E1A56630B9B5B5F658177






OTL logfile created on: 7/19/2011 12:19:04 PM - Run 2
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Documents and Settings\Cabrillo College\Desktop\bugs
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.42 Gb Available Physical Memory | 71.09% Memory free
3.84 Gb Paging File | 3.46 Gb Available in Paging File | 90.07% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 105.09 Gb Total Space | 78.62 Gb Free Space | 74.81% Space Free | Partition Type: NTFS

Computer Name: RINOLTHE-NOTE | User Name: Cabrillo College | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/07/19 12:15:11 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Cabrillo College\Desktop\bugs\OTL.exe
PRC - [2011/06/27 20:35:10 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/10/22 21:07:00 | 000,147,984 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
PRC - [2010/10/22 21:07:00 | 000,124,224 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
PRC - [2010/10/22 21:07:00 | 000,069,192 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\mfevtps.exe
PRC - [2010/10/22 21:07:00 | 000,066,880 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
PRC - [2010/10/22 21:07:00 | 000,027,960 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
PRC - [2010/10/22 21:07:00 | 000,022,816 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
PRC - [2009/08/25 17:00:00 | 000,226,624 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
PRC - [2009/08/25 17:00:00 | 000,136,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\UdaterUI.exe
PRC - [2009/08/25 17:00:00 | 000,103,744 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe
PRC - [2009/08/25 17:00:00 | 000,091,456 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\McTray.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/08/22 14:32:18 | 000,184,320 | ---- | M] (CyberLink Corp.) -- C:\Program Files\Dell\MediaDirect\PCMService.exe
PRC - [2006/08/03 17:51:42 | 001,032,192 | ---- | M] (Dell Inc) -- C:\Program Files\Dell\QuickSet\quickset.exe
PRC - [2006/05/01 08:34:00 | 000,262,217 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
PRC - [2006/05/01 08:28:26 | 000,602,182 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
PRC - [2006/05/01 08:28:06 | 000,667,718 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
PRC - [2006/03/24 15:30:44 | 000,282,624 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe


========== Modules (SafeList) ==========

MOD - [2011/07/19 12:15:11 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Cabrillo College\Desktop\bugs\OTL.exe
MOD - [2010/08/23 09:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/10/22 21:07:00 | 000,147,984 | ---- | M] (McAfee, Inc.) [Auto | Paused] -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe -- (McShield)
SRV - [2010/10/22 21:07:00 | 000,069,192 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\WINDOWS\system32\mfevtps.exe -- (mfevtp)
SRV - [2010/10/22 21:07:00 | 000,066,880 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe -- (McTaskManager)
SRV - [2010/10/22 21:07:00 | 000,022,816 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe -- (McAfeeEngineService)
SRV - [2009/08/25 17:00:00 | 000,103,744 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)
SRV - [2006/05/01 08:34:00 | 000,262,217 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe -- (WLANKEEPER) Intel®


========== Driver Services (SafeList) ==========

DRV - [2011/07/06 19:52:42 | 000,041,272 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2011/01/07 15:56:12 | 000,044,416 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dc3d.sys -- (dc3d)
DRV - [2010/10/22 21:07:00 | 000,344,712 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2010/10/22 21:07:00 | 000,091,896 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2010/10/22 21:07:00 | 000,076,024 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2010/10/22 21:07:00 | 000,066,536 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2010/10/22 21:07:00 | 000,064,208 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdik.sys -- (mfetdik)
DRV - [2010/10/22 21:07:00 | 000,043,192 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/02/17 10:52:48 | 000,012,800 | ---- | M] (Santa Barbara Instrument Group) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\sbigudrv.sys -- (sbigudrv)
DRV - [2008/01/23 17:35:48 | 000,031,232 | ---- | M] (Santa Barbara Instrument Group) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\sbiguldr.sys -- (SBIGULDR) SBIG USB Loader (sbiguldr.sys)
DRV - [2006/08/24 23:23:08 | 000,044,544 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2006/05/24 17:05:26 | 000,023,271 | ---- | M] (Broadcom Corporation.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\btserial.sys -- (BTSERIAL)
DRV - [2006/05/24 17:04:04 | 000,851,434 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2006/05/24 17:01:34 | 000,030,427 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)
DRV - [2006/05/24 17:00:50 | 000,066,488 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2006/05/24 16:58:18 | 000,148,900 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)
DRV - [2006/05/01 08:52:02 | 000,013,568 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2006/04/26 15:13:04 | 001,429,632 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\w39n51.sys -- (w39n51) Intel®
DRV - [2006/03/24 15:34:30 | 001,156,648 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2006/01/10 10:07:58 | 000,004,864 | ---- | M] (GTek Technologies Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2005/10/14 07:40:18 | 000,307,968 | ---- | M] (REDC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2005/10/14 07:40:18 | 000,051,328 | ---- | M] (REDC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2005/10/14 07:40:18 | 000,028,544 | ---- | M] (REDC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2005/08/12 16:50:46 | 000,016,128 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV)
DRV - [2005/07/21 19:02:12 | 001,035,008 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/07/21 19:01:08 | 000,201,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2005/07/21 19:01:00 | 000,717,952 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/02/13 08:46:00 | 000,017,153 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\omci.sys -- (omci)
DRV - [2003/09/05 10:11:44 | 000,013,824 | ---- | M] (SBIG) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\sbigusbe.sys -- (SBIGUSBE) SBIG USB Driver (sbigusbe.sys)
DRV - [2003/08/21 15:55:06 | 000,014,080 | ---- | M] (Sewell Development Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\FxUsb.sys -- (FXUSB)
DRV - [2002/10/07 12:40:37 | 000,002,987 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\FastLynx\FastLynx.sys -- (FastLynx)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070117
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070117


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070117
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070117
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2092748523-170061809-1828599516-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-2092748523-170061809-1828599516-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-2092748523-170061809-1828599516-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.cabrillo.edu/~rnolthenius/
IE - HKU\S-1-5-21-2092748523-170061809-1828599516-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "http://bigcharts.marketwatch.com/advchart/frames/frames.asp?symb=ndx&insttype=&time=7&freq=1"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.9
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:2.1.1.2
FF - prefs.js..extensions.enabledItems: {3d7eb24f-2740-49df-8937-200b1cc08f8a}:1.5.14.2
FF - prefs.js..extensions.enabledItems: {563e4790-7e70-11da-a72b-0800200c9a66}:0.9e
FF - prefs.js..extensions.enabledItems: {ada4b710-8346-4b82-8199-5de2b400a6ae}:1.9.9.3.1
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.18\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/06/27 20:35:14 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.18\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/06/27 20:35:14 | 000,000,000 | ---D | M]

[2010/01/11 09:33:57 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Cabrillo College\Application Data\Mozilla\Extensions
[2011/07/05 21:24:49 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Cabrillo College\Application Data\Mozilla\Firefox\Profiles\sdugaw7o.default\extensions
[2011/01/01 14:32:09 | 000,000,000 | ---D | M] (Flashblock) -- C:\Documents and Settings\Cabrillo College\Application Data\Mozilla\Firefox\Profiles\sdugaw7o.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
[2011/07/04 12:59:05 | 000,000,000 | ---D | M] (Vyprázdnit vyrovnávací paměť) -- C:\Documents and Settings\Cabrillo College\Application Data\Mozilla\Firefox\Profiles\sdugaw7o.default\extensions\{563e4790-7e70-11da-a72b-0800200c9a66}
[2011/07/05 21:19:05 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\Cabrillo College\Application Data\Mozilla\Firefox\Profiles\sdugaw7o.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2011/04/05 20:26:51 | 000,000,000 | ---D | M] (ReminderFox) -- C:\Documents and Settings\Cabrillo College\Application Data\Mozilla\Firefox\Profiles\sdugaw7o.default\extensions\{ada4b710-8346-4b82-8199-5de2b400a6ae}
[2011/07/04 12:59:08 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Cabrillo College\Application Data\Mozilla\Firefox\Profiles\sdugaw7o.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2011/07/05 21:24:49 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/12/02 15:55:45 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/01/01 14:26:31 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011/05/02 15:08:02 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
[2011/06/26 20:09:10 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
[2011/05/02 15:07:45 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2010/12/06 18:59:59 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2010/10/22 21:07:00 | 000,023,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\mozilla firefox\components\Scriptff.dll
[2011/05/04 04:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2011/07/19 12:09:23 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll (Google Inc.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (Dell Inc.)
O3 - HKU\S-1-5-21-2092748523-170061809-1828599516-1006\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc)
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\udaterui.exe (McAfee, Inc.)
O4 - HKLM..\Run: [PCMService] C:\Program Files\Dell\MediaDirect\PCMService.exe (CyberLink Corp.)
O4 - HKLM..\Run: [ShStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKU\S-1-5-21-2092748523-170061809-1828599516-1006..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netwaiting.exe ()
O4 - Startup: C:\Documents and Settings\Cabrillo College\Start Menu\Programs\Startup\Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2092748523-170061809-1828599516-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2092748523-170061809-1828599516-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-2092748523-170061809-1828599516-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-2092748523-170061809-1828599516-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll (Google Inc.)
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170703230359 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Cabrillo College\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Cabrillo College\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/16 03:43:04 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/07/19 12:02:49 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/07/19 12:02:49 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/07/19 12:02:49 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/07/19 12:02:49 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/07/19 12:01:56 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/07/19 11:56:38 | 004,159,135 | R--- | C] (Swearware) -- C:\Documents and Settings\Cabrillo College\Desktop\ComboFix.exe
[2011/07/15 15:18:05 | 001,436,976 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Cabrillo College\Desktop\tdsskiller.exe
[2011/07/15 14:45:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware
[2011/07/12 21:25:35 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Cabrillo College\Start Menu\Programs\Administrative Tools
[2011/06/26 20:09:54 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2011/06/26 20:09:07 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/06/26 20:09:07 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/06/26 20:09:07 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/07/19 12:09:23 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/07/19 11:56:39 | 004,159,135 | R--- | M] (Swearware) -- C:\Documents and Settings\Cabrillo College\Desktop\ComboFix.exe
[2011/07/19 11:50:08 | 000,000,902 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/07/19 11:50:05 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/07/19 11:50:03 | 2137,456,640 | -HS- | M] () -- C:\hiberfil.sys
[2011/07/19 11:48:00 | 000,000,906 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/07/17 21:52:14 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/07/15 15:42:43 | 000,461,779 | ---- | M] () -- C:\mystery.exe
[2011/07/15 15:42:42 | 000,001,197 | ---- | M] () -- C:\mystery.obj
[2011/07/15 15:42:39 | 000,000,257 | ---- | M] () -- C:\MYSTERY.FOR
[2011/07/15 15:18:05 | 001,436,976 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Cabrillo College\Desktop\tdsskiller.exe
[2011/07/15 14:45:56 | 000,000,688 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/07/13 20:51:54 | 000,013,540 | ---- | M] () -- C:\TRI.DAT
[2011/07/13 20:30:35 | 000,278,152 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/07/13 20:23:17 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/07/10 21:13:02 | 000,013,473 | ---- | M] () -- C:\TRI.BAK
[2011/07/10 21:06:12 | 000,004,761 | ---- | M] () -- C:\tri.obj
[2011/07/10 21:06:09 | 000,001,308 | ---- | M] () -- C:\TRI.FOR
[2011/07/10 20:23:49 | 000,000,010 | ---- | M] () -- C:\Q.BAT
[2011/07/10 20:23:13 | 000,000,007 | ---- | M] () -- C:\Q.BAK
[2011/07/06 19:52:42 | 000,041,272 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/07/06 19:52:42 | 000,022,712 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/06/26 11:33:48 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/06/25 23:45:56 | 000,256,000 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2011/06/19 23:48:02 | 000,010,816 | ---- | M] () -- C:\Documents and Settings\Cabrillo College\My Documents\cc_20110619_234756.reg
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/07/19 12:02:49 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/07/19 12:02:49 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/07/19 12:02:49 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/07/19 12:02:49 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/07/19 12:02:49 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/07/15 15:42:43 | 000,461,779 | ---- | C] () -- C:\mystery.exe
[2011/07/15 15:42:42 | 000,001,197 | ---- | C] () -- C:\mystery.obj
[2011/07/15 15:42:39 | 000,000,257 | ---- | C] () -- C:\MYSTERY.FOR
[2011/07/15 14:45:56 | 000,000,688 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/07/10 20:23:00 | 000,000,010 | ---- | C] () -- C:\Q.BAT
[2011/07/10 20:23:00 | 000,000,007 | ---- | C] () -- C:\Q.BAK
[2011/06/28 20:19:18 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2011/06/19 23:47:58 | 000,010,816 | ---- | C] () -- C:\Documents and Settings\Cabrillo College\My Documents\cc_20110619_234756.reg
[2011/02/26 15:55:14 | 000,000,190 | ---- | C] () -- C:\WINDOWS\MRU.ini
[2008/11/26 20:00:00 | 000,006,656 | ---- | C] () -- C:\Documents and Settings\Cabrillo College\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/11/18 22:45:42 | 000,001,172 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2007/02/05 15:48:15 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Cabrillo College\Application Data\wklnhst.dat
[2007/02/05 11:45:26 | 000,002,828 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2007/02/05 11:45:26 | 000,000,088 | RHS- | C] () -- C:\WINDOWS\System32\58FB2E1142.sys
[2007/02/05 10:53:37 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2007/02/02 12:15:58 | 000,000,280 | ---- | C] () -- C:\WINDOWS\System32\epoPGPsdk.dll.sig
[2007/02/02 11:57:32 | 000,000,139 | ---- | C] () -- C:\Documents and Settings\Cabrillo College\Local Settings\Application Data\fusioncache.dat
[2007/01/17 12:55:07 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2007/01/17 12:43:56 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/01/17 12:34:19 | 000,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2007/01/17 12:33:01 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2007/01/17 12:00:26 | 000,049,152 | ---- | C] () -- C:\WINDOWS\setpwrcg.exe
[2007/01/17 12:00:20 | 000,016,480 | ---- | C] () -- C:\WINDOWS\System32\rixdicon.dll
[2007/01/17 11:58:58 | 000,000,391 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2006/05/24 17:16:22 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll
[2005/08/16 03:48:31 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2005/08/16 03:38:45 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2005/08/16 03:37:24 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/08/16 03:33:38 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/08/16 03:27:59 | 000,278,152 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2005/08/16 03:18:35 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2005/08/16 03:18:33 | 000,461,286 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2005/08/16 03:18:33 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2005/08/16 03:18:33 | 000,080,308 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2005/08/16 03:18:33 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2005/08/16 03:18:32 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2005/08/16 03:18:30 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/08/16 03:18:28 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2005/08/16 03:18:23 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2005/08/16 03:18:23 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2005/08/16 03:18:15 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2005/08/16 03:18:08 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2005/08/05 13:01:54 | 000,239,104 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/04/09 09:04:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/11/14 12:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

< End of report >
------------------------------------------------------------------------------------------------------------------------

and the extra report from OTL...

------------------------------------------------------------------------------------------------------------------------
OTL Extras logfile created on: 7/19/2011 12:17:08 PM - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Documents and Settings\Cabrillo College\Desktop\bugs
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.42 Gb Available Physical Memory | 71.50% Memory free
3.84 Gb Paging File | 3.47 Gb Available in Paging File | 90.34% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 105.09 Gb Total Space | 78.62 Gb Free Space | 74.81% Space Free | Partition Type: NTFS

Computer Name: RINOLTHE-NOTE | User Name: Cabrillo College | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
jsfile [edit] -- "C:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe" "%1" (Macromedia, Inc.)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Dell\MediaDirect\PCMService.exe" = C:\Program Files\Dell\MediaDirect\PCMService.exe:*:Enabled:CyberLink PowerCinema Resident Program -- (CyberLink Corp.)
"C:\Program Files\McAfee\Common Framework\FrameworkService.exe" = C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service -- (McAfee, Inc.)
"C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe" = C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe:*:Enabled:Dreamweaver MX -- (Macromedia, Inc.)
"C:\Program Files\Macromedia\Dreamweaver 8\Dreamweaver.exe" = C:\Program Files\Macromedia\Dreamweaver 8\Dreamweaver.exe:*:Enabled:Dreamweaver 8 -- (Macromedia, Inc.)
"C:\Program Files\Google\Google Earth\client\googleearth.exe" = C:\Program Files\Google\Google Earth\client\googleearth.exe:*:Enabled:Google Earth -- (Google)
"C:\Program Files\Java\jre6\bin\java.exe" = C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}" = mSSO
"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic RecordNow Data
"{0837A661-FEC3-48B3-876C-91E7D32048A9}" = Macromedia Dreamweaver 8
"{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}" = mLogView
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{147BCE03-C0F1-4C9F-8157-6A89B6D2D973}" = McAfee VirusScan Enterprise
"{1794C35F-836A-4E0D-8FDB-6DE0D143088E}_is1" = SBIG Driver Checker
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{26A24AE4-039D-4CA4-87B4-2F83216025FF}" = Java™ 6 Update 26
"{26E1BFB0-E87E-4696-9F89-B467F01F81E5}" = Broadcom Management Programs
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{352310C3-E46B-42D3-8F32-54721FDD72D9}" = NetZeroInstallers
"{3E9D596A-61D4-4239-BD19-2DB984D2A16F}" = mIWA
"{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = URL Assistant
"{3F4EC965-28EF-45C3-B063-04B25D4E9679}" = WIDCOMM Bluetooth Software
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}" = mHlpDell
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4B9F45E8-E3CE-40B4-9463-80A9B3481DEF}" = Banctec Service Agreement
"{541FA058-2E3A-41DD-8119-A19839D9C0CC}" = Occult 4
"{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}" = Macromedia Extension Manager
"{5CBD32AC-4778-4305-8DAC-A43699A44914}_is1" = CCDOps5
"{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}" = AOLIcon
"{62C8CA58-FA17-45F3-AE58-0C1A40F66FE5}" = Occult Watcher
"{63DB9CCD-2B56-4217-9A3D-507AC78320CA}" = mWMI
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{6D5FCA42-1486-4E32-AFE8-1B7E2AA59D33}" = Digital Content Portal
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{786C5747-1033-0000-B58E-000000000001}" = Adobe Stock Photos 1.0
"{7C49EA42-5647-4051-84C2-E6404F25A931}" = Yahoo! Music Jukebox
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{8B4AB829-DFD3-436D-B808-D9733D76C590}" = Macromedia Dreamweaver MX
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{8EDBA74D-0686-4C99-BFDD-F894678E5B39}" = Adobe Common File Installer
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{90B0D222-8C21-4B35-9262-53B042F18AF9}" = mPfWiz
"{94658027-9F16-4509-BBD7-A59FE57C3023}" = mZConfig
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{9C6978E8-B6D0-4AB7-A7A0-D81A74FBF745}" = MediaDirect
"{9CC89556-3578-48DD-8408-04E66EBEF401}" = mXML
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AA951B10-7089-4D60-B288-516E641F48E6}" = McAfee Agent
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic RecordNow Audio
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.0)
"{AFF7E080-1974-45BF-9310-10DE1A1F5ED0}" = Adobe AIR
"{B0DF58A2-40DF-4465-AA56-38623EC9938C}" = Documentation & Support Launcher
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic RecordNow Copy
"{B3FED300-806C-11E0-A0D0-B8AC6F97B88E}" = Google Earth
"{B6884A07-0305-47AE-9969-8F26FADC17DE}" = Games, Music, & Photos Launcher
"{B74D4E10-6884-0000-0000-000000000103}" = Adobe Bridge 1.0
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CD232781-26CA-4E18-BC70-4343A2F0D583}" = Microsoft IntelliPoint 8.0
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEE2252C-4035-4B27-8EC6-0B085DD3A413}" = Dell Support 3.2.1
"{E43ED9E3-904C-4F9D-A710-9FE0A60C279F}" = Tangra
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{E81667C6-2856-46D6-ABEA-6A2F42166779}" = mCore
"{E9787678-1033-0000-8E67-000000000001}" = Adobe Help Center 1.0
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F6090A17-0967-4A8A-B3C3-422A1B514D49}" = mDrWiFi
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"Adobe AIR" = Adobe AIR
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop CS2 - {236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"B3EE3001-DC24-4cd1-8743-5692C716659F" = Otto
"C2A for Windows_is1" = C2A for Windows Version 2.0.25
"C2A_is1" = C2A
"CCleaner" = CCleaner
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3" = Conexant HDA D110 MDC V.92 Modem
"CUZ4_is1" = CAM UnZip 4.5
"Dell Game Console" = Dell Game Console
"EmeraldQFE2" = Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
"ESET Online Scanner" = ESET Online Scanner v3
"ESPNMotion" = ESPNMotion
"FastLynx 3.0" = FastLynx 3.3
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.1.1800
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.18)" = Mozilla Firefox (3.6.18)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"ProInst" = Intel® PROSet/Wireless Software
"QuickTime" = QuickTime
"RealPlayer 6.0" = RealPlayer Basic
"SearchAssist" = SearchAssist
"StreetPlugin" = Learn2 Player (Uninstall Only)
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"thinkorswim from TD AMERITRADE" = thinkorswim from TD AMERITRADE
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"WildTangent CDA" = WildTangent Web Driver
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows XP Service Pack" = Windows XP Service Pack 3

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"RegiStax 5.1" = RegiStax 5.1

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 7/15/2011 6:18:43 PM | Computer Name = RINOLTHE-NOTE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

[ System Events ]
Error - 7/18/2011 12:52:34 AM | Computer Name = RINOLTHE-NOTE | Source = Service Control Manager | ID = 7000
Description = The SBIG USB Driver (sbigusbe.sys) service failed to start due to
the following error: %%1058

Error - 7/18/2011 12:52:34 AM | Computer Name = RINOLTHE-NOTE | Source = Service Control Manager | ID = 7000
Description = The sbigudrv service failed to start due to the following error: %%20

Error - 7/19/2011 1:39:58 PM | Computer Name = RINOLTHE-NOTE | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 7/19/2011 1:39:58 PM | Computer Name = RINOLTHE-NOTE | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 7/19/2011 1:39:58 PM | Computer Name = RINOLTHE-NOTE | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 7/19/2011 1:39:58 PM | Computer Name = RINOLTHE-NOTE | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 7/19/2011 2:50:09 PM | Computer Name = RINOLTHE-NOTE | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring
the volume.

Error - 7/19/2011 2:50:25 PM | Computer Name = RINOLTHE-NOTE | Source = Service Control Manager | ID = 7000
Description = The SBIG USB Loader (sbiguldr.sys) service failed to start due to
the following error: %%1058

Error - 7/19/2011 2:50:25 PM | Computer Name = RINOLTHE-NOTE | Source = Service Control Manager | ID = 7000
Description = The SBIG USB Driver (sbigusbe.sys) service failed to start due to
the following error: %%1058

Error - 7/19/2011 2:50:25 PM | Computer Name = RINOLTHE-NOTE | Source = Service Control Manager | ID = 7000
Description = The sbigudrv service failed to start due to the following error: %%20


< End of report >

#12 pwgib

  • Malware Response Team
  • 2,957 posts
  • Gender:Male
  • Location:God's Country
Posted 20 July 2011 - 10:27 AM

Hi ricknorth,

But it said that it had no previous records or information on this virus.

I'm confused. :blink:

When you submitted the file at VirusTotal it should have been scanned by a number of different antivirus products. What I needed to know is if any of them reported the file as being infected.

Did the report say it had no previous information on this virus or did the report say it had no previous information on this file?

Let's try again.

Please follow my previous instructions to dequarantine the file tri.exe

Please follow this link then follow the instructions to submit the file.


Thanks!!

Edited by pwgib, 20 July 2011 - 10:28 AM.

PW

#13 ricknorth

  • Topic Starter
  • Members
  • 110 posts

Posted 20 July 2011 - 04:40 PM

OK. Perhaps I did something wrong last time. This time, it said it had analyzed it once before (mine, I believe), and I then clicked 'reanalyse' and it took a minute or so to run through 43 different antivirus programs and post the results. I highlighted that page and pasted it here...

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name:
tri.exe
Submission date:
2011-07-20 21:32:17 (UTC)
Current status:
finished
Result:
0/ 43 (0.0%)

VT Community

not reviewed
Safety score: -
Antivirus Version Last Update Result
AhnLab-V3 2011.07.21.00 2011.07.20 -
AntiVir 7.11.12.22 2011.07.20 -
Antiy-AVL 2.0.3.7 2011.07.20 -
Avast 4.8.1351.0 2011.07.20 -
Avast5 5.0.677.0 2011.07.20 -
AVG 10.0.0.1190 2011.07.20 -
BitDefender 7.2 2011.07.20 -
CAT-QuickHeal 11.00 2011.07.20 -
ClamAV 0.97.0.0 2011.07.20 -
Commtouch 5.3.2.6 2011.07.20 -
Comodo 9450 2011.07.20 -
DrWeb 5.0.2.03300 2011.07.20 -
Emsisoft 5.1.0.8 2011.07.20 -
eSafe 7.0.17.0 2011.07.20 -
eTrust-Vet 36.1.8455 2011.07.20 -
F-Prot 4.6.2.117 2011.07.20 -
F-Secure 9.0.16440.0 2011.07.20 -
Fortinet 4.2.257.0 2011.07.20 -
GData 22 2011.07.20 -
Ikarus T3.1.1.104.0 2011.07.20 -
Jiangmin 13.0.900 2011.07.20 -
K7AntiVirus 9.108.4929 2011.07.20 -
Kaspersky 9.0.0.837 2011.07.20 -
McAfee 5.400.0.1158 2011.07.20 -
McAfee-GW-Edition 2010.1D 2011.07.20 -
Microsoft 1.7000 2011.07.20 -
NOD32 6311 2011.07.20 -
Norman 6.07.10 2011.07.20 -
nProtect 2011-07-20.01 2011.07.20 -
Panda 10.0.3.5 2011.07.20 -
PCTools 8.0.0.5 2011.07.20 -
Prevx 3.0 2011.07.20 -
Rising 23.67.02.03 2011.07.20 -
Sophos 4.67.0 2011.07.20 -
SUPERAntiSpyware 4.40.0.1006 2011.07.20 -
Symantec 20111.1.0.186 2011.07.20 -
TheHacker 6.7.0.1.258 2011.07.20 -
TrendMicro 9.200.0.1012 2011.07.20 -
TrendMicro-HouseCall 9.200.0.1012 2011.07.20 -
VBA32 3.12.16.4 2011.07.20 -
VIPRE 9904 2011.07.19 -
ViRobot 2011.7.20.4579 2011.07.20 -
VirusBuster 14.0.132.0 2011.07.20 -
Additional information
MD5 : 05dcff4925d4d4a8d01ba546690c35c0
SHA1 : d19aac692e994d025b20a4193aa438219dc62eed
SHA256: d00efd9380dbe5d7c40cb065a14db9e121ff549b2a925dbbfe9964897ad91d93
ssdeep: 6144:i2FGfd05eDi2Z+Rha4Qs13arMYVEmzhObXsyJZ/cbvMYSGWFFIl7hMcNGI1N:i2FGfd05eD2hY7ygb0YLBhMsGIz
File size : 480519 bytes
First seen: 2011-07-19 18:14:14
Last seen : 2011-07-20 21:32:17
TrID:
Generic Win/DOS Executable (50.0%)
DOS Executable Generic (49.9%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x1000
timedatestamp....: 0x4E1A76B4 (Mon Jul 11 04:06:12 2011)
machinetype......: 0x14c (I386)

[[ 7 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
CODE, 0x1000, 0x45B1A, 0x45C00, 6.33, e3fba2dba09bfe11c2e3da7deb365ef6
DATA, 0x47000, 0x15C6C, 0x15E00, 4.44, 03339d577bf87bca934fe201f6ff6a8e
.bss, 0x5D000, 0xC58, 0xE00, 4.43, 4e15cdb0fb6645dc17f026953665c131
.idata, 0x5E000, 0x72E, 0x800, 4.61, 51b9ef8c62f646b2e81050ca654b872d
.edata, 0x5F000, 0x200, 0x200, 2.14, 9ce600094aa845096adbe67eb51aa2ef
.reloc, 0x60000, 0x3600, 0x3600, 5.74, 33263d55ba026a119e1151bf1e6c4f8b
.debug, 0x64000, 0x15507, 0x15507, 4.14, ed50ca781455ed9e8cfbf6862bacea2e

[[ 2 import(s) ]]
kernel32.dll: AllocConsole, Beep, CloseHandle, CreateFileA, CreateFileMappingA, DeleteFileA, EnterCriticalSection, ExitProcess, FileTimeToLocalFileTime, FileTimeToSystemTime, FindClose, FindFirstFileA, GetCommandLineA, GetConsoleScreenBufferInfo, GetCurrentDirectoryA, GetCurrentThreadId, GetDriveTypeA, GetEnvironmentStrings, GetFileAttributesA, GetFileSize, GetFileTime, GetFileType, GetFullPathNameA, GetLargestConsoleWindowSize, GetLastError, GetLocalTime, GetLogicalDrives, GetModuleFileNameA, GetModuleHandleA, GetProcAddress, GetStartupInfoA, GetStdHandle, GetTimeZoneInformation, GetVersion, GetVersionExA, GlobalMemoryStatus, InitializeCriticalSection, IsBadReadPtr, IsDBCSLeadByte, LeaveCriticalSection, LoadLibraryExA, MapViewOfFile, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, ReadFile, RtlUnwind, ScrollConsoleScreenBufferA, SearchPathA, SetConsoleCtrlHandler, SetConsoleCursorPosition, SetConsoleScreenBufferSize, SetConsoleWindowInfo, SetFilePointer, SetHandleCount, UnhandledExceptionFilter, UnmapViewOfFile, VirtualAlloc, VirtualFree, WriteConsoleOutputA, WriteFile
user32.dll: EnumThreadWindows, MessageBoxA

[[ 4 export(s) ]]
@__lockDebuggerData$qv, @__unlockDebuggerData$qv, __DebuggerHookData, __GetExceptDLLinfo
ExifTool:
file metadata
FileSize: 469 kB
FileType: DOS EXE
MIMEType: application/octet-stream
Symantec reputation:Suspicious.Insight

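The PEInfo block in the VirusTotal paste above (per-section name, viradd, virsiz, rawdsiz, ntropy, md5, plus the decoded timedatestamp) can be reproduced locally, which matters when a file cannot be uploaded. The Python below is an added example written for this page; it is not from the thread, from VirusTotal, or from the tri.exe author. It walks the MZ, PE, COFF, optional and section headers with struct, computes Shannon entropy and MD5 per section, decodes the compile timestamp (the constructed sample reuses tri.exe's 0x4E1A76B4, which comes out as 2011-07-11 04:06:12 UTC, the same instant VT printed), and flags sections at or above 7.0 bits, where packed or encrypted payloads usually sit. The two-section image in build_sample_pe() is constructed and is not a real program; the 7.0 threshold is a triage rule of thumb, not a VirusTotal value.

```python
import hashlib
import math
import struct
from datetime import datetime, timezone


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    ent = -sum((c / n) * math.log2(c / n) for c in counts if c)
    return ent if ent > 0 else 0.0


def parse_pe(image: bytes) -> dict:
    """Summarise a PE image the way the pasted PEInfo block does.
    MZ header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> optional header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    entry = struct.unpack_from("<I", image, opt + 16)[0]  # AddressOfEntryPoint, same offset in PE32 and PE32+
    sect_off = opt + opt_size
    sections = []
    for i in range(nsect):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData (first 24 of the 40-byte header)
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", image, sect_off + 40 * i)
        raw = image[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "viradd": vaddr, "virsiz": vsize, "rawdsiz": rawsize,
            "ntropy": round(shannon_entropy(raw), 2),
            "md5": hashlib.md5(raw).hexdigest(),
        })
    return {
        "machinetype": machine,
        "entrypointaddress": entry,
        "timedatestamp": stamp,
        "compiled_utc": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
        "sections": sections,
    }


def suspicious_sections(info: dict, threshold: float = 7.0) -> list:
    """Names of sections whose entropy suggests packing or encryption.
    Ordinary compiled code lands near 6 to 6.5 bits; 7.0 is an assumed triage cut-off."""
    return [s["name"] for s in info["sections"] if s["ntropy"] >= threshold]


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 image for the demo (not a real program):
    headers in the first 0x200 bytes, a uniform-byte CODE section, a constant DATA section."""
    opt_size = 0xE0                      # PE32 optional header size
    e_lfanew = 0x40
    coff_off = e_lfanew + 4
    opt_off = coff_off + 20
    sect_off = opt_off + opt_size
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # I386, 2 sections, the TimeDateStamp VirusTotal showed for tri.exe, PE32 optional header, EXECUTABLE|32BIT
    struct.pack_into("<HHIIIHH", img, coff_off, 0x14C, 2, 0x4E1A76B4, 0, 0, opt_size, 0x0102)
    # Magic PE32, linker 2.25, SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData, AddressOfEntryPoint
    struct.pack_into("<HBBIIII", img, opt_off, 0x10B, 2, 25, 0x200, 0x200, 0, 0x1000)
    hdr = "<8sIIIIIIHHI"                # full 40-byte IMAGE_SECTION_HEADER
    struct.pack_into(hdr, img, sect_off, b"CODE", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    struct.pack_into(hdr, img, sect_off + 40, b"DATA", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    img += bytes(range(256)) * 2         # raw data at 0x200: every byte value twice -> 8.0 bits
    img += b"A" * 0x200                  # raw data at 0x400: constant -> 0.0 bits
    return bytes(img)


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print("compiled:", info["compiled_utc"])
    print("name, viradd, virsiz, rawdsiz, ntropy, md5")
    for s in info["sections"]:
        print(f"{s['name']}, {s['viradd']:#x}, {s['virsiz']:#x}, {s['rawdsiz']:#x}, {s['ntropy']}, {s['md5']}")
    print("high-entropy sections:", suspicious_sections(info))
```

Read against the paste: a CODE section at 6.33 bits is in the range plain compiled code occupies, and nothing in tri.exe's table approaches the packed range. Keep in mind what 0/43 does and does not say: no engine had a signature for the file at that moment, and Symantec's Suspicious.Insight is a low-prevalence reputation flag rather than a malware identification, so the verdict is "unknown to the scanners", which for a freshly compiled personal program is exactly what one would expect.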

#14 pwgib

  • Malware Response Team
  • 2,957 posts
  • Gender:Male
  • Location:God's Country

Posted 21 July 2011 - 08:55 AM

Hi ricknorth,

Do you know what these are?

C:\Q.BAT
C:\Q.BAK

The file tri.exe is clean. It appears to be a false positive. There is adware that creates a file tri.exe. MBAM may have hit on that.

See here


I still do not see any evidence of rootkit activity but we can look at another scan.


Step 1.

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.


Step 2.


Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan

Do not download the Avast definitions

On completion of the scan click save log, save it to your desktop and post in your next reply


Step 3.


I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


In your next reply let me know about the .bat file and please include the following:


aswMBR log
ESET scan results


How is your computer running?


Thanks!!
PW

#15 ricknorth

  • Topic Starter
  • Members
  • 110 posts

Posted 21 July 2011 - 03:58 PM

Thanks PW,
q.bat is a small file I made which just calls q.exe from another folder. q.exe is the old Qedit editor, my favorite as I can use it in a CMD window and find it much less cumbersome than Notepad. I've had q.exe on my computer for many years. Sometimes I copy q.exe to new folders I make, sometimes I make a q.bat which calls it from another folder as a batch file. The contents of q.bat are this single line...

\xm\q %1

Inside folder \xm is q.exe, which is 47k in size and has a file date of 1990. I use it quite often.

My computer seems to be running OK, no complaints on speed or annoying popup windows from god-knows-where. However, my McAfee VSE (which generally never finds anything of these problems - it seems pretty lame) did, midway through the ESET run, find a trojan. More on that below.

q.exe was one of 4 targets of the infection I had in January this year, when a DNS changer virus out of the Ukraine got hold of this computer because I had not changed the pw on my router from the default (of course I fixed that - no further issue there). The log of that saga is here http://www.bleepingcomputer.com/forums/topic373412.html
The outcome of that episode was deleting c:\q.exe and after the machine was clean, copying q.exe from c:\xm back into the root so I could use it there. Apparently only the root directory q.exe was identified as infected, not the other q.exe copies I have scattered in various folders where I need an editor.

So, are you saying I can recompile my tri.for source code to remake tri.exe and be OK? Should I instead rename it, say to tr.for and so tr.exe?

I ran defogger, it did not require rebooting as I don't have CD emulation on. I then ran aswMBR.exe and here is the log created...

aswMBR version 0.9.8.942 Copyright© 2011 AVAST Software
Run date: 2011-07-21 09:13:57
-----------------------------
09:13:57.609 OS Version: Windows 5.1.2600 Service Pack 3
09:13:57.609 Number of processors: 2 586 0xF06
09:13:57.609 ComputerName: RINOLTHE-NOTE UserName:
09:13:58.531 Initialize success
09:14:50.312 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
09:14:50.312 Disk 0 Vendor: Hitachi_HTS541612J9SA00 SBDOC74P Size: 114473MB BusType: 3
09:14:50.343 Disk 0 MBR read successfully
09:14:50.343 Disk 0 MBR scan
09:14:50.343 Disk 0 unknown MBR code
09:14:50.343 Disk 0 scanning sectors +234436545
09:14:50.421 Disk 0 scanning C:\WINDOWS\system32\drivers
09:14:59.828 Service scanning
09:15:01.453 Modules scanning
09:15:29.281 Disk 0 trace - called modules:
09:15:29.312 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
09:15:29.312 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a7c5ab8]
09:15:29.312 3 CLASSPNP.SYS[ba0f8fd7] -> nt!IofCallDriver -> \Device\00000073[0x8a7caf18]
09:15:29.312 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a7c9940]
09:15:29.312 Scan finished successfully
09:16:21.828 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Cabrillo College\Desktop\bugs\MBR.dat"
09:16:21.906 The log file has been saved successfully to "C:\Documents and Settings\Cabrillo College\Desktop\bugs\aswMBR.txt"


I then ran ESET, checked the 'scan archives' box, and it took 2 hours to scan. It found no infections. There was no 'list of found threats' to click on and no 'export to text file' to click on. It just had the popup box with the green upper border and said 'no threats found', and then offered to buy etc. However, during the running of ESET, about midway through (an hour into the scan), my McAfee VSE 8.9i OnAccess Scanner popped up a box saying it found a trojan.
Here are the copied lines from the McAfee VSE popup box onaccess scanner when it found a trojan...


C:\Program Files\FastLynx\DpInstia64.exe
Generic Malware.mn
Deleted


----------------------------------------------------------------------------------
and this is the only line generated in the OnAccessScanLog.txt file from McAfee VSE....

7/21/2011 9:53:36 AM Deleted RINOLTHE-NOTE\Cabrillo College C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe C:\Program Files\FastLynx\DpInstia64.exe Generic Malware.mn (Trojan)
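The aswMBR log above reports "unknown MBR code" and saves the sector to MBR.dat. That wording only means the boot code did not match a signature aswMBR knows, so the useful next step is to look at the sector itself. The Python below is an added example for this page, not part of the thread and not aswMBR's code. It parses a raw 512-byte MBR dump (assumed here to be what MBR.dat contains; that is an assumption about the file, not something the log states): it checks the 0x55AA boot signature, lists the partition entries, hashes the 440-byte bootstrap area so it can be compared with a hash taken when the disk was known good, and reports the unallocated sectors after the last partition, which is where MBR bootkits normally park their body. The sample MBR in build_sample_mbr() is constructed and does not describe the disk in this thread.

```python
import hashlib
import struct
import sys

SECTOR = 512
BOOTCODE_LEN = 440          # classic MBR layout: bootstrap code runs up to the disk signature
DISK_SIG_OFF = 0x1B8
PART_TABLE_OFF = 0x1BE
BOOT_SIG_OFF = 0x1FE


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap-code hash, disk signature and partition entries.
    Raises ValueError if the size is wrong or the 55AA boot signature is missing."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    if sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xAA":
        raise ValueError("boot signature 55AA missing")
    parts = []
    for i in range(4):
        # status, CHS start, type, CHS end, LBA start, sector count (16 bytes per entry)
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack_from(
            "<B3sB3sII", sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue                         # empty slot
        parts.append({
            "index": i,
            "bootable": bool(status & 0x80),
            "type": ptype,
            "lba_start": lba_start,
            "sectors": count,
            "lba_end": lba_start + count,    # exclusive: first sector after the partition
        })
    return {
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": parts,
    }


def unallocated_tail(info: dict, total_sectors: int) -> tuple:
    """(first_lba, length) of the sectors after the last partition; worth imaging and
    scanning separately because a bootkit's payload is typically stored there."""
    last = max((p["lba_end"] for p in info["partitions"]), default=0)
    return last, max(total_sectors - last, 0)


def bootcode_changed(sector: bytes, baseline_sha256: str) -> bool:
    """True if the bootstrap code differs from a hash recorded when the disk was known good."""
    return parse_mbr(sector)["bootcode_sha256"] != baseline_sha256


def build_sample_mbr() -> bytes:
    """Constructed MBR for the demo (not from any real disk): pseudo boot code,
    disk signature 0x1234ABCD, one active NTFS partition from LBA 63 to 2097152."""
    mbr = bytearray(SECTOR)
    mbr[:BOOTCODE_LEN] = bytes((i * 7 + 3) & 0xFF for i in range(BOOTCODE_LEN))
    struct.pack_into("<I", mbr, DISK_SIG_OFF, 0x1234ABCD)
    struct.pack_into("<B3sB3sII", mbr, PART_TABLE_OFF,
                     0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 2097152 - 63)
    mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xAA"
    return bytes(mbr)


if __name__ == "__main__":
    # Usage: python mbr_check.py [MBR.dat] [known_good_sha256]
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            sector = fh.read(SECTOR)
    else:
        sector = build_sample_mbr()
    info = parse_mbr(sector)
    print(f"disk signature: {info['disk_signature']:#010x}")
    print(f"bootcode sha256: {info['bootcode_sha256']}")
    for p in info["partitions"]:
        flag = "*" if p["bootable"] else " "
        print(f"{flag} part {p['index']} type {p['type']:#04x} LBA {p['lba_start']} +{p['sectors']}")
    if len(sys.argv) > 2:
        print("bootcode changed since baseline:", bootcode_changed(sector, sys.argv[2]))
```

The baseline hash is the part that makes this more than a pretty-printer: record it while the machine is trusted (or from a clean install of the same OS and disk tooling), keep it off the machine, and re-check after any incident. A changed hash does not identify what wrote the new code, but an unchanged one settles the "unknown MBR code" question quickly.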



