Browser being redirected


This topic is locked
15 replies to this topic

#1 jcomp101

Posted 04 August 2011 - 01:59 AM

Like many others I am having this problem. Started about 2 weeks ago. Seems to happen on IE, Firefox and whatever else I try. If I google an item and click on it 4 times, the redirection stops. I went to a beginner's guide on this stuff, and tried their suggestions, like the HOSTS file and searching the registry by topic. Couldn't find anything. Using XP Pro.

Attached File: hijackthis.log (12.5KB, 0 downloads)


#2 jcomp101 (Topic Starter)

Posted 09 August 2011 - 09:35 PM

I get this message when I try to add a new printer. All previous printers have been removed. I have tried all recommended fixes from Help and Support without success. I ran DDS and GMER and have posted the logs. Please help if you can.

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Jon at 22:36:02 on 2011-08-08
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3061.1911 [GMT -7:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Qwest\Desktop\QwestTouchPointAgent.exe
C:\Program Files\Qwest\Quickcare\bin\sprtcmd.exe
C:\Program Files\Freecorder\FLVSrvc.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
C:\Program Files\PKWARE\PKZIPM\12.51.0004\PKTray.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Qwest\Quickcare\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Qwest\Quickcare\bin\tgsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Microsoft Silverlight\sllauncher.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\Explorer.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
uWindow Title = Windows Internet Explorer provided by MSN & Bing
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110723100019.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [3Z1Y3ZXH5C1H8B9XH] c:\usxxxxxxxx\usxxxxxxxx.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [vGJlwIuWtiWKYpr] c:\documents and settings\all users\application data\vGJlwIuWtiWKYpr.exe
uRun: [16441124] c:\documents and settings\all users\application data\16441124.exe
uRun: [aNltCtwlp9e6] c:\docume~1\alluse~1\applic~1\aNltCtwlp9e6.exe
uRun: [Security Protection] c:\documents and settings\all users\application data\defender.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Dell DataSafe Online] "c:\program files\dell datasafe online\DataSafeOnline.exe" /m
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QwestTouchPointAgent] "c:\program files\qwest\desktop\QwestTouchPointAgent.exe" /autostart
mRun: [QuickCare] c:\program files\qwest\quickcare\bin\sprtcmd.exe /P QuickCare
mRun: [Freecorder FLV Service] "c:\program files\freecorder\FLVSrvc.exe" /run
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [<NO NAME>]
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpzrcv01.lnk - c:\program files\hp\temp\{2d0df835-98ab-487e-8514-0e0941f728c4}\setup\hpzrcv01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\miniey~1.lnk - c:\program files\infinite mind lc\eyeq\ARLaunch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pkzipa~1.lnk - c:\program files\pkware\pkzipm\12.51.0004\PKTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {35B7E48B-9D81-4C6C-9578-5FD4F620D886} - hxxp://host1.telechart.tv/tcinstall/setup.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
TCP: Interfaces\{52AEBAF5-8E06-45C8-9128-80C463C01F25} : DhcpNameServer = 192.168.0.1 205.171.3.25
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\jon\application data\mozilla\firefox\profiles\ep4vswg1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoofinance.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\web platform installer\NPWPIDetector.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-3-13 459728]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-6-2 89368]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-6-2 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-6-2 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-6-2 214904]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-6-2 214904]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-6-2 165000]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-6-2 159832]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-6-2 148520]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\common files\supportsoft\bin\sprtlisten.exe [2009-3-19 1213728]
R2 sprtsvc_quickcare;SupportSoft Sprocket Service (quickcare);c:\program files\qwest\quickcare\bin\sprtsvc.exe [2011-4-11 206120]
R2 tgsrvc_quickcare;SupportSoft Repair Service (quickcare);c:\program files\qwest\quickcare\bin\tgsrvc.exe [2011-4-11 185640]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-6-2 57432]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-6-2 179248]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-6-2 59288]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-6-2 337912]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-6-2 83688]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 MsDepSvc;Web Deployment Agent Service;c:\program files\iis\microsoft web deploy\MsDepSvc.exe [2011-4-1 67400]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-6-2 83688]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-6-2 85984]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-22 47128]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]
.
=============== Created Last 30 ================
.
2011-08-09 00:16:03 -------- d-----w- c:\documents and settings\jon\application data\ElevatedDiagnostics
2011-08-08 15:11:39 635392 ----a-w- c:\windows\system32\authorize.dll
2011-08-08 15:11:39 -------- d-----w- c:\program files\Elemental Trader 1.5
2011-08-08 15:04:01 -------- d-----w- C:\ElemTrader
2011-07-23 17:00:19 24376 ---ha-w- c:\program files\mozilla firefox\distribution\bundles\{d19ca586-dd6c-4a0a-96f8-14644f340d60}\components\scriptff.dll
2011-07-15 06:43:19 -------- d-----w- C:\Harricharin
.
==================== Find3M ====================
.
2011-06-18 15:55:58 0 ---ha-w- c:\documents and settings\jon\jvvpmdtqrd.tmp
2011-06-02 14:07:35 1867904 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 22:37:24.42 ===============



GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-09 18:51:44
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD3200AAKS-75L9A0 rev.01.03E01
Running: gmer.exe; Driver: C:\DOCUME~1\Jon\LOCALS~1\Temp\kxlyakod.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9DE3D70]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9DE3D84]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9DE3DB0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9DE3E06]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9DE3D5C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9DE3D34]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9DE3D48]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9DE3D9A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB9DE3DDC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9DE3DC6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9DE3E30]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9DE3E1C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9DE3DF0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504B08 7 Bytes JMP B9DE3DF4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B203A 7 Bytes JMP B9DE3E0A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E48 5 Bytes JMP B9DE3E20 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetSecurityObject 805C062E 5 Bytes JMP B9DE3DE0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB440 5 Bytes JMP B9DE3D38 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB6CC 5 Bytes JMP B9DE3D4C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29E2 5 Bytes JMP B9DE3E34 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80622662 7 Bytes JMP B9DE3DCA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80623B12 7 Bytes JMP B9DE3D9E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806240F0 5 Bytes JMP B9DE3D74 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8062458C 7 Bytes JMP B9DE3D88 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8062475C 7 Bytes JMP B9DE3DB4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 806254CE 5 Bytes JMP B9DE3D60 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
INITc VolSnap.sys BA0D3BD0 4 Bytes [B0, A5, 53, 80]
INITc VolSnap.sys BA0D3BF8 4 Bytes [B8, A1, 4F, 80]
INITc VolSnap.sys BA0D3C20 4 Bytes [B6, AE, 4F, 80]
INITc VolSnap.sys BA0D3C48 4 Bytes [30, FF, 4F, 80]
INITc VolSnap.sys BA0D3C70 4 Bytes [7A, A8, 4F, 80]
INITc ...

.text C:\WINDOWS\System32\svchost.exe[924] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006E00B1
.text C:\WINDOWS\System32\svchost.exe[924] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006D0036
.text C:\WINDOWS\System32\svchost.exe[924] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006D007D
.text C:\WINDOWS\System32\svchost.exe[924] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006D0025
.text C:\WINDOWS\System32\svchost.exe[924] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006D0FEF
.text C:\WINDOWS\System32\svchost.exe[924] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006D006C
.text C:\WINDOWS\System32\svchost.exe[924] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006D000A
.text C:\WINDOWS\System32\svchost.exe[924] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 006D005B
.text C:\WINDOWS\System32\svchost.exe[924] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006D0FD4
.text C:\WINDOWS\System32\svchost.exe[924] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00710FAD
.text C:\WINDOWS\System32\svchost.exe[924] msvcrt.dll!system 77C293C7 5 Bytes JMP 0071002E
.text C:\WINDOWS\System32\svchost.exe[924] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0071000C
.text C:\WINDOWS\System32\svchost.exe[924] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00710FEF
.text C:\WINDOWS\System32\svchost.exe[924] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0071001D
.text C:\WINDOWS\System32\svchost.exe[924] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00710FD2
.text C:\WINDOWS\System32\svchost.exe[924] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00700FE5
.text C:\WINDOWS\System32\svchost.exe[964] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 006F0FE5
.text C:\WINDOWS\System32\svchost.exe[964] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 006F0FC3
.text C:\WINDOWS\System32\svchost.exe[964] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006F0FD4
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006E0FEF
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006E006C
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006E005B
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006E0040
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006E0F83
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006E0F9E
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006E0F41
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006E0089
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006E00BF
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006E0F26
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006E0F0B
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006E0025
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006E0FDE
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006E0F52
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006E0FB9
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006E000A
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006E00A4
.text C:\WINDOWS\System32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006D0FC3
.text C:\WINDOWS\System32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006D006F
.text C:\WINDOWS\System32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006D0FDE
.text C:\WINDOWS\System32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006D0FEF
.text C:\WINDOWS\System32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006D0054
.text C:\WINDOWS\System32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006D000A
.text C:\WINDOWS\System32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 006D0039
.text C:\WINDOWS\System32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006D0FB2
.text C:\WINDOWS\System32\svchost.exe[964] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00710053
.text C:\WINDOWS\System32\svchost.exe[964] msvcrt.dll!system 77C293C7 5 Bytes JMP 00710042
.text C:\WINDOWS\System32\svchost.exe[964] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0071001D
.text C:\WINDOWS\System32\svchost.exe[964] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00710000
.text C:\WINDOWS\System32\svchost.exe[964] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00710FD2
.text C:\WINDOWS\System32\svchost.exe[964] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00710FE3
.text C:\WINDOWS\System32\svchost.exe[964] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00700000
.text C:\WINDOWS\system32\svchost.exe[996] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00B80000
.text C:\WINDOWS\system32\svchost.exe[996] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B80022
.text C:\WINDOWS\system32\svchost.exe[996] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B80011
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B70FEF
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B70093
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B70078
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B70F9E
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B70FB9
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B70036
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B700DC
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B700BF
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B70F57
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B70F68
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B70115
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B70051
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B7000A
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B700A4
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B70FD4
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B70025
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B70F83
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B6001B
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B60051
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B60000
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B60FD4
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B60F94
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B60FEF
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B60036
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B60FAF
.text C:\WINDOWS\system32\svchost.exe[996] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B90036
.text C:\WINDOWS\system32\svchost.exe[996] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B90FA1
.text C:\WINDOWS\system32\svchost.exe[996] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B90FC6
.text C:\WINDOWS\system32\svchost.exe[996] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B90000
.text C:\WINDOWS\system32\svchost.exe[996] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B90011
.text C:\WINDOWS\system32\svchost.exe[996] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B90FD7
.text C:\WINDOWS\system32\services.exe[1120] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\services.exe[1120] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00FF000A
.text C:\WINDOWS\system32\services.exe[1120] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FF0FD4
.text C:\WINDOWS\system32\services.exe[1120] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FE000A
.text C:\WINDOWS\system32\services.exe[1120] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FE0F83
.text C:\WINDOWS\system32\services.exe[1120] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FE0F94
.text C:\WINDOWS\system32\services.exe[1120] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FE0062
.text C:\WINDOWS\system32\services.exe[1120] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FE0FA5
.text C:\WINDOWS\system32\services.exe[1120] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FE0FCA
.text C:\WINDOWS\system32\services.exe[1120] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FE009D
.text C:\WINDOWS\system32\services.exe[1120] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FE0F55
.text C:\WINDOWS\system32\services.exe[1120] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FE00B8
.text C:\WINDOWS\system32\services.exe[1120] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FE0F1F
.text C:\WINDOWS\system32\services.exe[1120] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FE00D3
.text C:\WINDOWS\system32\services.exe[1120] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FE0051
.text C:\WINDOWS\system32\services.exe[1120] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\services.exe[1120] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FE0F72
.text C:\WINDOWS\system32\services.exe[1120] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FE0036
.text C:\WINDOWS\system32\services.exe[1120] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FE0025
.text C:\WINDOWS\system32\services.exe[1120] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FE0F30
.text C:\WINDOWS\system32\services.exe[1120] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 016D0040
.text C:\WINDOWS\system32\services.exe[1120] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 016D0FAF
.text C:\WINDOWS\system32\services.exe[1120] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 016D0025
.text C:\WINDOWS\system32\services.exe[1120] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 016D0FEF
.text C:\WINDOWS\system32\services.exe[1120] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 016D006C
.text C:\WINDOWS\system32\services.exe[1120] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 016D000A
.text C:\WINDOWS\system32\services.exe[1120] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 016D005B
.text C:\WINDOWS\system32\services.exe[1120] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 016D0FD4
.text C:\WINDOWS\system32\services.exe[1120] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 016C0066
.text C:\WINDOWS\system32\services.exe[1120] msvcrt.dll!system 77C293C7 5 Bytes JMP 016C0055
.text C:\WINDOWS\system32\services.exe[1120] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 016C0FE5
.text C:\WINDOWS\system32\services.exe[1120] msvcrt.dll!_open 77C2F566 5 Bytes JMP 016C000C
.text C:\WINDOWS\system32\services.exe[1120] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 016C003A
.text C:\WINDOWS\system32\services.exe[1120] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 016C0029
.text C:\WINDOWS\system32\services.exe[1120] wininet.dll!InternetOpenA 3D95D690 5 Bytes JMP 016A0FEF
.text C:\WINDOWS\system32\services.exe[1120] wininet.dll!InternetOpenW 3D95DB09 5 Bytes JMP 016A0FDE
.text C:\WINDOWS\system32\services.exe[1120] wininet.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 016A0FC3
.text C:\WINDOWS\system32\services.exe[1120] wininet.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 016A0014
.text C:\WINDOWS\system32\services.exe[1120] WS2_32.dll!socket 71AB4211 5 Bytes JMP 016B000A
.text C:\WINDOWS\system32\lsass.exe[1132] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C20000
.text C:\WINDOWS\system32\lsass.exe[1132] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C2002C
.text C:\WINDOWS\system32\lsass.exe[1132] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C2001B
.text C:\WINDOWS\system32\lsass.exe[1132] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\lsass.exe[1132] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BD0F55
.text C:\WINDOWS\system32\lsass.exe[1132] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BD004A
.text C:\WINDOWS\system32\lsass.exe[1132] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BD0F7C
.text C:\WINDOWS\system32\lsass.exe[1132] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BD0F8D
.text C:\WINDOWS\system32\lsass.exe[1132] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BD0025
.text C:\WINDOWS\system32\lsass.exe[1132] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BD007B
.text C:\WINDOWS\system32\lsass.exe[1132] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BD0F33
.text C:\WINDOWS\system32\lsass.exe[1132] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BD0EF3
.text C:\WINDOWS\system32\lsass.exe[1132] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BD008C
.text C:\WINDOWS\system32\lsass.exe[1132] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BD00A7
.text C:\WINDOWS\system32\lsass.exe[1132] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BD0F9E
.text C:\WINDOWS\system32\lsass.exe[1132] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\system32\lsass.exe[1132] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BD0F44
.text C:\WINDOWS\system32\lsass.exe[1132] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BD0FB9
.text C:\WINDOWS\system32\lsass.exe[1132] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BD0FD4
.text C:\WINDOWS\system32\lsass.exe[1132] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BD0F18
.text C:\WINDOWS\system32\lsass.exe[1132] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FD0FCA
.text C:\WINDOWS\system32\lsass.exe[1132] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FD0F83
.text C:\WINDOWS\system32\lsass.exe[1132] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FD001B
.text C:\WINDOWS\system32\lsass.exe[1132] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FD0FDB
.text C:\WINDOWS\system32\lsass.exe[1132] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FD0F94
.text C:\WINDOWS\system32\lsass.exe[1132] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FD0000
.text C:\WINDOWS\system32\lsass.exe[1132] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00FD0FAF
.text C:\WINDOWS\system32\lsass.exe[1132] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [1D, 89]
.text C:\WINDOWS\system32\lsass.exe[1132] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FD0036
.text C:\WINDOWS\system32\lsass.exe[1132] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E40FA6
.text C:\WINDOWS\system32\lsass.exe[1132] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E40FB7
.text C:\WINDOWS\system32\lsass.exe[1132] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E40FD9
.text C:\WINDOWS\system32\lsass.exe[1132] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E40000
.text C:\WINDOWS\system32\lsass.exe[1132] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E40FC8
.text C:\WINDOWS\system32\lsass.exe[1132] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E4001D
.text C:\WINDOWS\system32\lsass.exe[1132] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E30FE5
.text C:\WINDOWS\system32\svchost.exe[1324] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 02470FEF
.text C:\WINDOWS\system32\svchost.exe[1324] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 02470025
.text C:\WINDOWS\system32\svchost.exe[1324] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0247000A
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02460000
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02460F5C
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02460F6D
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02460051
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02460F94
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02460FB9
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02460076
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02460F2E
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 024600AC
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02460F13
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 024600BD
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02460040
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0246001B
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02460F4B
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02460FCA
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02460FE5
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0246009B
.text C:\WINDOWS\system32\svchost.exe[1324] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 024A0FC3
.text C:\WINDOWS\system32\svchost.exe[1324] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 024A0043
.text C:\WINDOWS\system32\svchost.exe[1324] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 024A0FD4
.text C:\WINDOWS\system32\svchost.exe[1324] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 024A0014
.text C:\WINDOWS\system32\svchost.exe[1324] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 024A0F7C
.text C:\WINDOWS\system32\svchost.exe[1324] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 024A0FEF
.text C:\WINDOWS\system32\svchost.exe[1324] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 024A0F8D
.text C:\WINDOWS\system32\svchost.exe[1324] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [6A, 8A] {PUSH -0x76}
.text C:\WINDOWS\system32\svchost.exe[1324] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 024A0FB2
.text C:\WINDOWS\system32\svchost.exe[1324] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0249004C
.text C:\WINDOWS\system32\svchost.exe[1324] msvcrt.dll!system 77C293C7 5 Bytes JMP 02490FC1
.text C:\WINDOWS\system32\svchost.exe[1324] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02490027
.text C:\WINDOWS\system32\svchost.exe[1324] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0249000C
.text C:\WINDOWS\system32\svchost.exe[1324] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02490FD2
.text C:\WINDOWS\system32\svchost.exe[1324] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02490FEF
.text C:\WINDOWS\system32\svchost.exe[1324] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02480FE5
.text C:\WINDOWS\system32\svchost.exe[1416] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00D40FE5
.text C:\WINDOWS\system32\svchost.exe[1416] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00D4001B
.text C:\WINDOWS\system32\svchost.exe[1416] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D40000
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D30FEF
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D3009A
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D3007F
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D30064
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D30047
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D30FC0
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D30F5E
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D30F6F
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D300D5
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D30F3C
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D300F0
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D30FA5
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D3000A
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D30F8A
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D30036
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D3001B
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D30F4D
.text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D70FD4
.text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D70FA8
.text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D70025
.text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D7000A
.text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D70FB9
.text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D70FEF
.text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D7005B
.text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D7004A
.text C:\WINDOWS\system32\svchost.exe[1416] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D60051
.text C:\WINDOWS\system32\svchost.exe[1416] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D60FBC
.text C:\WINDOWS\system32\svchost.exe[1416] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D60022
.text C:\WINDOWS\system32\svchost.exe[1416] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D60000
.text C:\WINDOWS\system32\svchost.exe[1416] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D60FCD
.text C:\WINDOWS\system32\svchost.exe[1416] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D60011
.text C:\WINDOWS\system32\svchost.exe[1416] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D50FEF
.text C:\WINDOWS\System32\svchost.exe[1540] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 05E80FEF
.text C:\WINDOWS\System32\svchost.exe[1540] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 05E80FCA
.text C:\WINDOWS\System32\svchost.exe[1540] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 05E80000
.text C:\WINDOWS\System32\svchost.exe[1540] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 05D30000
.text C:\WINDOWS\System32\svchost.exe[1540] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 05D30073
.text C:\WINDOWS\System32\svchost.exe[1540] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 05D30F7E
.text C:\WINDOWS\System32\svchost.exe[1540] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 05D30FA5
.text C:\WINDOWS\System32\svchost.exe[1540] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 05D30062
.text C:\WINDOWS\System32\svchost.exe[1540] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 05D30FC0
.text C:\WINDOWS\System32\svchost.exe[1540] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 05D300B5
.text C:\WINDOWS\System32\svchost.exe[1540] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 05D300A4
.text C:\WINDOWS\System32\svchost.exe[1540] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 05D300E8
.text C:\WINDOWS\System32\svchost.exe[1540] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 05D300D7
.text C:\WINDOWS\System32\svchost.exe[1540] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 05D30F34
.text C:\WINDOWS\System32\svchost.exe[1540] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 05D30051
.text C:\WINDOWS\System32\svchost.exe[1540] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 05D3001B
.text C:\WINDOWS\System32\svchost.exe[1540] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 05D30F6D
.text C:\WINDOWS\System32\svchost.exe[1540] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 05D30FD1
.text C:\WINDOWS\System32\svchost.exe[1540] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 05D3002C
.text C:\WINDOWS\System32\svchost.exe[1540] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 05D300C6
.text C:\WINDOWS\System32\svchost.exe[1540] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 05F30FCA
.text C:\WINDOWS\System32\svchost.exe[1540] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 05F30073
.text C:\WINDOWS\System32\svchost.exe[1540] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 05F3001B
.text C:\WINDOWS\System32\svchost.exe[1540] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 05F3000A
.text C:\WINDOWS\System32\svchost.exe[1540] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 05F30058
.text C:\WINDOWS\System32\svchost.exe[1540] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 05F30FEF
.text C:\WINDOWS\System32\svchost.exe[1540] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 05F30047
.text C:\WINDOWS\System32\svchost.exe[1540] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 05F30036
.text C:\WINDOWS\System32\svchost.exe[1540] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 05F20F9C
.text C:\WINDOWS\System32\svchost.exe[1540] msvcrt.dll!system 77C293C7 5 Bytes JMP 05F20FAD
.text C:\WINDOWS\System32\svchost.exe[1540] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 05F20027
.text C:\WINDOWS\System32\svchost.exe[1540] msvcrt.dll!_open 77C2F566 5 Bytes JMP 05F2000C
.text C:\WINDOWS\System32\svchost.exe[1540] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 05F20FC8
.text C:\WINDOWS\System32\svchost.exe[1540] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 05F20FE3
.text C:\WINDOWS\System32\svchost.exe[1540] WS2_32.dll!socket 71AB4211 5 Bytes JMP 05F10000
.text C:\WINDOWS\System32\svchost.exe[1540] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 05D40000
.text C:\WINDOWS\System32\svchost.exe[1540] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 05D40011
.text C:\WINDOWS\System32\svchost.exe[1540] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 05D40022
.text C:\WINDOWS\System32\svchost.exe[1540] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 05D40047
.text C:\WINDOWS\system32\svchost.exe[1692] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00820000
.text C:\WINDOWS\system32\svchost.exe[1692] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00820FD1
.text C:\WINDOWS\system32\svchost.exe[1692] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00820011
.text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0081000A
.text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0081007D
.text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00810F88
.text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00810062
.text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00810FA5
.text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00810FCA
.text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00810F52
.text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0081009A
.text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008100BF
.text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00810F26
.text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 008100DA
.text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00810047
.text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00810025
.text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00810F63
.text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00810FDB
.text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00810036
.text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00810F41
.text C:\WINDOWS\system32\svchost.exe[1692] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00850FAF
.text C:\WINDOWS\system32\svchost.exe[1692] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00850F5E
.text C:\WINDOWS\system32\svchost.exe[1692] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00850000
.text C:\WINDOWS\system32\svchost.exe[1692] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00850FCA
.text C:\WINDOWS\system32\svchost.exe[1692] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00850F6F
.text C:\WINDOWS\system32\svchost.exe[1692] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00850FE5
.text C:\WINDOWS\system32\svchost.exe[1692] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00850011
.text C:\WINDOWS\system32\svchost.exe[1692] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00850F94
.text C:\WINDOWS\system32\svchost.exe[1692] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00840FB9
.text C:\WINDOWS\system32\svchost.exe[1692] msvcrt.dll!system 77C293C7 5 Bytes JMP 00840FD4
.text C:\WINDOWS\system32\svchost.exe[1692] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0084003A
.text C:\WINDOWS\system32\svchost.exe[1692] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0084000C
.text C:\WINDOWS\system32\svchost.exe[1692] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00840FEF
.text C:\WINDOWS\system32\svchost.exe[1692] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00840029
.text C:\WINDOWS\system32\svchost.exe[1692] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00830FEF
.text C:\WINDOWS\system32\svchost.exe[1788] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 009E0FEF
.text C:\WINDOWS\system32\svchost.exe[1788] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 009E0014
.text C:\WINDOWS\system32\svchost.exe[1788] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009E0FDE
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009D0FEF
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009D005B
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009D0F70
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009D004A
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009D0039
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009D0F9E
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009D0087
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009D0F4B
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009D0EFF
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009D0098
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009D00A9
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009D0F8D
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009D0000
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009D006C
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009D0FAF
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009D0FCA
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009D0F24
.text C:\WINDOWS\system32\svchost.exe[1788] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A50FC0
.text C:\WINDOWS\system32\svchost.exe[1788] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A5006C
.text C:\WINDOWS\system32\svchost.exe[1788] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A50011
.text C:\WINDOWS\system32\svchost.exe[1788] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A50000
.text C:\WINDOWS\system32\svchost.exe[1788] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A5005B
.text C:\WINDOWS\system32\svchost.exe[1788] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A50FEF
.text C:\WINDOWS\system32\svchost.exe[1788] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00A50040
.text C:\WINDOWS\system32\svchost.exe[1788] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A50FAF
.text C:\WINDOWS\system32\svchost.exe[1788] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A0004E
.text C:\WINDOWS\system32\svchost.exe[1788] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A0003D
.text C:\WINDOWS\system32\svchost.exe[1788] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A00FC3
.text C:\WINDOWS\system32\svchost.exe[1788] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A00FEF
.text C:\WINDOWS\system32\svchost.exe[1788] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A00018
.text C:\WINDOWS\system32\svchost.exe[1788] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A00FDE
.text C:\WINDOWS\system32\svchost.exe[1788] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009F0FEF
.text C:\WINDOWS\Explorer.EXE[1928] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01420000
.text C:\WINDOWS\Explorer.EXE[1928] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 01420FCA
.text C:\WINDOWS\Explorer.EXE[1928] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01420FE5
.text C:\WINDOWS\Explorer.EXE[1928] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01410FE5
.text C:\WINDOWS\Explorer.EXE[1928] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01410F63
.text C:\WINDOWS\Explorer.EXE[1928] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01410058
.text C:\WINDOWS\Explorer.EXE[1928] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01410047
.text C:\WINDOWS\Explorer.EXE[1928] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01410F8A
.text C:\WINDOWS\Explorer.EXE[1928] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01410FC0
.text C:\WINDOWS\Explorer.EXE[1928] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01410F37
.text C:\WINDOWS\Explorer.EXE[1928] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01410073
.text C:\WINDOWS\Explorer.EXE[1928] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01410F12
.text C:\WINDOWS\Explorer.EXE[1928] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 014100AB
.text C:\WINDOWS\Explorer.EXE[1928] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01410F01
.text C:\WINDOWS\Explorer.EXE[1928] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01410FAF
.text C:\WINDOWS\Explorer.EXE[1928] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01410000
.text C:\WINDOWS\Explorer.EXE[1928] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01410F52
.text C:\WINDOWS\Explorer.EXE[1928] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01410022
.text C:\WINDOWS\Explorer.EXE[1928] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01410011
.text C:\WINDOWS\Explorer.EXE[1928] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01410090
.text C:\WINDOWS\Explorer.EXE[1928] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01400011
.text C:\WINDOWS\Explorer.EXE[1928] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0140006C
.text C:\WINDOWS\Explorer.EXE[1928] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01400FC0
.text C:\WINDOWS\Explorer.EXE[1928] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01400000
.text C:\WINDOWS\Explorer.EXE[1928] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0140005B
.text C:\WINDOWS\Explorer.EXE[1928] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01400FE5
.text C:\WINDOWS\Explorer.EXE[1928] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01400040
.text C:\WINDOWS\Explorer.EXE[1928] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01400FAF
.text C:\WINDOWS\Explorer.EXE[1928] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0145002E
.text C:\WINDOWS\Explorer.EXE[1928] msvcrt.dll!system 77C293C7 5 Bytes JMP 0145001D
.text C:\WINDOWS\Explorer.EXE[1928] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01450FC8
.text C:\WINDOWS\Explorer.EXE[1928] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01450000
.text C:\WINDOWS\Explorer.EXE[1928] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01450FAD
.text C:\WINDOWS\Explorer.EXE[1928] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01450FE3
.text C:\WINDOWS\Explorer.EXE[1928] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01430FEF
.text C:\WINDOWS\Explorer.EXE[1928] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0143000A
.text C:\WINDOWS\Explorer.EXE[1928] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01430FD4
.text C:\WINDOWS\Explorer.EXE[1928] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 01430FB9
.text C:\WINDOWS\Explorer.EXE[1928] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01440000
.text C:\WINDOWS\system32\SearchIndexer.exe[2788] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Messenger\msmsgs.exe[3216] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00080FEF
.text C:\Program Files\Messenger\msmsgs.exe[3216] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00080011
.text C:\Program Files\Messenger\msmsgs.exe[3216] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00080000
.text C:\Program Files\Messenger\msmsgs.exe[3216] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0FEF
.text C:\Program Files\Messenger\msmsgs.exe[3216] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0071
.text C:\Program Files\Messenger\msmsgs.exe[3216] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0F7C
.text C:\Program Files\Messenger\msmsgs.exe[3216] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0F97
.text C:\Program Files\Messenger\msmsgs.exe[3216] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0FA8
.text C:\Program Files\Messenger\msmsgs.exe[3216] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0FD4
.text C:\Program Files\Messenger\msmsgs.exe[3216] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B00A9
.text C:\Program Files\Messenger\msmsgs.exe[3216] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B0F57
.text C:\Program Files\Messenger\msmsgs.exe[3216] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B0F32
.text C:\Program Files\Messenger\msmsgs.exe[3216] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B00CB
.text C:\Program Files\Messenger\msmsgs.exe[3216] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B0F21
.text C:\Program Files\Messenger\msmsgs.exe[3216] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B0FC3
.text C:\Program Files\Messenger\msmsgs.exe[3216] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B0014
.text C:\Program Files\Messenger\msmsgs.exe[3216] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B0082
.text C:\Program Files\Messenger\msmsgs.exe[3216] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B004A
.text C:\Program Files\Messenger\msmsgs.exe[3216] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B0025
.text C:\Program Files\Messenger\msmsgs.exe[3216] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B00BA
.text C:\Program Files\Messenger\msmsgs.exe[3216] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0027
.text C:\Program Files\Messenger\msmsgs.exe[3216] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A0F9C
.text C:\Program Files\Messenger\msmsgs.exe[3216] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A0FC1
.text C:\Program Files\Messenger\msmsgs.exe[3216] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0FEF
.text C:\Program Files\Messenger\msmsgs.exe[3216] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A000C
.text C:\Program Files\Messenger\msmsgs.exe[3216] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A0FDE
.text C:\Program Files\Messenger\msmsgs.exe[3216] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002B002C
.text C:\Program Files\Messenger\msmsgs.exe[3216] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002B0F94
.text C:\Program Files\Messenger\msmsgs.exe[3216] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002B001B
.text C:\Program Files\Messenger\msmsgs.exe[3216] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002B0FE5
.text C:\Program Files\Messenger\msmsgs.exe[3216] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002B0FB9
.text C:\Program Files\Messenger\msmsgs.exe[3216] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002B0000
.text C:\Program Files\Messenger\msmsgs.exe[3216] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002B0051
.text C:\Program Files\Messenger\msmsgs.exe[3216] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002B0FCA
.text C:\Program Files\Messenger\msmsgs.exe[3216] WS2_32.dll!socket 71AB4211 5 Bytes JMP 002C0000
.text C:\Program Files\Messenger\msmsgs.exe[3216] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 002D0000
.text C:\Program Files\Messenger\msmsgs.exe[3216] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 002D0FE5
.text C:\Program Files\Messenger\msmsgs.exe[3216] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 002D0011
.text C:\Program Files\Messenger\msmsgs.exe[3216] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 002D0FC0
.text C:\Program Files\Mozilla Firefox\firefox.exe[4328] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00401410 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4328] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 019B1D10 C:\Documents and Settings\Jon\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll (FLV Service Library for Freecorder/Applian Technologies, Inc.)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4328] kernel32.dll!GetTempFileNameW 7C8359E7 5 Bytes JMP 019B2040 C:\Documents and Settings\Jon\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll (FLV Service Library for Freecorder/Applian Technologies, Inc.)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4328] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 0075000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[4328] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0072000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[4328] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 0071000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[4328] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0073000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[4328] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 0074000A
.text C:\WINDOWS\system32\wuauclt.exe[4512] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00090FE5
.text C:\WINDOWS\system32\wuauclt.exe[4512] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00090FCA
.text C:\WINDOWS\system32\wuauclt.exe[4512] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00090000
.text C:\WINDOWS\system32\wuauclt.exe[4512] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001C0FEF
.text C:\WINDOWS\system32\wuauclt.exe[4512] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001C0062
.text C:\WINDOWS\system32\wuauclt.exe[4512] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001C0051
.text C:\WINDOWS\system32\wuauclt.exe[4512] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001C0F77
.text C:\WINDOWS\system32\wuauclt.exe[4512] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001C0040
.text C:\WINDOWS\system32\wuauclt.exe[4512] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001C002F
.text C:\WINDOWS\system32\wuauclt.exe[4512] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001C009A
.text C:\WINDOWS\system32\wuauclt.exe[4512] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001C0F52
.text C:\WINDOWS\system32\wuauclt.exe[4512] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001C0F1C
.text C:\WINDOWS\system32\wuauclt.exe[4512] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001C00BF
.text C:\WINDOWS\system32\wuauclt.exe[4512] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001C0F0B
.text C:\WINDOWS\system32\wuauclt.exe[4512] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001C0FA8
.text C:\WINDOWS\system32\wuauclt.exe[4512] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001C0FD4
.text C:\WINDOWS\system32\wuauclt.exe[4512] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001C0073
.text C:\WINDOWS\system32\wuauclt.exe[4512] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001C001E
.text C:\WINDOWS\system32\wuauclt.exe[4512] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001C0FC3
.text C:\WINDOWS\system32\wuauclt.exe[4512] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001C0F41
.text C:\WINDOWS\system32\wuauclt.exe[4512] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002B0047
.text C:\WINDOWS\system32\wuauclt.exe[4512] msvcrt.dll!system 77C293C7 5 Bytes JMP 002B0FBC
.text C:\WINDOWS\system32\wuauclt.exe[4512] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002B001B
.text C:\WINDOWS\system32\wuauclt.exe[4512] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002B0000
.text C:\WINDOWS\system32\wuauclt.exe[4512] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002B002C
.text C:\WINDOWS\system32\wuauclt.exe[4512] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002B0FE3
.text C:\WINDOWS\system32\wuauclt.exe[4512] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002C001B
.text C:\WINDOWS\system32\wuauclt.exe[4512] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002C0040
.text C:\WINDOWS\system32\wuauclt.exe[4512] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002C0FCA
.text C:\WINDOWS\system32\wuauclt.exe[4512] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002C0FE5
.text C:\WINDOWS\system32\wuauclt.exe[4512] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002C0F83
.text C:\WINDOWS\system32\wuauclt.exe[4512] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002C0000
.text C:\WINDOWS\system32\wuauclt.exe[4512] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002C0F9E
.text C:\WINDOWS\system32\wuauclt.exe[4512] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4C, 88]
.text C:\WINDOWS\system32\wuauclt.exe[4512] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002C0FAF
.text C:\WINDOWS\System32\svchost.exe[5144] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00090000
.text C:\WINDOWS\System32\svchost.exe[5144] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00090025
.text C:\WINDOWS\System32\svchost.exe[5144] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00090FE5
.text C:\WINDOWS\System32\svchost.exe[5144] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0FE5
.text C:\WINDOWS\System32\svchost.exe[5144] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0058
.text C:\WINDOWS\System32\svchost.exe[5144] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0047
.text C:\WINDOWS\System32\svchost.exe[5144] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0036
.text C:\WINDOWS\System32\svchost.exe[5144] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0F79
.text C:\WINDOWS\System32\svchost.exe[5144] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0025
.text C:\WINDOWS\System32\svchost.exe[5144] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B0F35
.text C:\WINDOWS\System32\svchost.exe[5144] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B007D
.text C:\WINDOWS\System32\svchost.exe[5144] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B0EFF
.text C:\WINDOWS\System32\svchost.exe[5144] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B0098
.text C:\WINDOWS\System32\svchost.exe[5144] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B00A9
.text C:\WINDOWS\System32\svchost.exe[5144] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B0F9E
.text C:\WINDOWS\System32\svchost.exe[5144] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B0000
.text C:\WINDOWS\System32\svchost.exe[5144] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B0F52
.text C:\WINDOWS\System32\svchost.exe[5144] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B0FAF
.text C:\WINDOWS\System32\svchost.exe[5144] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B0FCA
.text C:\WINDOWS\System32\svchost.exe[5144] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B0F1A
.text C:\WINDOWS\System32\svchost.exe[5144] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002A0FCA
.text C:\WINDOWS\System32\svchost.exe[5144] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002A0F8D
.text C:\WINDOWS\System32\svchost.exe[5144] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002A0FDB
.text C:\WINDOWS\System32\svchost.exe[5144] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002A001B
.text C:\WINDOWS\System32\svchost.exe[5144] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002A0F9E
.text C:\WINDOWS\System32\svchost.exe[5144] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002A0000
.text C:\WINDOWS\System32\svchost.exe[5144] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002A0FAF
.text C:\WINDOWS\System32\svchost.exe[5144] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4A, 88]
.text C:\WINDOWS\System32\svchost.exe[5144] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002A0036
.text C:\WINDOWS\System32\svchost.exe[5144] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003F0FCF
.text C:\WINDOWS\System32\svchost.exe[5144] msvcrt.dll!system 77C293C7 5 Bytes JMP 003F005A
.text C:\WINDOWS\System32\svchost.exe[5144] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003F002E
.text C:\WINDOWS\System32\svchost.exe[5144] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003F0000
.text C:\WINDOWS\System32\svchost.exe[5144] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003F0049
.text C:\WINDOWS\System32\svchost.exe[5144] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003F001D
.text C:\WINDOWS\System32\svchost.exe[5144] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009C0FEF
.text C:\WINDOWS\system32\wuauclt.exe[5672] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00090FE5
.text C:\WINDOWS\system32\wuauclt.exe[5672] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00090025
.text C:\WINDOWS\system32\wuauclt.exe[5672] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0009000A
.text C:\WINDOWS\system32\wuauclt.exe[5672] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001C000A
.text C:\WINDOWS\system32\wuauclt.exe[5672] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001C0F94
.text C:\WINDOWS\system32\wuauclt.exe[5672] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001C0089
.text C:\WINDOWS\system32\wuauclt.exe[5672] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001C0078
.text C:\WINDOWS\system32\wuauclt.exe[5672] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001C0051
.text C:\WINDOWS\system32\wuauclt.exe[5672] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001C0FC3
.text C:\WINDOWS\system32\wuauclt.exe[5672] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001C00DC
.text C:\WINDOWS\system32\wuauclt.exe[5672] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001C00B5
.text C:\WINDOWS\system32\wuauclt.exe[5672] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001C0108
.text C:\WINDOWS\system32\wuauclt.exe[5672] kernel32.dll!CreateProcessA 7C80236B 1 Byte [E9]
.text C:\WINDOWS\system32\wuauclt.exe[5672] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001C0F6F
.text C:\WINDOWS\system32\wuauclt.exe[5672] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001C0119
.text C:\WINDOWS\system32\wuauclt.exe[5672] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001C0040
.text C:\WINDOWS\system32\wuauclt.exe[5672] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001C0FE5
.text C:\WINDOWS\system32\wuauclt.exe[5672] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001C00A4
.text C:\WINDOWS\system32\wuauclt.exe[5672] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001C0FD4
.text C:\WINDOWS\system32\wuauclt.exe[5672] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001C001B
.text C:\WINDOWS\system32\wuauclt.exe[5672] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001C00ED
.text C:\WINDOWS\system32\wuauclt.exe[5672] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002B004C
.text C:\WINDOWS\system32\wuauclt.exe[5672] msvcrt.dll!system 77C293C7 5 Bytes JMP 002B0FC1
.text C:\WINDOWS\system32\wuauclt.exe[5672] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002B0027
.text C:\WINDOWS\system32\wuauclt.exe[5672] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002B0FEF
.text C:\WINDOWS\system32\wuauclt.exe[5672] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002B0FD2
.text C:\WINDOWS\system32\wuauclt.exe[5672] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002B000C
.text C:\WINDOWS\system32\wuauclt.exe[5672] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002C0FB2
.text C:\WINDOWS\system32\wuauclt.exe[5672] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002C0040
.text C:\WINDOWS\system32\wuauclt.exe[5672] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002C0FCD
.text C:\WINDOWS\system32\wuauclt.exe[5672] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002C0FDE
.text C:\WINDOWS\system32\wuauclt.exe[5672] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002C0025
.text C:\WINDOWS\system32\wuauclt.exe[5672] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002C0FEF
.text C:\WINDOWS\system32\wuauclt.exe[5672] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002C0014
.text C:\WINDOWS\system32\wuauclt.exe[5672] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002C0F8D
.text C:\WINDOWS\system32\wuauclt.exe[5672] WS2_32.dll!socket 71AB4211 5 Bytes JMP 003D0000
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5828] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F91D10 C:\Documents and Settings\Jon\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll (FLV Service Library for Freecorder/Applian Technologies, Inc.)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5828] kernel32.dll!GetTempFileNameW 7C8359E7 5 Bytes JMP 00F92040 C:\Documents and Settings\Jon\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll (FLV Service Library for Freecorder/Applian Technologies, Inc.)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5828] USER32.dll!SetWindowLongA 7E42C29D 5 Bytes JMP 1068F0D7 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5828] USER32.dll!SetWindowLongW 7E42C2BB 5 Bytes JMP 1068F069 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5828] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 104A56CB C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5828] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 104A5CE7 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- Threads - GMER 1.0.15 ----

Thread System [4:140] 8ACDCE7A
Thread System [4:144] 8ACDF008

---- Files - GMER 1.0.15 ----

File C:\Tax\Tax00 0 bytes
File C:\Tax\Tax01 0 bytes
File C:\Tax\Tax01\2001 Trost J Tax Return.tax 299313 bytes
File C:\Tax\Tax02 0 bytes
File C:\Tax\Tax02\2002 Tax Return.pdf 46800 bytes
File C:\Tax\Tax02\2002 Tax Return.tax 218729 bytes
File C:\Tax\Tax03 0 bytes
File C:\Tax\Tax03\2003 Trost J Tax Return.tax 440997 bytes
File C:\Tax\Tax03\2003 Trost J Tax ReturnFile.pdf 87665 bytes
File C:\Tax\Tax03\2003 Trost J Tax ReturnMain.pdf 54063 bytes
File C:\Tax\Tax04 0 bytes
File C:\Tax\Tax04\2004 Trost J Tax Return.pdf 51465 bytes
File C:\Tax\Tax04\2004 Trost J Tax Return.tax 345296 bytes
File C:\Tax\Tax05 0 bytes
File C:\Tax\Tax05\2005 Trost J Tax Return.tax 299328 bytes
File C:\Tax\Tax06 0 bytes
File C:\Tax\Tax06\2005_Trades.doc 22016 bytes
File C:\Tax\Tax06\2006 Trost J Tax Return.tax 389200 bytes
File C:\Tax\Tax06\2006 Trost J Tax ReturnB.tax 354080 bytes
File C:\Tax\Tax06\IRS_4_28_07.doc 23040 bytes
File C:\Tax\Tax07 0 bytes
File C:\Tax\Tax07\2007 Trost J Tax Return.tax 476832 bytes
File C:\Tax\Tax08 0 bytes
File C:\Tax\Tax08\2008 Trost J Form 1040 Individual Tax Return.tax2008 531848 bytes
File C:\Tax\Tax08\2008_temp_pdf_file.pdf 69959 bytes
File C:\Tax\Tax09 0 bytes
File C:\Tax\Tax09\2009 Trost J Form 1040 Individual Tax Return.tax2009 587840 bytes
File C:\Tax\Tax09\2009 Trost J Form 1040 Individual Tax Return.tax2009.pdf 109245 bytes
File C:\Tax\Tax10 0 bytes
File C:\Tax\Tax10\2010 Trost J Form 1040 Individual Tax Return.pdf 99004 bytes
File C:\Tax\Tax10\2010 Trost J Form 1040 Individual Tax Return.tax2010 574592 bytes
File C:\Tax\Tax10\TurboTax_Print_Preview_03-13-2011T23.59.35.843.pdf 97181 bytes
File C:\Tax\Tax98 0 bytes
File C:\Tax\Tax98\1998 Trost J Tax Return.tax 139228 bytes
File C:\Tax\Tax99 0 bytes
File C:\Tax\Tax99\info.tax 151407 bytes
File C:\Tax\uninstall.log 18 bytes
File C:\Test1\PaperRockScissors 0 bytes

---- EOF - GMER 1.0.15 ----

Edited by Orange Blossom, 09 August 2011 - 10:19 PM.
Merged topics. ~ OB
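
The ".text" lines in the GMER section above are its user-mode hook listing: each names a process, an exported function whose first bytes have been overwritten, and where the patched JMP lands. GMER appends a module path when it can map the target to a loaded DLL (FLVSrvLib.dll, xul.dll, MSSRCH.DLL); the many entries with a bare target such as 00810F26 or 0075000A point into memory it could not attribute to any module. The script below is a triage aid added here as an illustration; it is not part of this thread, of GMER, or of any tool named in it. It parses lines in this format, separates attributed from unattributed hooks per process, flags unattributed hooks on name-resolution and connect exports (the ones most relevant to a redirect complaint), and shows how the 5-byte E9 rel32 patch that GMER reports as "JMP target" is encoded and decoded. The sample lines are copied from the log above; the NETWORK_EXPORTS list and the three classification labels are the example's own choices, not GMER terminology.

```python
"""Triage of GMER user-mode hook lines (".text proc[pid] module!export ...").

Added example for this thread; not part of GMER or of the posts above.
SAMPLE_LOG is a handful of lines copied from the GMER output in the thread.
"""
import re
import struct
from collections import defaultdict

# One GMER ".text" line. Optional pieces: "+ N" offset into the export,
# a JMP target or a raw byte list, and the owning module GMER resolved.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<mod>[^!\s]+)!(?P<func>\S+)(?:\s\+\s(?P<off>\d+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+)\s+Bytes?\s+"
    r"(?:JMP\s+(?P<target>[0-9A-Fa-f]{8})|\[(?P<raw>[^\]]*)\])"
    r"(?:\s+(?P<owner>[A-Za-z]:\\.*?)\s+\((?P<desc>[^)]*)\))?\s*$"
)

SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00810F26
.text C:\WINDOWS\system32\svchost.exe[1692] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00830FEF
.text C:\WINDOWS\system32\SearchIndexer.exe[2788] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4328] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 019B1D10 C:\Documents and Settings\Jon\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll (FLV Service Library for Freecorder/Applian Technologies, Inc.)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4328] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 0075000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[4328] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 0071000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[4328] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 0074000A
.text C:\WINDOWS\system32\wuauclt.exe[4512] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002C0F9E
.text C:\WINDOWS\system32\wuauclt.exe[4512] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4C, 88]
"""

# Exports an interceptor must own to steer a browser's lookups and connects
# (example's own list, not a GMER category).
NETWORK_EXPORTS = {"WS2_32.dll!getaddrinfo", "WS2_32.dll!gethostbyname",
                   "WS2_32.dll!connect", "WS2_32.dll!send", "WS2_32.dll!socket",
                   "WININET.dll!InternetOpenUrlA", "WININET.dll!InternetOpenUrlW"}


def parse_hooks(text):
    """Return one dict per parseable ".text" line; other lines are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        hooks.append({
            "proc": d["proc"], "pid": int(d["pid"]),
            "export": f'{d["mod"]}!{d["func"]}', "offset": int(d["off"] or 0),
            "addr": int(d["addr"], 16), "nbytes": int(d["n"]),
            "target": int(d["target"], 16) if d["target"] else None,
            "raw": d["raw"], "owner": d["owner"], "desc": d["desc"],
        })
    return hooks


def classify(hook):
    """attributed: GMER mapped the JMP target to a module on disk.
    anonymous:  JMP into memory GMER could not tie to a module (injected
                code, a security suite's shim, or a DLL that unmapped itself).
    partial:    raw bytes at an offset, normally the tail of a longer patch."""
    if hook["owner"]:
        return "attributed"
    return "anonymous" if hook["target"] is not None else "partial"


def triage(hooks):
    """Per process: counts, plus the anonymous hooks that need explaining."""
    report = defaultdict(lambda: {"attributed": 0, "anonymous": [], "partial": 0})
    for h in hooks:
        entry, kind = report[(h["proc"], h["pid"])], classify(h)
        if kind == "anonymous":
            entry["anonymous"].append(h["export"])
        else:
            entry[kind] += 1
    return dict(report)


def redirect_suspects(hooks):
    """Anonymous hooks on resolver/connect exports, sorted for stable output."""
    return sorted({(h["proc"], h["export"]) for h in hooks
                   if classify(h) == "anonymous" and h["export"] in NETWORK_EXPORTS})


def encode_rel_jmp(addr, target):
    """The 5-byte E9 rel32 patch GMER reports as 'JMP target' when it sits at
    addr; x86 rel32 is measured from the end of the 5-byte instruction."""
    return b"\xE9" + struct.pack("<i", target - (addr + 5))


def decode_rel_jmp(addr, patch):
    """Inverse: absolute target of an E9 rel32 read at addr, or None."""
    if len(patch) < 5 or patch[0] != 0xE9:
        return None
    (rel,) = struct.unpack("<i", patch[1:5])
    return (addr + 5 + rel) & 0xFFFFFFFF


if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_LOG)
    for (proc, pid), e in triage(hooks).items():
        print(f"{proc}[{pid}]: {e['attributed']} attributed, "
              f"{len(e['anonymous'])} anonymous, {e['partial']} partial")
    for proc, export in redirect_suspects(hooks):
        print("explain:", proc, export)
```

Host-intrusion-prevention components of security suites hook the same kernel32, ADVAPI32 and WS2_32 exports, so the "anonymous" bucket is a list of things to account for (by matching the target ranges against the process's loaded modules, or by temporarily disabling the suite and rescanning), not a verdict. The one thing the script will not tell you is what sits at 0075000A in firefox.exe; that still takes a memory dump or a debugger.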


#3 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:06 AM

Posted 10 August 2011 - 02:11 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything else while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait until the scanner has finished, then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning. It is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


"just click on Cancel, then Accept".

information and logs:

  • In your next post I need the following

  • logs from DDS
  • log from RKUnHooker
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#4 jcomp101

jcomp101
  • Topic Starter

  • Members
  • 9 posts
  • Local time:07:06 AM

Posted 11 August 2011 - 06:39 PM

Hello Gringo:
Thanks for looking into my computer issue. An unusual (and positive) issue has occurred. For some reason, the printer issue has been resolved. I noticed during my last Microsoft Update, that a Malware tool was included. Perhaps it restored things automatically, I don't really know. That was obviously the most severe problem. The redirect remains.
Here are the logs you requested.

First DDS.txt:

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Jon at 16:19:10 on 2011-08-11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3061.1790 [GMT -7:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Qwest\Desktop\QwestTouchPointAgent.exe
C:\Program Files\Qwest\Quickcare\bin\sprtcmd.exe
C:\Program Files\Freecorder\FLVSrvc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
C:\Program Files\PKWARE\PKZIPM\12.51.0004\PKTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Qwest\Quickcare\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Qwest\Quickcare\bin\tgsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Microsoft Silverlight\sllauncher.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
uWindow Title = Windows Internet Explorer provided by MSN & Bing
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110723100019.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [3Z1Y3ZXH5C1H8B9XH] c:\usxxxxxxxx\usxxxxxxxx.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [vGJlwIuWtiWKYpr] c:\documents and settings\all users\application data\vGJlwIuWtiWKYpr.exe
uRun: [16441124] c:\documents and settings\all users\application data\16441124.exe
uRun: [aNltCtwlp9e6] c:\docume~1\alluse~1\applic~1\aNltCtwlp9e6.exe
uRun: [Security Protection] c:\documents and settings\all users\application data\defender.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Dell DataSafe Online] "c:\program files\dell datasafe online\DataSafeOnline.exe" /m
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QwestTouchPointAgent] "c:\program files\qwest\desktop\QwestTouchPointAgent.exe" /autostart
mRun: [QuickCare] c:\program files\qwest\quickcare\bin\sprtcmd.exe /P QuickCare
mRun: [Freecorder FLV Service] "c:\program files\freecorder\FLVSrvc.exe" /run
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [<NO NAME>]
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\miniey~1.lnk - c:\program files\infinite mind lc\eyeq\ARLaunch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pkzipa~1.lnk - c:\program files\pkware\pkzipm\12.51.0004\PKTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {35B7E48B-9D81-4C6C-9578-5FD4F620D886} - hxxp://host1.telechart.tv/tcinstall/setup.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
TCP: Interfaces\{52AEBAF5-8E06-45C8-9128-80C463C01F25} : DhcpNameServer = 192.168.0.1 205.171.3.25
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\jon\application data\mozilla\firefox\profiles\ep4vswg1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoofinance.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\web platform installer\NPWPIDetector.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-3-13 459728]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-6-2 89368]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-6-2 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-6-2 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-6-2 214904]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-6-2 214904]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-6-2 165000]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-6-2 159832]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-6-2 148520]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\common files\supportsoft\bin\sprtlisten.exe [2009-3-19 1213728]
R2 sprtsvc_quickcare;SupportSoft Sprocket Service (quickcare);c:\program files\qwest\quickcare\bin\sprtsvc.exe [2011-4-11 206120]
R2 tgsrvc_quickcare;SupportSoft Repair Service (quickcare);c:\program files\qwest\quickcare\bin\tgsrvc.exe [2011-4-11 185640]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-6-2 57432]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-6-2 179248]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-6-2 59288]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-6-2 337912]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-6-2 83688]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 MsDepSvc;Web Deployment Agent Service;c:\program files\iis\microsoft web deploy\MsDepSvc.exe [2011-4-1 67400]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-6-2 83688]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-6-2 85984]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-22 47128]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]
.
=============== Created Last 30 ================
.
2011-08-10 23:14:52 -------- d-----w- c:\program files\common files\HP
2011-08-09 00:16:03 -------- d-----w- c:\documents and settings\jon\application data\ElevatedDiagnostics
2011-08-08 15:11:39 635392 ----a-w- c:\windows\system32\authorize.dll
2011-08-08 15:11:39 -------- d-----w- c:\program files\Elemental Trader 1.5
2011-08-08 15:04:01 -------- d-----w- C:\ElemTrader
2011-07-23 17:00:19 24376 ---ha-w- c:\program files\mozilla firefox\distribution\bundles\{d19ca586-dd6c-4a0a-96f8-14644f340d60}\components\scriptff.dll
2011-07-15 06:43:19 -------- d-----w- C:\Harricharin
.
==================== Find3M ====================
.
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ------w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ------w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-18 15:55:58 0 ---ha-w- c:\documents and settings\jon\jvvpmdtqrd.tmp
2011-06-11 10:47:08 743760 ----a-w- c:\windows\system32\msvcp100d.dll
2011-06-11 10:47:08 1505104 ----a-w- c:\windows\system32\msvcr100d.dll
2011-06-11 10:41:04 7124816 ----a-w- c:\windows\system32\mfc100ud.dll
2011-06-11 10:41:04 7055696 ----a-w- c:\windows\system32\mfc100d.dll
2011-06-11 10:41:04 105296 ----a-w- c:\windows\system32\mfcm100ud.dll
2011-06-11 10:41:04 103760 ----a-w- c:\windows\system32\mfcm100d.dll
2011-06-11 10:32:40 87888 ----a-w- c:\windows\system32\vcomp100d.dll
2011-06-02 14:07:35 1867904 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 16:20:26.98 ===============

END DDS.TXT
=================================================

ATTACH.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 4/24/2009 11:44:16 PM
System Uptime: 8/11/2011 7:59:37 AM (9 hours ago)
.
Motherboard: Dell Inc. | | 0G679R
Processor: Pentium® Dual-Core CPU E5200 @ 2.50GHz | Socket 775 | 2493/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 298 GiB total, 234.729 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP730: 6/11/2011 11:57:45 PM - System Checkpoint
RP731: 6/13/2011 12:43:43 AM - System Checkpoint
RP732: 6/14/2011 7:58:53 AM - System Checkpoint
RP733: 6/15/2011 9:49:36 AM - System Checkpoint
RP734: 6/16/2011 9:52:07 AM - System Checkpoint
RP735: 6/16/2011 12:41:53 PM - Software Distribution Service 3.0
RP736: 6/17/2011 1:37:15 PM - System Checkpoint
RP737: 6/18/2011 6:52:00 PM - Removed VectorVest 7.
RP738: 6/18/2011 7:34:42 PM - Removed VectorVest 7.
RP739: 6/18/2011 7:38:43 PM - Installed VectorVest 7.
RP740: 6/18/2011 9:46:08 PM - Removed VectorVest 7.
RP741: 6/18/2011 9:57:00 PM - Restore Operation
RP742: 6/20/2011 12:20:03 AM - System Checkpoint
RP743: 6/21/2011 11:47:56 AM - System Checkpoint
RP744: 6/22/2011 12:12:15 PM - System Checkpoint
RP745: 6/23/2011 12:31:40 PM - System Checkpoint
RP746: 6/24/2011 1:55:22 PM - System Checkpoint
RP747: 6/25/2011 6:15:24 PM - System Checkpoint
RP748: 6/26/2011 7:21:37 PM - System Checkpoint
RP749: 6/27/2011 7:45:54 PM - System Checkpoint
RP750: 6/28/2011 10:00:50 PM - System Checkpoint
RP751: 6/29/2011 4:12:51 PM - Software Distribution Service 3.0
RP752: 6/29/2011 11:57:31 PM - Software Distribution Service 3.0
RP753: 7/1/2011 11:04:47 AM - System Checkpoint
RP754: 7/2/2011 11:19:47 AM - System Checkpoint
RP755: 7/3/2011 1:58:09 PM - System Checkpoint
RP756: 7/4/2011 2:37:38 PM - System Checkpoint
RP757: 7/5/2011 3:04:35 PM - System Checkpoint
RP758: 7/6/2011 3:55:06 PM - System Checkpoint
RP759: 7/7/2011 8:24:56 PM - System Checkpoint
RP760: 7/8/2011 9:44:00 PM - System Checkpoint
RP761: 7/9/2011 10:15:13 PM - System Checkpoint
RP762: 7/11/2011 9:17:50 AM - System Checkpoint
RP763: 7/12/2011 9:53:35 AM - System Checkpoint
RP764: 7/12/2011 11:06:55 PM - Software Distribution Service 3.0
RP765: 7/13/2011 11:23:19 PM - System Checkpoint
RP766: 7/15/2011 7:37:49 AM - System Checkpoint
RP767: 7/16/2011 11:16:24 AM - Removed VectorVest 7.
RP768: 7/17/2011 12:17:56 PM - System Checkpoint
RP769: 7/18/2011 1:13:06 PM - System Checkpoint
RP770: 7/19/2011 1:52:59 PM - System Checkpoint
RP771: 7/20/2011 3:47:11 PM - System Checkpoint
RP772: 7/22/2011 10:11:10 AM - System Checkpoint
RP773: 7/23/2011 12:32:44 AM - Removed Apple Application Support
RP774: 7/24/2011 2:14:40 AM - System Checkpoint
RP775: 7/25/2011 3:56:40 PM - System Checkpoint
RP776: 7/27/2011 12:35:17 AM - System Checkpoint
RP777: 7/28/2011 11:23:55 AM - System Checkpoint
RP778: 7/29/2011 11:48:30 AM - System Checkpoint
RP779: 7/30/2011 7:49:43 PM - System Checkpoint
RP780: 7/31/2011 8:29:21 PM - System Checkpoint
RP781: 8/1/2011 9:15:09 PM - System Checkpoint
RP782: 8/2/2011 10:14:12 PM - System Checkpoint
RP783: 8/4/2011 8:16:40 AM - System Checkpoint
RP784: 8/5/2011 10:21:34 AM - System Checkpoint
RP785: 8/6/2011 10:25:23 AM - System Checkpoint
RP786: 8/7/2011 6:27:19 PM - System Checkpoint
RP787: 8/8/2011 5:56:56 PM - Software Distribution Service 3.0
RP788: 8/8/2011 6:13:50 PM - Removed HP Photosmart Essential
RP789: 8/9/2011 9:46:37 PM - System Checkpoint
RP790: 8/10/2011 1:17:23 AM - Software Distribution Service 3.0
RP791: 8/11/2011 1:25:19 AM - System Checkpoint
.
==== Installed Programs ======================
.
.
32 Bit HP CIO Components Installer
5700_Help
Acrobat.com
Actiontec Gateway
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.5
AppDev Learning to Program in Visual Csharp 2005 Samples
Apple Software Update
BPD_HPSU
BPD_Scan
BPDfax
BPDSoftware
BPDSoftware_Ini
BufferChm
ClientTools
Compatibility Pack for the 2007 Office system
CustomerResearchQFolder
Dell DataSafe Online
Dell Driver Reset Tool
Dell Support Center (Support Software)
deskPDF 2.5 Standard Edition
Destinations
DeviceManagementQFolder
DocProc
DocProcQFolder
Docudesk GPL Ghostscript 8.15
Elemental Trader 1.5
eSupportQFolder
eyeQ
Free CD Ripper 3.1
Freecorder 4
GoToAssist 8.0.0.514
GoToMeeting 4.5.0.457
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB945282)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB946040)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB946308)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB947540)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB947789)
Hotfix for Microsoft Visual C++ 2010 Express - ENU (KB2565057)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2280741)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2284668)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2295689)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2420513)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2452649)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2455033)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2485545)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB982517)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB982721)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB983233)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB953955)
Hotfix for Windows XP (KB954434)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB958347)
Hotfix for Windows XP (KB958655-v2)
Hotfix for Windows XP (KB959252)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Customer Participation Program 7.0
HP Imaging Device Functions 7.0
HP Officejet All-In-One Series
HP Photosmart Essential
HP Solution Center 7.0
HP Update
HPProductAssistant
IIS 7.5 Express
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Connections Drivers
iSEEK AnswerWorks English Runtime
J5700
Java™ 6 Update 11
Junk Mail filter update
MarketResearch
McAfee SecurityCenter
McAfee Virtual Technician
MemoriesOnWeb 3.1.7
Microsoft .NET Compact Framework 1.0 SP3 Developer
Microsoft .NET Compact Framework 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft .NET Framework 4 Multi-Targeting Pack
Microsoft Application Error Reporting
Microsoft ASP.NET MVC 2
Microsoft ASP.NET MVC 2 - VWD Express 2010 Tools
Microsoft ASP.NET MVC 3
Microsoft ASP.NET MVC 3 - VWD Express 2010 Tools Update
Microsoft ASP.NET Web Pages
Microsoft ASP.NET Web Pages - VWD Express 2010 Tools
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Device Emulator version 1.0 - ENU
Microsoft Document Explorer 2005
Microsoft Help Viewer 1.1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft Silverlight 3 SDK
Microsoft Silverlight 4 SDK
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server 2008
Microsoft SQL Server 2008 Browser
Microsoft SQL Server 2008 Common Files
Microsoft SQL Server 2008 Database Engine Services
Microsoft SQL Server 2008 Database Engine Shared
Microsoft SQL Server 2008 R2 Management Objects
Microsoft SQL Server 2008 R2 Native Client
Microsoft SQL Server 2008 R2 Setup (English)
Microsoft SQL Server 2008 RsFx Driver
Microsoft SQL Server 2008 Setup Support Files
Microsoft SQL Server Compact 3.5 SP1 Design Tools English
Microsoft SQL Server Compact 3.5 SP2 ENU
Microsoft SQL Server Compact 4.0 ENU
Microsoft SQL Server Database Publishing Wizard 1.4
Microsoft SQL Server System CLR Types
Microsoft SQL Server VSS Writer
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C# 2008 Express Edition with SP1 - ENU
Microsoft Visual C# 2010 Express - ENU
Microsoft Visual C++ Compilers 2010 Standard - enu - x86
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Runtime - 10.0.40219
Microsoft Visual C++ 2010 Express - ENU
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Visual Studio 2005 Professional Edition - ENU
Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools
Microsoft Visual Studio 2010 Service Pack 1
Microsoft Visual Studio 2010 Tools for Office Runtime (x86)
Microsoft Visual Web Developer 2010 Express - ENU
Microsoft Web Deploy 2.0
Microsoft Web Platform Installer 3.0
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - enu
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32
Microsoft Works
Mozilla Firefox 5.0.1 (x86 en-US)
MSN
MSVCRT
NuGet
OCR Software by I.R.I.S 7.0
OGA Notifier 2.0.0048.0
Option Master® Deluxe (Demo)
PKZIP for Windows 12.51.0004
ProductContext
QuickConnect
QuickTime
Qwest Installer
Qwest QuickAssist Desktop Tools
Qwest Quickcare 2.7
Realtek High Definition Audio Driver
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Scan
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB2251487)
Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB925674)
Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB937060)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2124261)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2290570)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB970483)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976323)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Segoe UI
Service Pack 1 for SQL Server 2008 (KB968369)
Shiretoko (3.5)
SolutionCenter
Sql Server Customer Experience Improvement Program
Status
StockFinder 5.0
TC2000 v11
TeleChart 2007
thinkorswim
Toolbox
TrayApp
TurboTax 2009
TurboTax 2009 WinPerFedFormset
TurboTax 2009 WinPerReleaseEngine
TurboTax 2009 WinPerTaxSupport
TurboTax 2009 wrapper
TurboTax 2010
TurboTax 2010 WinPerFedFormset
TurboTax 2010 WinPerReleaseEngine
TurboTax 2010 WinPerTaxSupport
TurboTax 2010 wrapper
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB898461)
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VectorVest 7
Visual Studio 2010 SP1 Tools for SQL Server Compact 4.0 ENU
Visual Studio 2010 Tools for SQL Server Compact 3.5 SP2 ENU
WCF RIA Services V1.0 SP1
Web Deployment Tool
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Player 11
Windows PowerShell™ 1.0
Windows Presentation Foundation
Windows Search 4.0
XML Paper Specification Shared Components Pack 1.0
.
==== Event Viewer Messages From Past Week ========
.
8/9/2011 6:58:11 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee Scanner service to connect.
8/9/2011 6:58:11 PM, error: Service Control Manager [7000] - The McAfee Scanner service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/9/2011 6:58:11 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service MCODS with arguments "" in order to run the server: {C98F04D7-CD30-4BB0-B7D7-8DD7448520F2}
8/9/2011 6:56:25 PM, error: System Error [1003] - Error code 100000d1, parameter1 00000000, parameter2 00000002, parameter3 00000000, parameter4 a6686823.
8/9/2011 6:53:05 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000009A' while processing the file 'mcods000.log' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
8/9/2011 6:42:13 PM, error: Srv [2019] - The server was unable to allocate from the system nonpaged pool because the pool was empty.
8/9/2011 6:41:53 PM, error: Service Control Manager [7034] - The McAfee SiteAdvisor Service service terminated unexpectedly. It has done this 1 time(s).
8/9/2011 6:41:53 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
8/9/2011 6:41:53 PM, error: Service Control Manager [7031] - The McAfee VirusScan Announcer service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
8/9/2011 6:41:53 PM, error: Service Control Manager [7031] - The McAfee Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
8/9/2011 6:41:53 PM, error: Service Control Manager [7031] - The McAfee Proxy Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
8/9/2011 6:41:53 PM, error: Service Control Manager [7031] - The McAfee Personal Firewall Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
8/9/2011 6:41:53 PM, error: Service Control Manager [7031] - The McAfee Network Agent service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
8/9/2011 6:41:53 PM, error: Service Control Manager [7031] - The McAfee Anti-Spam Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
8/9/2011 5:06:50 AM, error: Service Control Manager [7023] - The World Wide Web Publishing service terminated with the following error: The path specified cannot be used at this time.
8/9/2011 1:13:16 AM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
8/8/2011 5:22:34 PM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
8/8/2011 5:22:34 PM, error: Service Control Manager [7022] - The Web Deployment Agent Service service hung on starting.
8/8/2011 5:17:44 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 5 time(s).
8/8/2011 5:16:07 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 4 time(s).
8/8/2011 3:10:16 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 3 time(s).
8/8/2011 3:09:08 PM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
8/8/2011 3:08:16 PM, error: Service Control Manager [7023] - The Web Deployment Agent Service service terminated with the following error: %%2148734208
8/8/2011 3:08:09 PM, error: HTTP [15005] - Unable to bind to the underlying transport for 0.0.0.0:80. The IP Listen-Only list may contain a reference to an interface which may not exist on this machine. The data field contains the error number.
8/10/2011 8:10:26 AM, error: PlugPlayManager [12] - The device 'HL-DT-ST DVD+-RW GH30N' (IDE\CdRomHL-DT-ST_DVD+-RW_GH30N__________________A102____\5&384a886&0&0.0.0) disappeared from the system without first being prepared for removal.
.
==== End Of File ===========================

END ATTACH.txt
============================================

Report.txt From RKUnHooker

RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xB8EAC000 C:\WINDOWS\system32\DRIVERS\igxpmp32.sys 5763072 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0xA8190000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 4550656 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)
0xBF1F2000 C:\WINDOWS\System32\igxpdx32.DLL 2732032 bytes (Intel Corporation, DirectDraw® Driver for Intel® Graphics Technology)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2154496 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2154496 bytes
0x804D7000 RAW 2154496 bytes
0x804D7000 WMIxWDM 2154496 bytes
0xBF800000 Win32k 1871872 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1871872 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xBF04E000 C:\WINDOWS\System32\igxpdv32.DLL 1720320 bytes (Intel Corporation, Component GHAL Driver)
0xB9E44000 iaStor.sys 815104 bytes (Intel Corporation, Intel Matrix Storage Manager driver - ia32)
0xB9D00000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xA6A33000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB9DA4000 mfehidk.sys 450560 bytes (McAfee, Inc., McAfee Link Driver)
0xB8CA4000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xA6B53000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0x9D331000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xB8D32000 C:\WINDOWS\system32\drivers\mfefirek.sys 331776 bytes (McAfee, Inc., McAfee Core Firewall Engine Driver)
0xBF48D000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB8E57000 C:\WINDOWS\system32\DRIVERS\e1e5132.sys 266240 bytes (Intel Corporation, Intel® PRO/1000 Adapter NDIS 5.2 deserialized driver)
0x9BE3F000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB8D02000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0x9D51B000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB9CD3000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0x9AD83000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xA6AA3000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xBF024000 C:\WINDOWS\System32\igxpgd32.dll 172032 bytes (Intel Corporation, Intel Graphics 2D Driver)
0xB8D83000 C:\WINDOWS\system32\drivers\mfeavfk.sys 172032 bytes (McAfee, Inc., Anti-Virus File System Filter Driver)
0xB8E0B000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xA6AF0000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB9F23000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xA6B18000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0x9ADD6000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xA816C000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB8E33000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB8DE8000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xA6ACE000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806E5000 ACPI_HAL 134528 bytes
0x806E5000 C:\WINDOWS\system32\hal.dll 134528 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB9E24000 fltMgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB9F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0x9C362000 C:\WINDOWS\system32\drivers\mfeapfk.sys 114688 bytes (McAfee, Inc., Access Protection Filter Driver)
0xB9CB9000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB9F0B000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0x9D5D3000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xB9D8D000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB8DBE000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xA6B3E000 C:\WINDOWS\system32\drivers\mfetdi2k.sys 86016 bytes (McAfee, Inc., Anti-Virus Mini-Firewall Driver)
0x9D596000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB8E98000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xA6BAC000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xB8DD5000 C:\WINDOWS\system32\DRIVERS\mfendisk.sys 77824 bytes (McAfee, Inc., McAfee NDIS Intermediate Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xBF012000 C:\WINDOWS\System32\igxprd32.dll 73728 bytes (Intel Corporation, Intel Graphics 2D Rotation Driver)
0xB9E12000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB8DAD000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xBA1A8000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xB94BB000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA2E8000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xB94AB000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xA76B7000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xBA1E8000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0x9CB81000 C:\WINDOWS\system32\drivers\cfwids.sys 53248 bytes (McAfee, Inc., McAfee Personal Firewall IDS Plugin)
0xBA0E8000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0x9C7C4000 C:\WINDOWS\system32\drivers\mfebopk.sys 53248 bytes (McAfee, Inc., Buffer Overflow Protection Driver)
0xB949B000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xBA0C8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xB947B000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xA6C1F000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA1D8000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xBA0B8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xB948B000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xBA0A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xB943B000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xB945B000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0x9AE57000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0xBA0D8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xBA2A8000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xBA1C8000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xB946B000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xA6C2F000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xBA0F8000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xA6C0F000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xA6CCC000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xBA460000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xBA468000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xBA408000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0x9D7C2000 C:\DOCUME~1\Jon\LOCALS~1\Temp\mbr.sys 28672 bytes
0xBA328000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xBA498000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xBA4A0000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xBA458000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xA6CDC000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xA6CD4000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBA330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xBA488000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xBA490000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xBA480000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xBA450000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xA6D7C000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB9C95000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xA2447000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xBA4B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xA5271000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xB9C49000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xB8C84000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes (Microsoft Corporation, I2O Utility Filter)
0xB985F000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xBA588000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xB9C61000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xBA620000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBA5AC000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xBA5F6000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xBA61E000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xBA5A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xBA622000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xBA624000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBA64E000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xBA654000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBA5AA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBA74D000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xBA745000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xBA7C9000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xBA670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
0x8B18CA91 Unknown page with executable code, 1391 bytes
0x8B18F860 Unknown page with executable code, 1952 bytes
0x8B18F781 Unknown page with executable code, 2175 bytes
0x8B191718 Unknown page with executable code, 2280 bytes
0x8B1915B1 Unknown page with executable code, 2639 bytes
0x8B18B288 Unknown page with executable code, 3448 bytes
0x8B18D191 Unknown page with executable code, 3695 bytes
0xBA0C8000 WARNING: Virus alike driver modification [VolSnap.sys], 53248 bytes
0x8B18FE7A Unknown thread object [ ETHREAD 0x8B203478 ] TID: 140, 600 bytes
0x8B192008 Unknown thread object [ ETHREAD 0x8B204020 ] TID: 144, 600 bytes
0x8B191CDC Unknown page with executable code, 804 bytes


END RKUNHOOKER and all logs

#5 gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:08:06 AM

Posted 11 August 2011 - 07:15 PM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double-click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#6 jcomp101
  • Topic Starter

  • Members
  • 9 posts
  • Local time:07:06 AM

Posted 12 August 2011 - 02:44 AM

I ran ComboFix as instructed. At first the anti-virus was not disabled, but I fixed that and ComboFix proceeded without incident. It did request to connect to the internet for Windows Restore Point. I was reluctant to do that with no anti-virus, but everything seemed to go well. I have attached the log. Unfortunately, the browser redirect is still there, although the very first time it was not. It continues to work (not redirect) on the 4th attempt. The printer is working fine as previously discussed. Here is the ComboFix log:


ComboFix 11-08-11.06 - Jon 08/11/2011 23:52:50.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3061.1783 [GMT -7:00]
Running from: c:\documents and settings\Jon\My Documents\Downloads\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Jon\Application Data\Adobe\plugs
c:\documents and settings\Jon\Application Data\Adobe\plugs\mmc85.exe
c:\documents and settings\Jon\Application Data\Adobe\shed
c:\documents and settings\Jon\Application Data\Adobe\shed\thr1.chm
c:\documents and settings\Jon\Application Data\avdrn.dat
c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\ep4vswg1.default\extensions\{7646ffeb-2a44-45d6-9ea1-fedfe709cd42}
c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\ep4vswg1.default\extensions\{7646ffeb-2a44-45d6-9ea1-fedfe709cd42}\chrome.manifest
c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\ep4vswg1.default\extensions\{7646ffeb-2a44-45d6-9ea1-fedfe709cd42}\chrome\xulcache.jar
c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\ep4vswg1.default\extensions\{7646ffeb-2a44-45d6-9ea1-fedfe709cd42}\defaults\preferences\xulcache.js
c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\ep4vswg1.default\extensions\{7646ffeb-2a44-45d6-9ea1-fedfe709cd42}\install.rdf
c:\documents and settings\Jon\Desktop\Setup.exe
c:\documents and settings\Jon\g2mdlhlpx.exe
c:\documents and settings\Jon\jvvpmdtqrd.tmp
c:\documents and settings\Jon\Start Menu\Programs\Windows XP Restore
c:\documents and settings\Jon\Start Menu\Programs\Windows XP Restore\Uninstall Windows XP Restore.lnk
c:\documents and settings\Jon\Start Menu\Programs\Windows XP Restore\Windows XP Restore.lnk
c:\documents and settings\Jon\WINDOWS
c:\windows\AutoRun.ini
c:\windows\ST6UNST.000
c:\windows\system32\Cache
c:\windows\XSxS
.
.
((((((((((((((((((((((((( Files Created from 2011-07-12 to 2011-08-12 )))))))))))))))))))))))))))))))
.
.
2011-08-12 05:56 . 2011-08-12 06:33 -------- d-----w- C:\Poulos
2011-08-10 23:17 . 2011-08-10 23:19 -------- d-----w- c:\documents and settings\Jon\Application Data\Image Zone Express
2011-08-10 23:14 . 2011-08-10 23:14 -------- d-----w- c:\program files\Common Files\HP
2011-08-09 00:16 . 2011-08-09 00:16 -------- d-----w- c:\documents and settings\Jon\Application Data\ElevatedDiagnostics
2011-08-08 15:11 . 2011-08-08 15:11 -------- d-----w- c:\program files\Elemental Trader 1.5
2011-08-08 15:11 . 2011-03-04 01:55 635392 ----a-w- c:\windows\system32\authorize.dll
2011-08-08 15:04 . 2011-08-08 15:04 -------- d-----w- C:\ElemTrader
2011-07-23 17:00 . 2011-03-13 18:42 24376 ---ha-w- c:\program files\Mozilla Firefox\distribution\bundles\{D19CA586-DD6C-4a0a-96F8-14644F340D60}\components\scriptff.dll
2011-07-15 06:43 . 2011-07-15 06:43 -------- d-----w- C:\Harricharin
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-15 13:29 . 2008-04-25 16:16 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2008-04-25 16:16 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2008-04-25 21:26 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2008-04-25 16:16 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2008-04-25 16:16 43520 ------w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2008-04-25 16:16 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2008-04-25 16:16 385024 ------w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2008-04-25 16:16 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-16 19:50 . 2009-12-23 09:48 187328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCSExpress\9.0\1033\ResourceCache.dll
2011-06-16 19:50 . 2009-12-23 09:47 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2011-06-11 10:47 . 2011-06-11 10:47 743760 ----a-w- c:\windows\system32\msvcp100d.dll
2011-06-11 10:47 . 2011-06-11 10:47 1505104 ----a-w- c:\windows\system32\msvcr100d.dll
2011-06-11 10:41 . 2011-06-11 10:41 7124816 ----a-w- c:\windows\system32\mfc100ud.dll
2011-06-11 10:41 . 2011-06-11 10:41 7055696 ----a-w- c:\windows\system32\mfc100d.dll
2011-06-11 10:41 . 2011-06-11 10:41 105296 ----a-w- c:\windows\system32\mfcm100ud.dll
2011-06-11 10:41 . 2011-06-11 10:41 103760 ----a-w- c:\windows\system32\mfcm100d.dll
2011-06-11 10:32 . 2011-06-11 10:32 87888 ----a-w- c:\windows\system32\vcomp100d.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-17 16132608]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-17 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-17 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-17 138008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-21 136600]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2010-02-09 1807680]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-01-30 206064]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"QwestTouchPointAgent"="c:\program files\Qwest\Desktop\QwestTouchPointAgent.exe" [2011-01-25 45992]
"QuickCare"="c:\program files\Qwest\Quickcare\bin\sprtcmd.exe" [2010-01-16 206120]
"Freecorder FLV Service"="c:\program files\Freecorder\FLVSrvc.exe" [2011-03-24 167936]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-06-23 1306728]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
MiniEYE-MiniREAD Launch.lnk - c:\program files\Infinite Mind LC\eyeQ\ARLaunch.exe [2011-5-3 323584]
PKZIP Attachments Status.lnk - c:\program files\PKWARE\PKZIPM\12.51.0004\PKTray.exe [2009-6-27 305488]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-04-21 16:20 10536 ---ha-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Qwest\\QuickConnect\\QuickConnect.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [6/2/2011 10:19 AM 89368]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [6/2/2011 10:19 AM 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [6/2/2011 10:19 AM 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [6/2/2011 10:19 AM 214904]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [6/2/2011 10:19 AM 159832]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [6/2/2011 9:54 AM 148520]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [3/19/2009 2:07 PM 1213728]
R2 sprtsvc_quickcare;SupportSoft Sprocket Service (quickcare);c:\program files\Qwest\Quickcare\bin\sprtsvc.exe [4/11/2011 10:30 PM 206120]
R2 tgsrvc_quickcare;SupportSoft Repair Service (quickcare);c:\program files\Qwest\Quickcare\bin\tgsrvc.exe [4/11/2011 10:30 PM 185640]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [6/2/2011 10:19 AM 57432]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [6/2/2011 10:19 AM 337912]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [6/2/2011 10:19 AM 83688]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 MsDepSvc;Web Deployment Agent Service;c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe [4/1/2011 8:17 PM 67400]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [6/2/2011 10:19 AM 83688]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [6/2/2011 10:19 AM 85984]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/22/2009 8:08 PM 47128]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [3/30/2009 3:09 AM 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [3/30/2009 3:23 AM 366936]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - BLACKBOX
*Deregistered* - BlackBox
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
FF - ProfilePath - c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\ep4vswg1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoofinance.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-3Z1Y3ZXH5C1H8B9XH - c:\usxxxxxxxx\usxxxxxxxx.exe
HKCU-Run-vGJlwIuWtiWKYpr - c:\documents and settings\All Users\Application Data\vGJlwIuWtiWKYpr.exe
HKCU-Run-aNltCtwlp9e6 - c:\docume~1\ALLUSE~1\APPLIC~1\aNltCtwlp9e6.exe
AddRemove-McAfee Virtual Technician - c:\program files\McAfee\Supportability\MVT\MVTInstaller.exe
AddRemove-4279642686.www.tc2000.com - c:\program files\Microsoft Silverlight\4.0.51204.0\Silverlight.Configuration.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-11 23:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MsDepSvc]
"ImagePath"="\"c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe\" -runService:MsDepSvc"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1072)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\windows\system32\msacm32.drv
.
Completion time: 2011-08-11 23:59:21
ComboFix-quarantined-files.txt 2011-08-12 06:59
.
Pre-Run: 251,252,486,144 bytes free
Post-Run: 253,508,108,288 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 7A3B80DBECC2F44D267F2DAE74C57FE2

#7 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:08:06 AM

Posted 12 August 2011 - 02:48 AM

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#8 jcomp101
  • Topic Starter
  • Members
  • 9 posts
  • Local time:07:06 AM

Posted 12 August 2011 - 05:06 PM

Wow that fixed the issue! I googled results about 20 times before I wrote you, and didn't get one redirect. Thanks a million! The first time I ran TDSSKiller, it detected an infection. I followed your instructions, and clicked continue.
After the reboot, I ran the tool again, this time no infections. Then I tried using the browser as described. I REALLY appreciate your help. You people are doing a great service! Below is the final log. Thanks again!


2011/08/12 14:44:47.0343 4724 TDSS rootkit removing tool 2.5.15.0 Aug 11 2011 16:32:13
2011/08/12 14:44:48.0125 4724 ================================================================================
2011/08/12 14:44:48.0125 4724 SystemInfo:
2011/08/12 14:44:48.0125 4724
2011/08/12 14:44:48.0125 4724 OS Version: 5.1.2600 ServicePack: 3.0
2011/08/12 14:44:48.0125 4724 Product type: Workstation
2011/08/12 14:44:48.0125 4724 ComputerName: DELL2009XP
2011/08/12 14:44:48.0125 4724 UserName: Jon
2011/08/12 14:44:48.0125 4724 Windows directory: C:\WINDOWS
2011/08/12 14:44:48.0125 4724 System windows directory: C:\WINDOWS
2011/08/12 14:44:48.0125 4724 Processor architecture: Intel x86
2011/08/12 14:44:48.0125 4724 Number of processors: 2
2011/08/12 14:44:48.0125 4724 Page size: 0x1000
2011/08/12 14:44:48.0125 4724 Boot type: Normal boot
2011/08/12 14:44:48.0125 4724 ================================================================================
2011/08/12 14:44:49.0296 4724 Initialize success
2011/08/12 14:44:51.0609 4792 ================================================================================
2011/08/12 14:44:51.0609 4792 Scan started
2011/08/12 14:44:51.0609 4792 Mode: Manual;
2011/08/12 14:44:51.0609 4792 ================================================================================
2011/08/12 14:44:58.0328 4792 ================================================================================
2011/08/12 14:44:58.0328 4792 Scan finished
2011/08/12 14:44:58.0328 4792 ================================================================================
2011/08/12 14:44:58.0343 4784 Detected object count: 0
2011/08/12 14:44:58.0343 4784 Actual detected object count: 0

#9 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 12 August 2011 - 07:42 PM

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add/remove programs
click on the following programs

Adobe Reader 9.4.5

and click on remove

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.
Your Java is out of date.

It can be updated by the Java control panel
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts

Clear your Java Cache

  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

TFC (Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


If you have problems running Hijackthis.

Sometimes we have to run it like this. To run HijackThis as an administrator,
right-click HijackThis.exe (located at C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select Run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#10 jcomp101 (Topic Starter, Members, 9 posts)

Posted 13 August 2011 - 06:06 PM

I have completed all steps requested, I believe. I ran the tools and posted the logs below. The Malware tool did find another infection and removed it. The computer seems to be working fine, as it was the last time, but I'm glad we got rid of one more infection. I hadn't updated Java for a while because previously I'd had a tool bar that caused some problems. Also today, I ran the Malware tool again (no infections). However the first time it locked everything up. I couldn't do anything, even though I just repeated what I did before. After disconnecting from the internet, thankfully everything started working again. Windows Messenger can be a real pain too. I plan to periodically run the Malware tool to check for things my regular anti-virus doesn't seem to find. Thanks again for all your help.


Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7452

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/12/2011 8:57:11 PM
mbam-log-2011-08-12 (20-57-11).txt

Scan type: Quick scan
Objects scanned: 188302
Time elapsed: 7 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\usxxxxxxxx (Trojan.SpyEyes) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)


==========================================================================

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:00:59 PM, on 8/12/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Qwest\Desktop\QwestTouchPointAgent.exe
C:\Program Files\Qwest\Quickcare\bin\sprtcmd.exe
C:\Program Files\Freecorder\FLVSrvc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
C:\Program Files\PKWARE\PKZIPM\12.51.0004\PKTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Qwest\Quickcare\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Qwest\Quickcare\bin\tgsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Jon\My Documents\Downloads\Tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=ZUGO&form=ZGAPHP
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USCON/1
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://g.msn.com/USCON/1
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110723100019.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Dell DataSafe Online] "C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe" /m
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QwestTouchPointAgent] "C:\Program Files\Qwest\Desktop\QwestTouchPointAgent.exe" /autostart
O4 - HKLM\..\Run: [QuickCare] C:\Program Files\Qwest\Quickcare\bin\sprtcmd.exe /P QuickCare
O4 - HKLM\..\Run: [Freecorder FLV Service] "C:\Program Files\Freecorder\FLVSrvc.exe" /run
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MiniEYE-MiniREAD Launch.lnk = C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
O4 - Global Startup: PKZIP Attachments Status.lnk = C:\Program Files\PKWARE\PKZIPM\12.51.0004\PKTray.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O18 - Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\mcsniepl.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SupportSoft Sprocket Service (quickcare) (sprtsvc_quickcare) - SupportSoft, Inc. - C:\Program Files\Qwest\Quickcare\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: SupportSoft Repair Service (quickcare) (tgsrvc_quickcare) - SupportSoft, Inc. - C:\Program Files\Qwest\Quickcare\bin\tgsrvc.exe

--
End of file - 11733 bytes

#11 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 13 August 2011 - 06:42 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded startup entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to; you can start any of them from their icons (or from the Control Panel) when you need them. By stopping these programs you will boot up faster and your computer will work faster.

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
      O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [Freecorder FLV Service] "C:\Program Files\Freecorder\FLVSrvc.exe" /run
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
      O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
      O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
      O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines >here< and see if you want to keep them or not;
    just copy the name between the brackets (as in O4 - HKLM\..\Run: [IntelliPoint]) and paste it into the search space.



If you have any problems running Hijackthis.

Sometimes we have to run it like this. To run HijackThis as an administrator,
right-click HijackThis.exe (located at C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select Run as administrator.


Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go to the ESET web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the activex control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard and paste the results here in this topic
  • You may also find it here: C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic

Gringo
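
The HijackThis review in this reply, and the log posted in #10 that it refers to, lend themselves to a small log-review helper. The code below is an added example and is not part of this thread, of HijackThis, or of any tool named here. It parses the R0/R1, O2 and O4 lines of a HijackThis log and reports the things a reviewer looks at first: a user start page that differs from the machine default, BHOs whose file is missing, startup entries given as a bare file name (resolved through the search PATH), and startup entries that run from outside Windows or Program Files. The sample lines are taken from the log in #10, except the [updater] line, which is constructed and not in that log; STANDARD_DIRS and the checks themselves are this example's assumptions, and a hit means "look this up", not "malicious".

```python
import re
from typing import Dict, List, Tuple

# Added example; HijackThis only lists entries, it does not classify them like this.
# Assumption: on this XP box, legitimate startup entries live under these directories.
STANDARD_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

# First program path in a Run-key command line, quoted or unquoted, with or without arguments.
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|scr|com|bat|cmd))"?', re.IGNORECASE)

LINE_PATTERNS = [
    ("startpage", re.compile(r'^R[01] - (?P<hive>HKCU|HKLM)\\.*Main,Start Page = (?P<url>\S+)$')),
    ("bho", re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$')),
    ("run", re.compile(r'^O4 - (?P<where>HK\w+\\\.\.\\Run(?:Once)?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')),
    ("run", re.compile(r'^O4 - (?P<where>Global Startup): (?P<name>.*?) = (?P<cmd>.*)$')),
]

# Lines copied from the HijackThis log posted above, plus one CONSTRUCTED entry
# (the [updater] line) that is not in that log and only illustrates the path check.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=ZUGO&form=ZGAPHP
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java(TM) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Jon\Application Data\updater.exe
O15 - Trusted Zone: http://*.mcafee.com
"""


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Turn the R0/R1, O2 and O4 lines of a HijackThis log into dicts; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        for kind, rx in LINE_PATTERNS:
            m = rx.match(raw)
            if m:
                entry = {"kind": kind, "raw": raw}
                entry.update(m.groupdict())
                entries.append(entry)
                break
    return entries


def executable_of(cmd: str) -> str:
    """Program path from a Run command line, quoted or not, with or without arguments."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def review(entries: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(reason, line) pairs worth a second look. A hit means 'look this up', not 'malicious'."""
    findings = []
    pages = {e["hive"]: e["url"] for e in entries if e["kind"] == "startpage"}
    if "HKCU" in pages and "HKLM" in pages and pages["HKCU"] != pages["HKLM"]:
        findings.append(("user start page differs from machine default", pages["HKCU"]))
    for e in entries:
        if e["kind"] == "bho" and ("(no file)" in e["path"] or "(file missing)" in e["path"]):
            findings.append(("orphaned BHO: CLSID registered but file absent", e["raw"]))
        elif e["kind"] == "run":
            exe = executable_of(e["cmd"])
            if "\\" not in exe:
                findings.append(("bare file name, resolved through the search PATH", e["raw"]))
            elif not exe.lower().startswith(STANDARD_DIRS):
                findings.append(("runs from outside Windows/Program Files", e["raw"]))
    return findings


if __name__ == "__main__":
    for reason, line in review(parse_hjt(SAMPLE_LOG)):
        print(f"{reason}: {line}")
```

Run against the sample it reports five lines: the HKCU start page, the two BHOs with no file behind them (the orphaned CLSID and the McAfee filter that has been uninstalled), the bare RTHDCPL.EXE entry, and the constructed entry under Application Data. The remaining O4 entries are exactly the ones this reply treats as optional startup clutter rather than something to investigate.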

#12 jcomp101 (Topic Starter, Members, 9 posts)

Posted 15 August 2011 - 03:53 PM

I removed the registry entries as you suggested. At first it appeared the computer locked up on boot up after removing them, but I might have just reacted too early. It seems fine now, and does boot up quicker. I've attached the ESET log. I believe it found about 11 threats, I didn't delete them per your instructions. You are doing a great job, I have control over my machine again.


ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=9066467fc41f314ea58379bf85781879
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-08-15 06:56:46
# local_time=2011-08-14 11:56:46 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=5121 16777189 100 75 1853728 13753485 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=302923
# found=11
# cleaned=0
# scan_time=10584
C:\Qoobox\Quarantine\C\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\ep4vswg1.default\extensions\{7646ffeb-2a44-45d6-9ea1-fedfe709cd42}\chrome\xulcache.jar.vir JS/Agent.NDB trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP736\A0143766.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP736\A0144589.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP736\A0144769.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP737\A0144944.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP738\A0148579.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP739\A0148601.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP740\A0148977.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP741\A0149949.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP773\A0222102.exe probably a variant of MSIL/Agent.NGQ trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP782\A0248186.exe a variant of Win32/Kryptik.REU trojan (unable to clean) 00000000000000000000000000000000 I

#13 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 15 August 2011 - 04:28 PM

Hello

The online scan is only reporting backups created during the course of this fix (C:\Qoobox\Quarantine\) and/or items located in System Restore's cache (C:\System Volume Information\). Whatever is in these folders can't harm you unless you choose to perform a manual restore. The following steps will remove these backups.


Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.

Any programs and logs that are left over can just be deleted from the desktop. TFC is a free temp file cleaner that is very easy to use; I would keep this and use it before you do any scans or when you want to free up some space.

:DeFogger:

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
Your Emulation drivers are now re-enabled.


:Uninstall ComboFix:

  • turn off all active protection software
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box: ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.


:remove tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
  • If asked to restart the computer, please do so
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.


:Make your Internet Explorer more secure:

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialise and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.


:Make Firefox more secure:

please visit this page to explain how to make Firefox more secure - How to Secure Firefox


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector.


:Turn On Automatic Updates:

Turn On Automatic Updates
1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
2. Click the Automatic Updates tab, and then select one of the following options. We recommend that you select Automatic (recommended): Automatically download recommended updates for my computer and install them.

If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

Or visit http://www.windowsupdate.com regularly. This will ensure that your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:

I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly:

  • WinPatrol - As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.
  • Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recommend keeping it and using it often.

Here is some great reading about how to be safer online:

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum
and
COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic




Proud Graduate Of Malware Removal University
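As an added example, not part of Gringo's post or the Microsoft article it paraphrases: a PowerShell script that audits the Automatic Updates setting the sysdm.cpl steps above configure. It reads the AUOptions, ScheduledInstallDay and ScheduledInstallTime values under the WindowsUpdate\Auto Update key, and the Group Policy override under Policies\Microsoft\Windows\WindowsUpdate\AU (these are real registry locations, though the post does not mention them), and reports whether the effective setting is the recommended "download automatically and install on schedule". The function names Get-RegValue and Get-AutoUpdateStatus are my own. Written for PowerShell 2.0 so it also runs on XP once PowerShell is installed.

```powershell
# Added example (not from the BleepingComputer post): audit the Windows Automatic
# Updates configuration that the Control Panel (sysdm.cpl) steps write, and flag
# a machine that is not set to download and install updates automatically.

# Registry locations written by the Control Panel and by Group Policy (real paths)
$auKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Meaning of the documented AUOptions values
$auMeaning = @{
    1 = 'Automatic Updates disabled'
    2 = 'Notify before download'
    3 = 'Download automatically, notify before install'
    4 = 'Download automatically and install on schedule (recommended)'
}
# ScheduledInstallDay: 0 = every day, 1..7 = Sunday..Saturday
$days = @('Every day', 'Sunday', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday')

function Get-RegValue([string]$Path, [string]$Name) {
    # Hypothetical helper: returns $null when the key or value is absent instead of throwing
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

function Get-AutoUpdateStatus {
    # Hypothetical helper: a policy setting, when present, overrides the Control Panel choice
    $policyNoAuto = Get-RegValue $policyKey 'NoAutoUpdate'
    $policyOpt    = Get-RegValue $policyKey 'AUOptions'
    $localOpt     = Get-RegValue $auKey 'AUOptions'

    if ($policyNoAuto -eq 1) {
        $effective = 1
        $source    = 'Group Policy'
    } elseif ($policyOpt) {
        $effective = [int]$policyOpt
        $source    = 'Group Policy'
    } else {
        $effective = $localOpt
        $source    = 'Control Panel'
    }

    if ($effective) { $meaning = $auMeaning[[int]$effective] } else { $meaning = 'Not configured' }

    $day  = Get-RegValue $auKey 'ScheduledInstallDay'
    $hour = Get-RegValue $auKey 'ScheduledInstallTime'
    if ($day -ne $null -and [int]$day -ge 0 -and [int]$day -le 7) { $dayText = $days[[int]$day] } else { $dayText = 'n/a' }
    if ($hour -ne $null) { $hourText = '{0:00}:00' -f [int]$hour } else { $hourText = 'n/a' }

    # New-Object rather than [pscustomobject] so the script runs under PowerShell 2.0
    New-Object PSObject -Property @{
        EffectiveOption     = $effective
        Meaning             = $meaning
        ConfiguredBy        = $source
        InstallDay          = $dayText
        InstallHour         = $hourText
        MeetsRecommendation = ($effective -eq 4)
    }
}

$status = Get-AutoUpdateStatus
$status | Format-List EffectiveOption, Meaning, ConfiguredBy, InstallDay, InstallHour, MeetsRecommendation
if (-not $status.MeetsRecommendation) {
    Write-Warning 'Automatic Updates is not set to download and install automatically; repeat the sysdm.cpl steps.'
}
```

Run it from an elevated PowerShell prompt after changing the setting: the Control Panel writes AUOptions = 4 for the recommended choice, so MeetsRecommendation should read True, and the InstallDay/InstallHour fields show the schedule you picked. A Group Policy value in the Policies key wins over the Control Panel choice, which is why the script reports where the effective setting came from.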

#14 jcomp101

jcomp101
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:06 AM

Posted 17 August 2011 - 01:23 AM

Followed all steps. Machine is running fine. Thank You!!

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:06 AM

Posted 17 August 2011 - 07:32 AM

You are most welcome


gringo
