
FakeFrag/FakeAlert? boot sector


  • This topic is locked
5 replies to this topic

#1 DixieDebVa


  • Members
  • 3 posts

Posted 08 July 2011 - 03:24 PM

New here but a 10-yr tech & thought I was pretty good on viruses... what's this dog? Identical problems as the FakeFrag notes from Norton (I use mbam & mcafee). Win XP SP3, Explorer 7. Got it while watching an embedded youtube. 1st was "hard drive/sata failure" popups, then desktop & most menus gone but revealed by "show hidden". Some files in user/temp/smtemp, Google redirects, etc. Internet Explorer favorites gone. Caught/renamed the original kick file in registry /run on 1st safe reboot, so never saw any "Buy fake antivirus" fix? But this bug already did things..

Files shown at "time" of infect.. and in prefetch
eHmcHPSHLtmC.exe -- main kick? was in registry/run.. renamed diff registry & C:
JAVAW.exe

These reappear in User/temp/ in new random folders on reboot, but not in safe mode? or after Rkill.. unsure
nircmd.rkexe
nircmdc.rkexe
pev.rkexe
sed.rkexe

also see on rootrepeal/hidden drivers-
/system32/drivers/dump_iaStor.sys
About[1].exe
2 other drivers with no path, names are random numbers
on rootrepeal/stealth see 3 files hidden with similar (except end) memory loc codes?

Rkill runs but shows it only kills itself. On its desktop reboot, the bug is still stopping fixer programs. Did "restore" to previous week but still bug. Found odd rkill log (never seen in rkill screen) that shows it acted on bad "rkexe" files, but obviously re-enacted on its desktop reboot? Can't read CDrom. TSDD file won't run at all, mbam won't update (only 2 weeks old anyway) but only finds "FakeAlert" bug in the last restore files. RootRepeal shows 3 stealth & some hidden shown above. Remade on boot -> user/temp with random folders with same kicker files above. Fixed what I could find in registry and can now get around google redirects, but still can't get rkill, mbam or tsdd to work right. Gotta be boot sector virus using nircmd?

I figure this bug is bad and going around fast and you may be well familiar? Has to be boot sector? I hate going online with a sick computer as who knows what it is doing in the background, but with the CDrom not working, that's the only way to download the checker programs listed in the instructions. Hoping I can answer your questions with current programs (like rootrepeal) so no files attached yet.

Last note- seems disappeared now but originally saw in user/temp(?) a weird file that info said was-
"Remote Packet Capture Daemon, CACE Technologies, Inc"
I didn't note the file name, not sure it's part of the problem and can't find it now but thought it may help?

I hope this all makes sense and you know what's up! ;)
"The wise man in the storm prays to God, not for safety from danger, but for deliverance from fear. It is the storm within which endangers him, not the storm without." Emerson



#2 Blade



  • Site Admin
  • 12,744 posts

Posted 28 July 2011 - 07:15 PM

Hello, and welcome to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

If you have since resolved the original problem you were having, we would appreciate you letting us know.

In the upper right hand corner of the topic you will see a button called Watch Topic. By clicking this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand. :)

  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Check the boxes beside LOP Check and Purity Check.
  • Under the "Custom Scans/Fixes" section paste in the text below


    netsvc
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav

  • Push the Run Scan button.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and paste them into the body of your next reply.

***************************************************

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.log" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and copy/paste its contents in your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try unchecking the Devices box in addition to the others previously requested. Also, try running GMER in Safe Mode.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


~Blade


In your next reply, please include the following:
OTL.txt
Extras.txt
Gmer.log

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#3 DixieDebVa

  • Topic Starter

  • Members
  • 3 posts

Posted 31 July 2011 - 07:04 AM

Hey Blade and thanks for helping! I caught this virus on 7/7 at 6:10pm and immediately did what I could to stop the damage. As above, I did catch & rename a bogus registry win/run file (either b4 or after 1st reboot to safe mode) and later was able to restore the computer to an earlier date. Think I stopped half the virus from activating but it seems it hit the MBR. I don't now remember the sequence but did try mbam, rkill, rootrepeal, etc. I'm switching McAfee to AVG as soon as this is over. Help me find/kill what's left. ;) Here's your logs-

OTL logfile created on: 7/31/2011 5:25:09 AM - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Documents and Settings\Dixie\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.58 Gb Available Physical Memory | 79.12% Memory free
2.33 Gb Paging File | 1.85 Gb Available in Paging File | 79.33% Paging File free
Paging file location(s): D:\pagefile.sys 500 4000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 70.76 Gb Total Space | 52.32 Gb Free Space | 73.94% Space Free | Partition Type: NTFS
Drive D: | 14.65 Gb Total Space | 14.08 Gb Free Space | 96.09% Space Free | Partition Type: NTFS
Drive E: | 54.64 Gb Total Space | 51.22 Gb Free Space | 93.74% Space Free | Partition Type: NTFS
Drive F: | 9.00 Gb Total Space | 2.47 Gb Free Space | 27.45% Space Free | Partition Type: NTFS

Computer Name: HP550LAP | User Name: Dixie | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/07/31 05:05:12 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dixie\Desktop\OTL.exe
PRC - [2011/05/05 15:44:48 | 001,195,408 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2011/04/14 14:01:38 | 000,188,136 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
PRC - [2011/04/14 14:01:38 | 000,171,168 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
PRC - [2011/04/14 14:01:38 | 000,141,792 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
PRC - [2010/11/23 22:21:18 | 000,130,000 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Safe Web Lite\Engine\1.2.0.6\ccSvcHst.exe
PRC - [2010/10/27 20:17:52 | 000,207,424 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
PRC - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
PRC - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
PRC - [2009/04/23 18:49:56 | 000,020,480 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
PRC - [2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2011/07/31 05:05:12 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dixie\Desktop\OTL.exe
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/04/14 14:01:38 | 000,188,136 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe -- (mfefire)
SRV - [2011/04/14 14:01:38 | 000,171,168 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2011/04/14 14:01:38 | 000,141,792 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe -- (mfevtp)
SRV - [2010/11/23 22:21:18 | 000,130,000 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton Safe Web Lite\Engine\1.2.0.6\ccSvcHst.exe -- (NSL)
SRV - [2010/10/07 21:34:28 | 000,364,216 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2009/04/23 18:49:56 | 000,020,480 | ---- | M] (Intuit) [Auto | Running] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2007/05/24 07:08:44 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)


========== Driver Services (SafeList) ==========

DRV - [2011/04/14 14:01:38 | 000,387,480 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2011/04/14 14:01:38 | 000,314,088 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2011/04/14 14:01:38 | 000,153,280 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2011/04/14 14:01:38 | 000,095,824 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2011/04/14 14:01:38 | 000,088,736 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendiskmp)
DRV - [2011/04/14 14:01:38 | 000,088,736 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendisk)
DRV - [2011/04/14 14:01:38 | 000,084,488 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2011/04/14 14:01:38 | 000,084,200 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdi2k.sys -- (mfetdi2k)
DRV - [2011/04/14 14:01:38 | 000,056,064 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\cfwids.sys -- (cfwids)
DRV - [2011/04/14 14:01:38 | 000,052,320 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/09/13 14:05:37 | 001,287,552 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2009/07/16 12:32:26 | 000,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2008/04/28 15:22:10 | 000,009,344 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CPQBttn.sys -- (HBtnKey)
DRV - [2007/06/18 17:12:04 | 000,016,768 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)
DRV - [2007/01/02 15:01:40 | 001,160,320 | R--- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-602162358-1547161642-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKU\S-1-5-21-602162358-1547161642-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-602162358-1547161642-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-602162358-1547161642-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-602162358-1547161642-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-602162358-1547161642-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-602162358-1547161642-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60310.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.450: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.3.448: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.448: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{203FB6B2-2E1E-4474-863B-4C483ECCE78E}: C:\Documents and Settings\All Users\Application Data\Norton\{92622AAD-05E8-4459-B256-765CE1E929FB}\NST_1.2.0.6\coFFNST\ [2011/05/27 02:31:38 | 000,000,000 | -H-D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/07/08 02:26:16 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/10/30 20:19:07 | 000,000,000 | ---D | M]

[2010/10/25 03:06:09 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Dixie\Application Data\Mozilla\Extensions
[2011/06/03 04:39:25 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Dixie\Application Data\Mozilla\Firefox\Profiles\45o9sb6t.default\extensions
[2010/10/25 03:09:21 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Dixie\Application Data\Mozilla\Firefox\Profiles\45o9sb6t.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/07/08 22:49:42 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/11/12 17:31:56 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/10/25 03:13:27 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/02/23 15:11:52 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2011/07/08 22:49:42 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
[2009/09/14 16:39:25 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/04/14 14:01:38 | 000,024,376 | ---- | M] (McAfee, Inc.) -- C:\Program Files\mozilla firefox\components\Scriptff.dll
[2011/05/04 04:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2001/08/23 08:00:00 | 000,000,734 | -H-- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Octh Class) - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll (Orbitdownloader.com)
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110708022616.dll (McAfee, Inc.)
O2 - BHO: (Norton Safe Web Lite BHO) - {F0DA78E9-6B60-42fb-BC26-EF2CFB8C8FF3} - C:\Program Files\Norton Safe Web Lite\Engine\1.2.0.6\CoIEPlg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Norton Safe Web Lite) - {30CEEEA2-3742-40e4-85DD-812BF1CBB83D} - C:\Program Files\Norton Safe Web Lite\Engine\1.2.0.6\CoIEPlg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Grab Pro) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll ()
O3 - HKU\S-1-5-21-602162358-1547161642-839522115-1003\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-602162358-1547161642-839522115-1003\..\Toolbar\WebBrowser: (Norton Safe Web Lite) - {30CEEEA2-3742-40E4-85DD-812BF1CBB83D} - C:\Program Files\Norton Safe Web Lite\Engine\1.2.0.6\CoIEPlg.dll (Symantec Corporation)
O3 - HKU\S-1-5-21-602162358-1547161642-839522115-1003\..\Toolbar\WebBrowser: (Grab Pro) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll ()
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\Cpqset.exe ()
O4 - HKLM..\Run: [DNS7reminder] C:\Program Files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
O4 - Startup: C:\Documents and Settings\Dixie\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-602162358-1547161642-839522115-1003\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-602162358-1547161642-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &Download by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: &Grab video by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Do&wnload selected by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Down&load all by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab (GMNRev Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\intu-help-qb1 {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll (TODO: <Company name>)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Dixie\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Dixie\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/09/13 13:21:23 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2011/07/31 05:23:15 | 000,579,584 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Dixie\Desktop\OTL.exe
[2011/07/31 05:15:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dixie\Desktop\2lapVirus
[2011/07/31 02:42:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
[2011/07/31 01:29:31 | 000,000,000 | ---D | C] -- C:\1virus
[2011/07/08 22:49:40 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/07/08 22:49:40 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/07/08 22:49:40 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/07/08 00:42:37 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Dixie\Recent
[2011/07/07 22:11:54 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2011/07/05 03:25:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dixie\Desktop\DutchUFO
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/07/31 05:14:36 | 000,472,952 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/07/31 05:14:36 | 000,084,658 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/07/31 05:05:12 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dixie\Desktop\OTL.exe
[2011/07/31 04:43:11 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/07/31 04:43:01 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/07/31 02:42:02 | 000,013,668 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/07/31 02:41:56 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/07/08 23:11:01 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Dixie\defogger_reenable
[2011/07/08 03:56:27 | 000,000,394 | ---- | M] () -- C:\Documents and Settings\Dixie\Desktop\Shared.lnk
[2011/07/06 20:28:31 | 000,000,245 | -H-- | M] () -- C:\Documents and Settings\Dixie\Desktop\NetFiix.url
[2011/07/05 15:30:05 | 000,156,654 | -H-- | M] () -- C:\Documents and Settings\Dixie\Desktop\james-map.bmp
[2011/07/04 20:17:31 | 000,006,064 | -H-- | M] () -- C:\Documents and Settings\Dixie\Desktop\wake-up.rtf
[2011/07/02 18:18:53 | 003,226,994 | -H-- | M] () -- C:\Documents and Settings\Dixie\My Documents\FurReal_Pony_76471.pdf
[2011/07/02 14:59:33 | 000,000,304 | -H-- | M] () -- C:\Documents and Settings\Dixie\Desktop\Debs Music.url
[2011/07/02 14:57:14 | 000,008,851 | -H-- | M] () -- C:\Documents and Settings\Dixie\Desktop\deborah.html
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/07/08 23:11:01 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Dixie\defogger_reenable
[2011/07/05 15:30:05 | 000,156,654 | -H-- | C] () -- C:\Documents and Settings\Dixie\Desktop\james-map.bmp
[2011/07/03 17:11:30 | 000,006,064 | -H-- | C] () -- C:\Documents and Settings\Dixie\Desktop\wake-up.rtf
[2011/07/02 18:18:53 | 003,226,994 | -H-- | C] () -- C:\Documents and Settings\Dixie\My Documents\FurReal_Pony_76471.pdf
[2011/07/02 14:51:36 | 000,008,851 | -H-- | C] () -- C:\Documents and Settings\Dixie\Desktop\deborah.html
[2011/06/24 00:19:38 | 000,000,176 | ---- | C] () -- C:\WINDOWS\EQ3D.ini
[2010/12/24 12:46:33 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/10/25 03:06:03 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/07/14 06:14:52 | 000,000,022 | ---- | C] () -- C:\Documents and Settings\Dixie\Local Settings\Application Data\kodakpcd.ini
[2010/05/02 05:39:02 | 000,000,170 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/10/03 20:15:33 | 000,005,632 | ---- | C] () -- C:\Documents and Settings\Dixie\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/09/13 21:47:52 | 000,000,611 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/09/13 20:26:01 | 000,001,515 | -H-- | C] () -- C:\Documents and Settings\Dixie\Application Data\SAS7_000.DAT
[2009/09/13 17:40:16 | 000,004,346 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/09/13 17:39:09 | 000,153,176 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/09/13 13:49:46 | 000,000,000 | ---- | C] () -- C:\WINDOWS\HPMProp.INI
[2009/09/13 13:40:53 | 002,215,364 | ---- | C] () -- C:\WINDOWS\System32\igklg400.bin
[2009/09/13 13:40:53 | 001,971,732 | ---- | C] () -- C:\WINDOWS\System32\igklg450.bin
[2009/09/13 13:40:53 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4935.dll
[2009/09/13 13:40:53 | 000,029,932 | ---- | C] () -- C:\WINDOWS\System32\igmedcompkrn.bin
[2009/09/13 13:23:08 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/09/13 13:18:44 | 000,023,348 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/04/14 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2008/04/14 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008/04/14 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008/04/14 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008/04/14 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2008/04/14 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008/04/14 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/04/14 08:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2008/04/14 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2001/08/23 08:00:00 | 000,472,952 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 08:00:00 | 000,084,658 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[1997/07/11 00:00:00 | 000,047,104 | ---- | C] () -- C:\WINDOWS\System32\WRKGADM.EXE
[1997/07/11 00:00:00 | 000,031,232 | ---- | C] () -- C:\WINDOWS\System32\XLREC.DLL
[1997/07/11 00:00:00 | 000,025,600 | ---- | C] () -- C:\WINDOWS\System32\RECNCL.DLL
[1997/07/11 00:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\ODBCSTF.DLL
[1997/07/11 00:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[1996/07/31 00:00:00 | 000,041,472 | ---- | C] () -- C:\WINDOWS\System32\WOSAXRT.DLL
[1996/07/31 00:00:00 | 000,006,656 | ---- | C] () -- C:\WINDOWS\System32\MSNWEBQT.DLL

========== LOP Check ==========

[2010/06/06 13:30:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\AdminX\Application Data\Orbit
[2010/08/04 16:58:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\AdminX\Application Data\Skinux
[2009/09/13 23:08:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\COMMON FILES
[2009/09/13 20:03:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nuance
[2009/09/13 20:04:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
[2009/12/10 02:05:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2011/07/02 14:59:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dixie\Application Data\FileZilla
[2009/09/17 19:13:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dixie\Application Data\GrabPro
[2009/09/14 14:38:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dixie\Application Data\Notepad++
[2009/09/13 20:09:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dixie\Application Data\Nuance
[2009/09/14 17:10:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dixie\Application Data\OpenOffice.org
[2011/07/08 23:00:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dixie\Application Data\Orbit
[2011/06/03 04:39:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dixie\Application Data\ProgSense
[2010/07/13 23:07:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dixie\Application Data\Skinux
[2011/04/25 16:46:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Guest\Application Data\Orbit
[2010/07/07 18:37:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\kelly\Application Data\Orbit
[2010/08/30 10:53:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\kelly\Application Data\Skinux
[2011/06/28 22:35:02 | 000,000,436 | ---- | M] () -- C:\WINDOWS\Tasks\EasyShare Registration Task.job

========== Purity Check ==========



========== Custom Scans ==========


< netsvc >

< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/04/14 08:00:00 | 020,056,462 | -H-- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/04/14 08:00:00 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2008/04/14 08:00:00 | 020,056,462 | -H-- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2008/04/14 08:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 08:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/04/14 08:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: IASTOR.SYS >
[2009/09/13 12:50:40 | 000,312,344 | ---- | M] (Intel Corporation) MD5=DB0CC620B27A928D968C1A1E9CD9CB87 -- C:\WINDOWS\NLDRV\002\iastor.sys
[2009/09/13 12:50:40 | 000,312,344 | ---- | M] (Intel Corporation) MD5=DB0CC620B27A928D968C1A1E9CD9CB87 -- C:\WINDOWS\system32\drivers\iaStor.sys
[2009/09/13 12:50:40 | 000,312,344 | ---- | M] (Intel Corporation) MD5=DB0CC620B27A928D968C1A1E9CD9CB87 -- C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\iaStor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/14 08:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/04/14 08:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008/04/14 08:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008/04/14 08:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2009/09/30 19:45:01 | 000,262,144 | -H-- | M] () -- C:\WINDOWS\System32\config\default.sav
[2009/09/30 23:37:22 | 000,262,144 | -H-- | M] () -- C:\WINDOWS\System32\config\security.sav
[2009/09/30 19:45:01 | 019,922,944 | -H-- | M] () -- C:\WINDOWS\System32\config\software.sav
[2009/09/30 19:45:03 | 004,456,448 | -H-- | M] () -- C:\WINDOWS\System32\config\system.sav

========== Alternate Data Streams ==========

@Alternate Data Stream - 235 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F35A93AD

< End of report >


XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
OTL Extras logfile created on: 7/31/2011 5:25:09 AM - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Documents and Settings\Dixie\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.58 Gb Available Physical Memory | 79.12% Memory free
2.33 Gb Paging File | 1.85 Gb Available in Paging File | 79.33% Paging File free
Paging file location(s): D:\pagefile.sys 500 4000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 70.76 Gb Total Space | 52.32 Gb Free Space | 73.94% Space Free | Partition Type: NTFS
Drive D: | 14.65 Gb Total Space | 14.08 Gb Free Space | 96.09% Space Free | Partition Type: NTFS
Drive E: | 54.64 Gb Total Space | 51.22 Gb Free Space | 93.74% Space Free | Partition Type: NTFS
Drive F: | 9.00 Gb Total Space | 2.47 Gb Free Space | 27.45% Space Free | Partition Type: NTFS

Computer Name: HP550LAP | User Name: Dixie | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe" = C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe:*:Enabled:QuickBooks 2008 Data Manager -- (iAnywhere Solutions, Inc.)
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent
"C:\Program Files\Orbitdownloader\orbitdm.exe" = C:\Program Files\Orbitdownloader\orbitdm.exe:*:Enabled:Orbit -- (Orbitdownloader.com)
"C:\Program Files\Orbitdownloader\orbitnet.exe" = C:\Program Files\Orbitdownloader\orbitnet.exe:*:Enabled:Orbit -- (Orbitdownloader.com)
"C:\Program Files\Intuit\QuickBooks 2008\QBW32.EXE" = C:\Program Files\Intuit\QuickBooks 2008\QBW32.EXE:*:Disabled:QuickBooks -- (Intuit Inc.)
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Windows Explorer -- (Microsoft Corporation)
"C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe" = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe:*:Enabled:EasyShare -- (Eastman Kodak Company)
"C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" = C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe:*:Enabled:McAfee Shared Service Host -- (McAfee, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{007B37D9-0C45-4202-834B-DD5FAAE99D63}" = ArcSoft Print Creations - Slimline Card
"{08CA9554-B5FE-4313-938F-D4A417B81175}" = QuickTime
"{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}" = ESSPCD
"{2614F54E-A828-49FA-93BA-45A3F756BFAA}" = 32 Bit HP CIO Components Installer
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 26
"{26A24AE4-039D-4CA4-87B4-2F83216020F0}" = Java™ 6 Update 20
"{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}" = essvatgt
"{2F7FE893-8E57-46F2-9556-C1E3F0FA1EC7}" = Formulator 4.1
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.40 F1
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{42938595-0D83-404D-9F73-F8177FDD531A}" = ESScore
"{4537EA4B-F603-4181-89FB-2953FC695AB1}" = netbrdg
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A5A427F-BA39-4BF0-9A47-9999FBE60C9F}" = Visual C++ Runtime for Dragon NaturallySpeaking
"{5316DFC9-CE99-4458-9AB3-E8726EDE0210}" = skin0001
"{55584E16-4D70-44EE-93DD-F144E8B7D4B7}" = QuickBooks Product Listing Service
"{56589DFE-0C29-4DFE-8E42-887B771ECD23}" = ArcSoft Print Creations - Photo Book
"{5A13987D-55F4-4271-A40E-76AC9B1B38FD}" = OpenOffice.org 3.2
"{5A3F6A80-7913-475E-8B96-477A952CFA43}" = SupportSoft Assisted Service
"{605A4E39-613C-4A12-B56F-DEFBE6757237}" = SHASTA
"{608D2A3C-6889-4C11-9B54-A42F45ACBFDB}" = fflink
"{643EAE81-920C-4931-9F0B-4B343B225CA6}" = ESSBrwr
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{818ABC3C-635C-4651-8183-D0E9640B7DD1}" = HP Update
"{8943CE61-53BD-475E-90E1-A580869E98A2}" = staticcr
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A502E38-29C9-49FA-BCFA-D727CA062589}" = ESSTOOLS
"{8E92D746-CD9F-4B90-9668-42B74C14F765}" = ESSini
"{8ECB8220-F422-4BEB-9596-97033C533702}" = QuickBooks Pro 2008
"{91517631-A9F3-4B7C-B482-43E0068FD55A}" = ESSgui
"{9591C049-5CAE-4E89-A8D9-191F1899628B}" = ArcSoft Print Creations - Funhouse
"{999D43F4-9709-4887-9B1A-83EBB15A8370}" = VPRINTOL
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7646-A00000000001}" = Adobe Reader 6.0.1
"{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}" = ESSCDBK
"{B0D83FCD-9D42-43ED-8315-250326AADA02}" = ArcSoft Print Creations - Scrapbook
"{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}" = OfotoXMI
"{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}" = CCScore
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CA9ED5E4-1548-485B-A293-417840060158}" = ArcSoft Print Creations - Photo Calendar
"{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}" = HP Product Detection
"{CAE8A0F1-B498-4C23-95FA-55047E730C8F}" = ArcSoft Print Creations
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D32470A1-B10C-4059-BA53-CF0486F68EBC}" = Kodak EasyShare software
"{D6DE02C7-1F47-11D4-9515-00105AE4B89A}" = Paint Shop Pro 7 ESD
"{DB02F716-6275-42E9-B8D2-83BA2BF5100B}" = SFR
"{E6B4117F-AC59-4B13-9274-EB136E8897EE}" = ArcSoft Print Creations - Album Page
"{E7712E53-7A7F-46EB-AA13-70D5987D30F2}" = Dragon NaturallySpeaking 10
"{F04F9557-81A9-4293-BC49-2C216FA325A7}" = ArcSoft Print Creations - Greeting Card
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}" = SKINXSDK
"{F9593CFB-D836-49BC-BFF1-0E669A411D9F}" = WIRELESS
"{FCDB1C92-03C6-4C76-8625-371224256091}" = ESSPDock
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Agere Systems Soft Modem" = Agere Systems HDA Modem
"Broadcom 802.11b Network Adapter" = Broadcom 802.11 Wireless LAN Adapter
"FileZilla Client" = FileZilla Client 3.5.0
"HDMI" = Intel® Graphics Media Accelerator Driver
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"Invoice" = Microsoft Word 97 Invoice Sample Form (Remove only)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.0.1200
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.12)" = Mozilla Firefox (3.6.12)
"MSC" = McAfee AntiVirus Plus
"MSMONEYV50" = Microsoft Money 5.0
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Notepad++" = Notepad++
"NST" = Norton Safe Web Lite
"OCCAgent" = OCC Agent (remove only)
"Office8.0" = Microsoft Office 97, Professional Edition
"Orbit_is1" = Orbit Downloader
"PokerStars" = PokerStars
"Ppt to Flv Converter 3000_is1" = Ppt to Flv Converter 3000 7.4
"PROSet" = Intel® PRO Network Connections Drivers
"RealPlayer 12.0" = RealPlayer
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Visual Slideshow" = Visual Slideshow

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 7/31/2011 5:18:40 AM | Computer Name = HP550LAP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 7/31/2011 5:18:40 AM | Computer Name = HP550LAP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 7/31/2011 5:18:40 AM | Computer Name = HP550LAP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 7/31/2011 5:18:40 AM | Computer Name = HP550LAP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 7/31/2011 5:18:40 AM | Computer Name = HP550LAP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 7/31/2011 5:18:40 AM | Computer Name = HP550LAP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 7/31/2011 5:18:40 AM | Computer Name = HP550LAP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 7/31/2011 5:18:40 AM | Computer Name = HP550LAP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 7/31/2011 5:18:40 AM | Computer Name = HP550LAP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 7/31/2011 5:18:40 AM | Computer Name = HP550LAP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

[ System Events ]
Error - 7/30/2011 3:43:41 PM | Computer Name = HP550LAP | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 7/30/2011 3:43:41 PM | Computer Name = HP550LAP | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 7/30/2011 3:45:03 PM | Computer Name = HP550LAP | Source = DCOM | ID = 10010
Description = The server {209500FC-6B45-4693-8871-6296C4843751} did not register
with DCOM within the required timeout.

Error - 7/30/2011 3:45:35 PM | Computer Name = HP550LAP | Source = DCOM | ID = 10010
Description = The server {209500FC-6B45-4693-8871-6296C4843751} did not register
with DCOM within the required timeout.

Error - 7/31/2011 2:33:07 AM | Computer Name = HP550LAP | Source = DCOM | ID = 10010
Description = The server {4EB61BAC-A3B6-4760-9581-655041EF4D69} did not register
with DCOM within the required timeout.

Error - 7/31/2011 2:42:37 AM | Computer Name = HP550LAP | Source = DCOM | ID = 10010
Description = The server {4EB61BAC-A3B6-4760-9581-655041EF4D69} did not register
with DCOM within the required timeout.

Error - 7/31/2011 5:13:59 AM | Computer Name = HP550LAP | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 7/31/2011 5:13:59 AM | Computer Name = HP550LAP | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 7/31/2011 5:29:00 AM | Computer Name = HP550LAP | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 30 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 7/31/2011 5:29:00 AM | Computer Name = HP550LAP | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 29 minutes. NtpClient has no source of accurate
time.


< End of report >

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-07-31 07:26:12
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.FB2O
Running: 0xh2288dGMER.exe; Driver: C:\DOCUME~1\Dixie\LOCALS~1\Temp\fwryipod.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF71C0210]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF71C0224]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF71C0250]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF71C02A6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF71C01FC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF71C01D4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF71C01E8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF71C023A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF71C027C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF71C0266]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF71C02D0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF71C02BC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF71C0290]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

.text KDCOM.DLL!KdSendPacket F7987345 6 Bytes [FA, 8D, 46, 01, 25, FF]
.text KDCOM.DLL!KdSendPacket F798734D 5 Bytes [80, 79, 07, 48, 0D]
.text KDCOM.DLL!KdSendPacket F7987353 29 Bytes [FF, FF, FF, 40, 0F, B6, F0, ...]
.text KDCOM.DLL!KdSendPacket F7987371 28 Bytes [FF, FF, FF, 42, 0F, B6, FA, ...]
.text KDCOM.DLL!KdD0Transition + 8 F798738E 17 Bytes [08, 03, 55, F8, 03, D8, 81, ...]
.text KDCOM.DLL!KdD0Transition + 1A F79873A0 42 Bytes [FF, FF, FF, 43, 0F, B6, C3, ...]
.text KDCOM.DLL!KdDebuggerInitialize0 + 25 F79873CB 6 Bytes [00, C9, C2, 08, 00, 55] {ADD CL, CL; RET 0x8; PUSH EBP}
.text KDCOM.DLL!KdDebuggerInitialize0 + 2C F79873D2 23 Bytes [EC, 83, C8, FF, 83, 7D, 08, ...]
.text KDCOM.DLL!KdDebuggerInitialize0 + 44 F79873EA 162 Bytes [42, 5E, F6, C1, 01, 74, 0A, ...]
.text KDCOM.DLL!KdRestore + 2D F798748D 1 Byte [43]
.text KDCOM.DLL!KdRestore + 2D F798748D 77 Bytes [43, 08, 89, 45, FC, 8B, 55, ...]
.text KDCOM.DLL!KdRestore + 7C F79874DC 25 Bytes [C9, C2, 08, 00, 55, 8B, EC, ...]
.text KDCOM.DLL!KdRestore + 97 F79874F7 21 Bytes [89, 06, 89, 46, 08, 89, 46, ...]
.text KDCOM.DLL!KdRestore + AD F798750D 241 Bytes CALL F798746D \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
.text ...
PAGEKD KDCOM.DLL!KdReceivePacket + 2 F7987F4E 205 Bytes [F0, 8D, 45, FC, 50, 53, 56, ...]
PAGEKD KDCOM.DLL!KdReceivePacket + D0 F798801C 2 Bytes [75, 0E] {JNZ 0x10}
PAGEKD KDCOM.DLL!KdReceivePacket + D3 F798801F 1 Byte [C0]
PAGEKD KDCOM.DLL!KdReceivePacket + D3 F798801F 103 Bytes [C0, 02, 83, C2, 02, 84, DB, ...]
PAGEKD KDCOM.DLL!KdReceivePacket + 13B F7988087 131 Bytes [7D, 0C, B8, 4D, 5A, 00, 00, ...]
PAGEKD ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[392] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[392] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\System32\svchost.exe[612] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00690FEF
.text C:\WINDOWS\System32\svchost.exe[612] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0069001B
.text C:\WINDOWS\System32\svchost.exe[612] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00690000
.text C:\WINDOWS\System32\svchost.exe[612] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006D0FE5
.text C:\WINDOWS\System32\svchost.exe[612] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006D0054
.text C:\WINDOWS\System32\svchost.exe[612] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006D0F5F
.text C:\WINDOWS\System32\svchost.exe[612] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006D0F70
.text C:\WINDOWS\System32\svchost.exe[612] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006D0039
.text C:\WINDOWS\System32\svchost.exe[612] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006D0F8D
.text C:\WINDOWS\System32\svchost.exe[612] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006D00A0
.text C:\WINDOWS\System32\svchost.exe[612] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006D0F4E
.text C:\WINDOWS\System32\svchost.exe[612] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006D0F18
.text C:\WINDOWS\System32\svchost.exe[612] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006D0F33
.text C:\WINDOWS\System32\svchost.exe[612] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006D00CC
.text C:\WINDOWS\System32\svchost.exe[612] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006D0014
.text C:\WINDOWS\System32\svchost.exe[612] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006D0FD4
.text C:\WINDOWS\System32\svchost.exe[612] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006D006F
.text C:\WINDOWS\System32\svchost.exe[612] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006D0FA8
.text C:\WINDOWS\System32\svchost.exe[612] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006D0FC3
.text C:\WINDOWS\System32\svchost.exe[612] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006D00B1
.text C:\WINDOWS\System32\svchost.exe[612] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006C0FD4
.text C:\WINDOWS\System32\svchost.exe[612] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006C0F79
.text C:\WINDOWS\System32\svchost.exe[612] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006C0025
.text C:\WINDOWS\System32\svchost.exe[612] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006C0FEF
.text C:\WINDOWS\System32\svchost.exe[612] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006C0F94
.text C:\WINDOWS\System32\svchost.exe[612] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006C0000
.text C:\WINDOWS\System32\svchost.exe[612] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 006C0036
.text C:\WINDOWS\System32\svchost.exe[612] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006C0FAF
.text C:\WINDOWS\System32\svchost.exe[612] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006B0FC8
.text C:\WINDOWS\System32\svchost.exe[612] msvcrt.dll!system 77C293C7 5 Bytes JMP 006B0053
.text C:\WINDOWS\System32\svchost.exe[612] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006B001D
.text C:\WINDOWS\System32\svchost.exe[612] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006B0000
.text C:\WINDOWS\System32\svchost.exe[612] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006B002E
.text C:\WINDOWS\System32\svchost.exe[612] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006B0FEF
.text C:\WINDOWS\System32\svchost.exe[612] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006A0FEF
.text C:\WINDOWS\System32\svchost.exe[932] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00690FE5
.text C:\WINDOWS\System32\svchost.exe[932] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0069000A
.text C:\WINDOWS\System32\svchost.exe[932] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00690FD4
.text C:\WINDOWS\System32\svchost.exe[932] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006D0FEF
.text C:\WINDOWS\System32\svchost.exe[932] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006D0F3C
.text C:\WINDOWS\System32\svchost.exe[932] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006D0F4D
.text C:\WINDOWS\System32\svchost.exe[932] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006D0F5E
.text C:\WINDOWS\System32\svchost.exe[932] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006D001B
.text C:\WINDOWS\System32\svchost.exe[932] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006D0F9E
.text C:\WINDOWS\System32\svchost.exe[932] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006D0062
.text C:\WINDOWS\System32\svchost.exe[932] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006D0F1A
.text C:\WINDOWS\System32\svchost.exe[932] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006D0EF5
.text C:\WINDOWS\System32\svchost.exe[932] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006D008E
.text C:\WINDOWS\System32\svchost.exe[932] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006D0EE4
.text C:\WINDOWS\System32\svchost.exe[932] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006D0F83
.text C:\WINDOWS\System32\svchost.exe[932] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006D0000
.text C:\WINDOWS\System32\svchost.exe[932] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006D0F2B
.text C:\WINDOWS\System32\svchost.exe[932] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006D0FAF
.text C:\WINDOWS\System32\svchost.exe[932] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006D0FCA
.text C:\WINDOWS\System32\svchost.exe[932] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006D0073
.text C:\WINDOWS\System32\svchost.exe[932] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006C0025
.text C:\WINDOWS\System32\svchost.exe[932] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006C0F9E
.text C:\WINDOWS\System32\svchost.exe[932] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006C0FD4
.text C:\WINDOWS\System32\svchost.exe[932] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006C0FE5
.text C:\WINDOWS\System32\svchost.exe[932] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006C005B
.text C:\WINDOWS\System32\svchost.exe[932] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006C0000
.text C:\WINDOWS\System32\svchost.exe[932] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 006C0040
.text C:\WINDOWS\System32\svchost.exe[932] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006C0FB9
.text C:\WINDOWS\System32\svchost.exe[932] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006B0F90
.text C:\WINDOWS\System32\svchost.exe[932] msvcrt.dll!system 77C293C7 5 Bytes JMP 006B001B
.text C:\WINDOWS\System32\svchost.exe[932] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006B0000
.text C:\WINDOWS\System32\svchost.exe[932] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006B0FEF
.text C:\WINDOWS\System32\svchost.exe[932] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006B0FB5
.text C:\WINDOWS\System32\svchost.exe[932] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006B0FD2
.text C:\WINDOWS\System32\svchost.exe[932] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006A0FE5
.text C:\WINDOWS\system32\services.exe[1120] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\services.exe[1120] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\services.exe[1120] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00040FD4
.text C:\WINDOWS\system32\services.exe[1120] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C1000A
.text C:\WINDOWS\system32\services.exe[1120] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C10F90
.text C:\WINDOWS\system32\services.exe[1120] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C10FA1
.text C:\WINDOWS\system32\services.exe[1120] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C1007B
.text C:\WINDOWS\system32\services.exe[1120] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C10FBC
.text C:\WINDOWS\system32\services.exe[1120] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C10FDE
.text C:\WINDOWS\system32\services.exe[1120] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C100C7
.text C:\WINDOWS\system32\services.exe[1120] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C10F7F
.text C:\WINDOWS\system32\services.exe[1120] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C100EC
.text C:\WINDOWS\system32\services.exe[1120] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C10F53
.text C:\WINDOWS\system32\services.exe[1120] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C100FD
.text C:\WINDOWS\system32\services.exe[1120] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C10FCD
.text C:\WINDOWS\system32\services.exe[1120] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C1001B
.text C:\WINDOWS\system32\services.exe[1120] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C100AA
.text C:\WINDOWS\system32\services.exe[1120] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C10FEF
.text C:\WINDOWS\system32\services.exe[1120] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C10036
.text C:\WINDOWS\system32\services.exe[1120] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C10F64
.text C:\WINDOWS\system32\services.exe[1120] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0007001B
.text C:\WINDOWS\system32\services.exe[1120] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00070F94
.text C:\WINDOWS\system32\services.exe[1120] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[1120] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[1120] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00070051
.text C:\WINDOWS\system32\services.exe[1120] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[1120] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00070FAF
.text C:\WINDOWS\system32\services.exe[1120] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [27, 88]
.text C:\WINDOWS\system32\services.exe[1120] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00070036
.text C:\WINDOWS\system32\services.exe[1120] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00060FA3
.text C:\WINDOWS\system32\services.exe[1120] msvcrt.dll!system 77C293C7 5 Bytes JMP 00060038
.text C:\WINDOWS\system32\services.exe[1120] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00060016
.text C:\WINDOWS\system32\services.exe[1120] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[1120] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00060027
.text C:\WINDOWS\system32\services.exe[1120] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00060FD2
.text C:\WINDOWS\system32\services.exe[1120] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\lsass.exe[1132] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C20FEF
.text C:\WINDOWS\system32\lsass.exe[1132] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C20014
.text C:\WINDOWS\system32\lsass.exe[1132] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C20FD4
.text C:\WINDOWS\system32\lsass.exe[1132] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\lsass.exe[1132] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BF0078
.text C:\WINDOWS\system32\lsass.exe[1132] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BF0067
.text C:\WINDOWS\system32\lsass.exe[1132] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BF004C
.text C:\WINDOWS\system32\lsass.exe[1132] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BF0F83
.text C:\WINDOWS\system32\lsass.exe[1132] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BF0FA5
.text C:\WINDOWS\system32\lsass.exe[1132] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BF009D
.text C:\WINDOWS\system32\lsass.exe[1132] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BF0F57
.text C:\WINDOWS\system32\lsass.exe[1132] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BF00C9
.text C:\WINDOWS\system32\lsass.exe[1132] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BF00AE
.text C:\WINDOWS\system32\lsass.exe[1132] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BF00DA
.text C:\WINDOWS\system32\lsass.exe[1132] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BF0F94
.text C:\WINDOWS\system32\lsass.exe[1132] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BF0FE5
.text C:\WINDOWS\system32\lsass.exe[1132] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BF0F68
.text C:\WINDOWS\system32\lsass.exe[1132] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BF001B
.text C:\WINDOWS\system32\lsass.exe[1132] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BF0FD4
.text C:\WINDOWS\system32\lsass.exe[1132] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BF0F30
.text C:\WINDOWS\system32\lsass.exe[1132] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BE000A
.text C:\WINDOWS\system32\lsass.exe[1132] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BE0F7C
.text C:\WINDOWS\system32\lsass.exe[1132] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BE0FB9
.text C:\WINDOWS\system32\lsass.exe[1132] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BE0FD4
.text C:\WINDOWS\system32\lsass.exe[1132] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BE0F8D
.text C:\WINDOWS\system32\lsass.exe[1132] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\system32\lsass.exe[1132] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BE0025
.text C:\WINDOWS\system32\lsass.exe[1132] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BE0F9E
.text C:\WINDOWS\system32\lsass.exe[1132] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BD0FCD
.text C:\WINDOWS\system32\lsass.exe[1132] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BD0058
.text C:\WINDOWS\system32\lsass.exe[1132] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BD002C
.text C:\WINDOWS\system32\lsass.exe[1132] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\lsass.exe[1132] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BD0047
.text C:\WINDOWS\system32\lsass.exe[1132] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BD0011
.text C:\WINDOWS\system32\lsass.exe[1132] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BC0000
.text C:\WINDOWS\system32\svchost.exe[1236] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\system32\svchost.exe[1236] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B60FDE
.text C:\WINDOWS\system32\svchost.exe[1236] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B60FEF
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B90000
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B90F7D
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B90072
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B90055
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B90044
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B90033
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B90F4F
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B90097
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B900C6
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B90F23
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B900D7
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B90FAC
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B90FE5
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B90F6C
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B90022
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B90011
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B90F3E
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B80FD4
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B80F83
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B80025
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B80FEF
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B80036
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B8000A
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B80F9E
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D8, 88]
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B80FAF
.text C:\WINDOWS\system32\svchost.exe[1236] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B7005F
.text C:\WINDOWS\system32\svchost.exe[1236] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B70044
.text C:\WINDOWS\system32\svchost.exe[1236] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B70029
.text C:\WINDOWS\system32\svchost.exe[1236] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B70FEF
.text C:\WINDOWS\system32\svchost.exe[1236] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B70FD4
.text C:\WINDOWS\system32\svchost.exe[1236] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B7000C
.text C:\WINDOWS\system32\svchost.exe[1280] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F50FEF
.text C:\WINDOWS\system32\svchost.exe[1280] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F50FB9
.text C:\WINDOWS\system32\svchost.exe[1280] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F50FDE
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F90FEF
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F90047
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F9002C
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F90F5E
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F90F6F
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F90F94
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F90F26
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F90F37
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F90EFA
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F90089
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F900A4
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F9001B
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F90FCA
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F90058
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F90000
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F90FB9
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F90F15
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F80036
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F80FA5
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F8001B
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F80FE5
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F80FB6
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F80000
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F80062
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F80051
.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F70FBE
.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F70049
.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F7002E
.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F70000
.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F70FD9
.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F7001D
.text C:\WINDOWS\system32\svchost.exe[1280] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F60FE5
.text C:\WINDOWS\system32\svchost.exe[1364] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C30FEF
.text C:\WINDOWS\system32\svchost.exe[1364] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C30011
.text C:\WINDOWS\system32\svchost.exe[1364] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C30000
.text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C70000
.text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C70096
.text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C70071
.text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C70F97
.text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C70FB2
.text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C70FDE
.text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C700BD
.text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C70F75
.text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C70F38
.text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C70F49
.text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C700E2
.text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C70FC3
.text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C7001B
.text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C70F86
.text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C7004A
.text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C70FEF
.text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C70F64
.text C:\WINDOWS\system32\svchost.exe[1364] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C60FCA
.text C:\WINDOWS\system32\svchost.exe[1364] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C60F94
.text C:\WINDOWS\system32\svchost.exe[1364] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C6001B
.text C:\WINDOWS\system32\svchost.exe[1364] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C60FE5
.text C:\WINDOWS\system32\svchost.exe[1364] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C60051
.text C:\WINDOWS\system32\svchost.exe[1364] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C60000
.text C:\WINDOWS\system32\svchost.exe[1364] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C60FAF
.text C:\WINDOWS\system32\svchost.exe[1364] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E6, 88] {OUT 0x88, AL}
.text C:\WINDOWS\system32\svchost.exe[1364] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C60036
.text C:\WINDOWS\system32\svchost.exe[1364] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C50047
.text C:\WINDOWS\system32\svchost.exe[1364] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C50FB2
.text C:\WINDOWS\system32\svchost.exe[1364] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C50FD7
.text C:\WINDOWS\system32\svchost.exe[1364] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C50000
.text C:\WINDOWS\system32\svchost.exe[1364] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C5002C
.text C:\WINDOWS\system32\svchost.exe[1364] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C50011
.text C:\WINDOWS\system32\svchost.exe[1364] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C40000
.text C:\WINDOWS\System32\svchost.exe[1400] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 02AB0000
.text C:\WINDOWS\System32\svchost.exe[1400] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 02AB0FD1
.text C:\WINDOWS\System32\svchost.exe[1400] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 02AB0011
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03B30FEF
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03B3007D
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03B3006C
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03B30F92
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03B3005B
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03B30FC3
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03B300BA
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 03B300A9
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 03B30104
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 03B300DF
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 03B30F46
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 03B3004A
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 03B30FDE
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 03B3008E
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 03B3002F
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 03B30014
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 03B30F61
.text C:\WINDOWS\System32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03B20FAF
.text C:\WINDOWS\System32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03B20F68
.text C:\WINDOWS\System32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 03B20FCA
.text C:\WINDOWS\System32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 03B20FE5
.text C:\WINDOWS\System32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 03B20F83
.text C:\WINDOWS\System32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 03B2000A
.text C:\WINDOWS\System32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 03B20F94
.text C:\WINDOWS\System32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D2, 8B]
.text C:\WINDOWS\System32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 03B20025
.text C:\WINDOWS\System32\svchost.exe[1400] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 039E003D
.text C:\WINDOWS\System32\svchost.exe[1400] msvcrt.dll!system 77C293C7 5 Bytes JMP 039E0022
.text C:\WINDOWS\System32\svchost.exe[1400] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 039E0011
.text C:\WINDOWS\System32\svchost.exe[1400] msvcrt.dll!_open 77C2F566 5 Bytes JMP 039E0000
.text C:\WINDOWS\System32\svchost.exe[1400] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 039E0FB2
.text C:\WINDOWS\System32\svchost.exe[1400] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 039E0FD7
.text C:\WINDOWS\System32\svchost.exe[1400] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02AE0FEF
.text C:\WINDOWS\System32\svchost.exe[1400] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 02AD0FEF
.text C:\WINDOWS\System32\svchost.exe[1400] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 02AD0000
.text C:\WINDOWS\System32\svchost.exe[1400] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 02AD0FC0
.text C:\WINDOWS\System32\svchost.exe[1400] WININET.dll!InternetOpenUrlW 3D998471 5 Bytes JMP 02AD0FAF
.text C:\WINDOWS\system32\svchost.exe[1448] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00A00FE5
.text C:\WINDOWS\system32\svchost.exe[1448] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00A00014
.text C:\WINDOWS\system32\svchost.exe[1448] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A00FD4
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A5000A
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A500A7
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A5008C
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A50FB2
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A50FC3
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A50FD4
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A50F66
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A500B8
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A500E4
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A500C9
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A500FF
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A5005B
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A50FE5
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A50F97
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A50040
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A5001B
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A50F4B
.text C:\WINDOWS\system32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A40FC0
.text C:\WINDOWS\system32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A40047
.text C:\WINDOWS\system32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A4001B
.text C:\WINDOWS\system32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A40FE5
.text C:\WINDOWS\system32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A40F80
.text C:\WINDOWS\system32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A40000
.text C:\WINDOWS\system32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00A4002C
.text C:\WINDOWS\system32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A40FAF
.text C:\WINDOWS\system32\svchost.exe[1448] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A30025
.text C:\WINDOWS\system32\svchost.exe[1448] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A30F9A
.text C:\WINDOWS\system32\svchost.exe[1448] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A30FC6
.text C:\WINDOWS\system32\svchost.exe[1448] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A30FE3
.text C:\WINDOWS\system32\svchost.exe[1448] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A30FAB
.text C:\WINDOWS\system32\svchost.exe[1448] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A30000
.text C:\WINDOWS\system32\svchost.exe[1448] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A20FEF
.text C:\WINDOWS\system32\svchost.exe[1448] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00A10FE5
.text C:\WINDOWS\system32\svchost.exe[1448] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00A10FCA
.text C:\WINDOWS\system32\svchost.exe[1448] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00A1000A
.text C:\WINDOWS\system32\svchost.exe[1448] WININET.dll!InternetOpenUrlW 3D998471 5 Bytes JMP 00A10FB9
.text C:\WINDOWS\system32\svchost.exe[1496] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00B60FEF
.text C:\WINDOWS\system32\svchost.exe[1496] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B60014
.text C:\WINDOWS\system32\svchost.exe[1496] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B60FDE
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA0000
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA0F77
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA0F88
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA0062
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA0051
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA0036
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA00BD
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA00A2
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA0F3F
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA00D8
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BA0F24
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BA0FAF
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BA0FE5
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BA0091
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BA001B
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BA0FCA
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BA0F5A
.text C:\WINDOWS\system32\svchost.exe[1496] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B90022
.text C:\WINDOWS\system32\svchost.exe[1496] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B90F8A
.text C:\WINDOWS\system32\svchost.exe[1496] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B90011
.text C:\WINDOWS\system32\svchost.exe[1496] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B90FE5
.text C:\WINDOWS\system32\svchost.exe[1496] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B90047
.text C:\WINDOWS\system32\svchost.exe[1496] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B90000
.text C:\WINDOWS\system32\svchost.exe[1496] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B90FA5
.text C:\WINDOWS\system32\svchost.exe[1496] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D9, 88]
.text C:\WINDOWS\system32\svchost.exe[1496] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B90FC0
.text C:\WINDOWS\system32\svchost.exe[1496] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B80064
.text C:\WINDOWS\system32\svchost.exe[1496] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B80053
.text C:\WINDOWS\system32\svchost.exe[1496] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B80038
.text C:\WINDOWS\system32\svchost.exe[1496] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B80000
.text C:\WINDOWS\system32\svchost.exe[1496] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B80FD9
.text C:\WINDOWS\system32\svchost.exe[1496] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B8001D
.text C:\WINDOWS\system32\svchost.exe[1496] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B70FEF
.text C:\WINDOWS\system32\svchost.exe[1792] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00900000
.text C:\WINDOWS\system32\svchost.exe[1792] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00900FDB
.text C:\WINDOWS\system32\svchost.exe[1792] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00900011
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA0000
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA0F94
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA007F
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA006E
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA0FA5
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA002C
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA00B7
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA00A6
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA00D2
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA0F43
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BA0F1E
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BA0047
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BA0011
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BA0F79
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BA0FCA
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BA0FDB
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BA0F54
.text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B90FCD
.text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B9005B
.text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B9001E
.text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B90FDE
.text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B9004A
.text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B90FEF
.text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B90039
.text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B90FBC
.text C:\WINDOWS\system32\svchost.exe[1792] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00930FA4
.text C:\WINDOWS\system32\svchost.exe[1792] msvcrt.dll!system 77C293C7 5 Bytes JMP 00930FB5
.text C:\WINDOWS\system32\svchost.exe[1792] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00930FC6
.text C:\WINDOWS\system32\svchost.exe[1792] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00930000
.text C:\WINDOWS\system32\svchost.exe[1792] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0093001B
.text C:\WINDOWS\system32\svchost.exe[1792] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00930FE3
.text C:\WINDOWS\system32\svchost.exe[1792] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00910000
.text C:\WINDOWS\system32\svchost.exe[1792] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00910FE5
.text C:\WINDOWS\system32\svchost.exe[1792] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00910FCA
.text C:\WINDOWS\system32\svchost.exe[1792] WININET.dll!InternetOpenUrlW 3D998471 5 Bytes JMP 0091001B
.text C:\WINDOWS\system32\svchost.exe[1792] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0092000A
.text C:\WINDOWS\explorer.exe[3484] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00090000
.text C:\WINDOWS\explorer.exe[3484] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00090036
.text C:\WINDOWS\explorer.exe[3484] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0009001B
.text C:\WINDOWS\explorer.exe[3484] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\explorer.exe[3484] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0078
.text C:\WINDOWS\explorer.exe[3484] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0F83
.text C:\WINDOWS\explorer.exe[3484] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0051
.text C:\WINDOWS\explorer.exe[3484] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0F94
.text C:\WINDOWS\explorer.exe[3484] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0036
.text C:\WINDOWS\explorer.exe[3484] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B00A6
.text C:\WINDOWS\explorer.exe[3484] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B0F5E
.text C:\WINDOWS\explorer.exe[3484] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B0F17
.text C:\WINDOWS\explorer.exe[3484] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B0F32
.text C:\WINDOWS\explorer.exe[3484] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B00CB
.text C:\WINDOWS\explorer.exe[3484] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B0FAF
.text C:\WINDOWS\explorer.exe[3484] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B0FDE
.text C:\WINDOWS\explorer.exe[3484] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B0089
.text C:\WINDOWS\explorer.exe[3484] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B0025
.text C:\WINDOWS\explorer.exe[3484] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B000A
.text C:\WINDOWS\explorer.exe[3484] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B0F43
.text C:\WINDOWS\explorer.exe[3484] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002A0FC7
.text C:\WINDOWS\explorer.exe[3484] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002A0F91
.text C:\WINDOWS\explorer.exe[3484] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002A0022
.text C:\WINDOWS\explorer.exe[3484] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002A0011
.text C:\WINDOWS\explorer.exe[3484] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002A004E
.text C:\WINDOWS\explorer.exe[3484] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002A0000
.text C:\WINDOWS\explorer.exe[3484] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002A0FB6
.text C:\WINDOWS\explorer.exe[3484] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4A, 88]
.text C:\WINDOWS\explorer.exe[3484] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002A0033
.text C:\WINDOWS\explorer.exe[3484] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002B006E
.text C:\WINDOWS\explorer.exe[3484] msvcrt.dll!system 77C293C7 5 Bytes JMP 002B0FE3
.text C:\WINDOWS\explorer.exe[3484] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002B002E
.text C:\WINDOWS\explorer.exe[3484] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002B000C
.text C:\WINDOWS\explorer.exe[3484] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002B0049
.text C:\WINDOWS\explorer.exe[3484] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002B001D
.text C:\WINDOWS\explorer.exe[3484] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 002D0FEF
.text C:\WINDOWS\explorer.exe[3484] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 002D0FD4
.text C:\WINDOWS\explorer.exe[3484] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 002D000A
.text C:\WINDOWS\explorer.exe[3484] WININET.dll!InternetOpenUrlW 3D998471 5 Bytes JMP 002D001B
.text C:\WINDOWS\explorer.exe[3484] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01660FE5
.text C:\WINDOWS\System32\svchost.exe[3860] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00090000
.text C:\WINDOWS\System32\svchost.exe[3860] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0009002C
.text C:\WINDOWS\System32\svchost.exe[3860] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00090011
.text C:\WINDOWS\System32\svchost.exe[3860] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0000
.text C:\WINDOWS\System32\svchost.exe[3860] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0F57
.text C:\WINDOWS\System32\svchost.exe[3860] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0F72
.text C:\WINDOWS\System32\svchost.exe[3860] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0F83
.text C:\WINDOWS\System32\svchost.exe[3860] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0F94
.text C:\WINDOWS\System32\svchost.exe[3860] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0FAF
.text C:\WINDOWS\System32\svchost.exe[3860] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B0F30
.text C:\WINDOWS\System32\svchost.exe[3860] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B0078
.text C:\WINDOWS\System32\svchost.exe[3860] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B0F1F
.text C:\WINDOWS\System32\svchost.exe[3860] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B00AE
.text C:\WINDOWS\System32\svchost.exe[3860] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B00C9
.text C:\WINDOWS\System32\svchost.exe[3860] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B0036
.text C:\WINDOWS\System32\svchost.exe[3860] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B0FE5
.text C:\WINDOWS\System32\svchost.exe[3860] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B0067
.text C:\WINDOWS\System32\svchost.exe[3860] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B0FCA
.text C:\WINDOWS\System32\svchost.exe[3860] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B001B
.text C:\WINDOWS\System32\svchost.exe[3860] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B009D
.text C:\WINDOWS\System32\svchost.exe[3860] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002A0FCA
.text C:\WINDOWS\System32\svchost.exe[3860] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002A0058
.text C:\WINDOWS\System32\svchost.exe[3860] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002A0025
.text C:\WINDOWS\System32\svchost.exe[3860] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002A0FE5
.text C:\WINDOWS\System32\svchost.exe[3860] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002A0F9B
.text C:\WINDOWS\System32\svchost.exe[3860] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002A0000
.text C:\WINDOWS\System32\svchost.exe[3860] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002A0047
.text C:\WINDOWS\System32\svchost.exe[3860] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002A0036
.text C:\WINDOWS\System32\svchost.exe[3860] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003F0047
.text C:\WINDOWS\System32\svchost.exe[3860] msvcrt.dll!system 77C293C7 5 Bytes JMP 003F0036
.text C:\WINDOWS\System32\svchost.exe[3860] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003F0FC6
.text C:\WINDOWS\System32\svchost.exe[3860] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003F0FE3
.text C:\WINDOWS\System32\svchost.exe[3860] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003F001B
.text C:\WINDOWS\System32\svchost.exe[3860] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003F0000
.text C:\WINDOWS\System32\svchost.exe[3860] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009C0FEF

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- Threads - GMER 1.0.15 ----

Thread System [4:144] 8A78B0B3
Thread System [4:152] 8A78B923
Thread System [4:156] 8A78C7FB

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
"The wise man in the storm prays to God, not for safety from danger, but for deliverance from fear. It is the storm within which endangers him, not the storm without." Emerson
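The GMER log above lists one ".text ... JMP" line per hooked export in each process, and a "Disk" section that flags the MBR. As an added example (not part of the thread and not GMER's own tooling), the Python below parses that line format, groups the hooked APIs per process, reports which APIs are hooked in every listed process, and pulls out the disk-sector findings; the sample lines are constructed in the log's layout, and the reading that a hook set shared by every process points to one injected module is an assumption of the example, not a statement from the log.

```python
import re
from collections import defaultdict

# Constructed sample in the GMER 1.0.15 format pasted in this thread (not a real
# capture): two hooked processes plus the two disk-sector lines.  Addresses and
# names follow the log's layout only.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[1496] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00B60FEF
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA0F3F
.text C:\WINDOWS\system32\svchost.exe[1496] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B90FA5
.text C:\WINDOWS\system32\svchost.exe[1496] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D9, 88]
.text C:\WINDOWS\explorer.exe[3484] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00090000
.text C:\WINDOWS\explorer.exe[3484] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01660FE5

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
"""

# One user-mode inline hook line:
#   ".text <image>[<pid>] <module>!<func>[ + <off>] <addr> <n> Bytes JMP <target>"
# or, for a patch GMER reports in two pieces, "... <n> Bytes [xx, yy]".
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>[^\[\s]+)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)(?:\s+\+\s+(?P<offset>\d+))?\s+"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<nbytes>\d+)\s+Bytes\s+"
    r"(?:JMP\s+(?P<target>[0-9A-F]{8})|\[(?P<raw>[^\]]+)\])\s*$"
)


def parse_gmer(text):
    """Return (hooks, disk_findings) parsed from a GMER log."""
    hooks, disk_findings = [], []
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            d = m.groupdict()
            hooks.append({
                "image": d["image"],
                "pid": int(d["pid"]),
                "api": f'{d["module"]}!{d["func"]}',
                "offset": int(d["offset"] or 0),
                "target": d["target"],  # None on the "+ 3 ... [xx, yy]" remainder line
            })
        elif line.startswith("Disk ") and "rootkit" in line.lower():
            disk_findings.append(line.strip())
    return hooks, disk_findings


def summarize(hooks):
    """Group hooked APIs per (image, pid) and find the APIs hooked in every process."""
    per_proc = defaultdict(set)
    for h in hooks:
        if h["target"] is not None:  # count the JMP, not the split-patch remainder
            per_proc[(h["image"], h["pid"])].add(h["api"])
    common = set.intersection(*per_proc.values()) if per_proc else set()
    return dict(per_proc), common


def assess(text):
    """Triage view: how many processes are hooked, the shared hook set, MBR findings."""
    hooks, disk = parse_gmer(text)
    per_proc, common = summarize(hooks)
    return {
        "processes_hooked": len(per_proc),
        # Assumption: the same API set hooked in every process suggests one injected module.
        "apis_hooked_everywhere": sorted(common),
        "mbr_findings": disk,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_LOG).items():
        print(key, value)
```

Feeding the full log from the thread into `assess` (instead of the constructed sample) gives a helper a one-screen view of how widely the hooks are spread and keeps the MBR lines, which are the finding that matters for the next step, from getting lost among hundreds of `.text` lines.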

#4 DixieDebVa

Posted 31 July 2011 - 07:14 AM

PS I have only let this computer "online" once (to get latest mbam?) since the infection. I am checking you & downloading files to another computer, then shutting down internet and transferring files by my intranet to sick computer. This why the network error messages. Thanks again!

#5 Blade

Posted 31 July 2011 - 05:03 PM

Download Combofix from any of the links below but rename it to renamed.exe before saving it to your desktop.


Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
  • Double click on renamed.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


~Blade


In your next reply, please include the following:
ComboFix log

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#6 Blade

Posted 08 August 2011 - 04:20 PM

Due to lack of feedback, this topic is now Closed

~Blade





