
Windows Defender Problem


This topic is locked
8 replies to this topic

#1 dyjodapa

Posted 23 April 2012 - 07:45 PM

Hi,

I started a topic earlier today on an error my friend was getting on his computer. It was a Windows Defender error. It read "Application failed to initialize: 0x80070006. The handle is invalid." I was instructed by kisk to look under services and disable Windows Defender. Windows Defender was not there. So then he instructed me to follow the Malware Removal Log instructions. The whole topic is right here: http://www.bleepingcomputer.com/forums/topic451188.html/page__pid__2676271#entry2676271. Here are my logs:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.6001.18000
Run by Dylan at 19:14:03 on 2012-04-23
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.2036.1004 [GMT -5:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\AERTSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\ParetoLogic\FileCure\FileCure.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Ask.com\Updater\Updater.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\PC Speed Maximizer\SPMReminder.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\system32\Macromed\Flash\FlashUtil11c_ActiveX.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.search.yahoo.com/?fr=w3i&type=W3i_SP,204,0_0,StartPage,20111251,16897,0,5,0
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
uURLSearchHooks: YTNavAssistPlugin Class: {81017ea9-9aa8-4a6a-9734-7af40e7d593f} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Shopping Assistant Plugin: {1631550f-191d-4826-b069-d9439253d926} - c:\program files\pricegong\2.5.3\PriceGongIE.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Fast Search: {5ab7104a-b71f-49ad-9154-f7f8806ae848} - c:\program files\surf canyon\surfcanyon.dll
BHO: PodcastBHO Class: {65134fdf-f8a5-4b3d-91d9-cdf273cfd578} - c:\program files\common files\doubletwist\IEPodcastPlugin.dll
BHO: StartNow Toolbar Helper: {6e13d095-45c3-4271-9475-f3b48227dd9f} - c:\program files\startnow toolbar\Toolbar32.dll
BHO: Special Savings: {74f475fa-6c75-43bd-aab9-ecda6184f600} - c:\program files\superfish\special savings\SpecialSavings.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110801113639.dll
BHO: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\mi1933~1\office14\URLREDIR.DLL
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: WeCareReminder Class: {d824f0de-3d60-4f57-9eb1-66033ecd8abb} - c:\programdata\wecarereminder\IEHelperv2.5.0.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers client\YontooIEClient.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB: StartNow Toolbar: {5911488e-9d1e-40ec-8cbb-06b231cc153f} - c:\program files\startnow toolbar\Toolbar32.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PC Speed Maximizer] c:\program files\pc speed maximizer\SPMLauncher.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil11c_ActiveX.exe -update activex
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [TaskTray]
mRun: [<NO NAME>]
mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\mi1933~1\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {A69A551A-1AAE-4B67-8C2E-52F8B8A19504} - {A69A551A-1AAE-4B67-8C2E-52F8B8A19504} - c:\program files\superfish\special savings\SpecialSavings.dll
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://oas.support.microsoft.com/ActiveX/MSDcode.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - hxxps://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{0870FCDC-3EA9-42E0-8DFB-7213CC61B1C6} : DhcpNameServer = 192.168.1.1
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-1-5 459728]
R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2010-2-10 64648]
R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-7-23 163400]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2010-2-10 54776]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
R2 iPodDrv;iPodDrv;c:\windows\system32\drivers\iPodDrv.sys [2011-7-27 6656]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-5-17 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-5-17 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-5-17 214904]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-5-17 214904]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-2-10 165000]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-2-10 159832]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-2-10 148520]
R2 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-1-24 229688]
R2 Updater Service for StartNow Toolbar;Updater Service for StartNow Toolbar;c:\program files\startnow toolbar\ToolbarUpdaterService.exe [2011-5-20 210144]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-2-10 57432]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-2-10 179248]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-2-10 59288]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-2-10 337912]
R3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2006-11-2 987648]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2006-11-2 251904]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-4 135664]
S3 GamesAppService;GamesAppService;c:\program files\wildtangent games\app\GamesAppService.exe [2010-10-12 206072]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-3-4 135664]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-2-10 85984]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-2-10 89368]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2012-04-04 20:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-14 17:09:44 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX
.
============= FINISH: 19:14:58.70 ===============



.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Basic
Boot Device: \Device\HarddiskVolume3
Install Date: 2/2/2010 7:04:28 PM
System Uptime: 4/23/2012 5:52:55 PM (2 hours ago)
.
Motherboard: Dell Inc. | | 0RY007
Processor: Intel® Pentium® Dual CPU E2160 @ 1.80GHz | Socket 775 | 1800/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 223 GiB total, 110.605 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 6.197 GiB free.
E: is CDROM ()
H: is Removable
I: is Removable
J: is Removable
K: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description: Ethernet Controller
Device ID: PCI\VEN_8086&DEV_10C0&SUBSYS_020D1028&REV_02\3&2411E6FE&0&C8
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_8086&DEV_10C0&SUBSYS_020D1028&REV_02\3&2411E6FE&0&C8
Service:
.
Class GUID:
Description: SM Bus Controller
Device ID: PCI\VEN_8086&DEV_2930&SUBSYS_020D1028&REV_02\3&2411E6FE&0&FB
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_8086&DEV_2930&SUBSYS_020D1028&REV_02\3&2411E6FE&0&FB
Service:
.
==== System Restore Points ===================
.
RP1422: 3/26/2012 12:00:05 AM - Scheduled Checkpoint
RP1424: 3/27/2012 12:00:03 AM - Scheduled Checkpoint
RP1426: 3/28/2012 12:00:03 AM - Scheduled Checkpoint
RP1428: 3/29/2012 12:00:07 AM - Scheduled Checkpoint
RP1430: 3/30/2012 12:00:08 AM - Scheduled Checkpoint
RP1432: 3/31/2012 12:00:07 AM - Scheduled Checkpoint
RP1434: 4/1/2012 12:00:08 AM - Scheduled Checkpoint
RP1436: 4/2/2012 12:00:08 AM - Scheduled Checkpoint
RP1438: 4/3/2012 12:00:04 AM - Scheduled Checkpoint
RP1440: 4/4/2012 12:00:02 AM - Scheduled Checkpoint
RP1442: 4/5/2012 12:00:07 AM - Scheduled Checkpoint
RP1444: 4/6/2012 12:00:05 AM - Scheduled Checkpoint
RP1446: 4/7/2012 12:00:05 AM - Scheduled Checkpoint
RP1448: 4/9/2012 11:37:27 AM - Scheduled Checkpoint
RP1450: 4/10/2012 8:40:17 PM - Scheduled Checkpoint
RP1452: 4/11/2012 3:00:19 AM - Windows Update
RP1454: 4/12/2012 12:00:06 AM - Scheduled Checkpoint
RP1456: 4/13/2012 12:00:02 AM - Scheduled Checkpoint
RP1458: 4/14/2012 12:00:04 AM - Scheduled Checkpoint
RP1460: 4/23/2012 6:32:12 PM - Scheduled Checkpoint
.
==== Installed Programs ======================
.
7-Zip 9.20
Acrobat.com
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Reader 9.3
Adobe Shockwave Player 11.5
AGEIA PhysX v2.6.0
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
Ask Toolbar Updater
ASPCA TriMini Reminder by We-Care.com v5.0.2.1
Bonjour
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Direct Show Ogg Vorbis Filter (remove only)
doubleTwist
Driver Performer
Fast Search
ffdshow [rev 2527] [2008-12-19]
FoxTab Media Player
Google Chrome
Google Update Helper
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
IMVU Avatar Chat Software
Intel® Graphics Media Accelerator Driver
iTunes
Java Auto Updater
Java™ 6 Update 18
John Deere Drive Green
LEGO Universe
MagiQuest Online (remove only)
Mall Tycoon 3
Malwarebytes Anti-Malware version 1.61.0.1400
McAfee Online Backup
McAfee Security Scan Plus
McAfee Total Protection
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Easy Assist v2
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Home and Student 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Single Image 2010
Microsoft Office Word MUI (English) 2010
Microsoft Silverlight
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Mini Ninjas 1.0
MSVCRT
OpenAL
ParetoLogic FileCure
PC Speed Maximizer v3.0
Plants vs. Zombies
PriceGong 2.5.3
Python 2.7.2
QuickTime
Real Detectives - Murder in Miami
Realtek High Definition Audio Driver
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft Office 2010 (KB2553091)
Security Update for Microsoft Office 2010 (KB2553096)
Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2598039) 32-Bit Edition
Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition
Security Update for Microsoft Visio Viewer 2010 (KB2597170) 32-Bit Edition
Skype™ 4.2
Sonic 3D Blast
Special Savings
StartNow Toolbar
The Weather Channel Desktop 6
UCreate Games and Artimation
UK Truck Simulator 1.06
Unity Web Player
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Excel 2010 (KB2553439) 32-Bit Edition
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553385) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2597091) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2553248) 32-Bit Edition
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
Update Installer for WildTangent Games App
WildTangent Games
WildTangent Games App
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Live Upload Tool
World Cup Cricket 20-20
Yahoo! Software Update
Yahoo! Toolbar
Yontoo Layers Runtime 1.10.01
Zoo Tycoon 2 - Ultimate Collection
.
==== Event Viewer Messages From Past Week ========
.
4/23/2012 5:53:11 PM, Error: EventLog [6008] - The previous system shutdown at 8:57:26 PM on 4/14/2012 was unexpected.
.
==== End Of File ===========================



GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-23 19:38:20
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST3250310AS rev.3.ADA
Running: 4v9n7v84.exe; Driver: C:\Users\Dylan\AppData\Local\Temp\pgloapow.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x82A49D48]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x82A49D72]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x82A49D5E]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x82A49D34]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 8245D1A0 5 Bytes JMP 82A49D38 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 826192F0 5 Bytes JMP 82A49D76 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 8265AAFE 7 Bytes JMP 82A49D4C \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 8265B155 5 Bytes JMP 82A49D62 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
? C:\Users\Dylan\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\services.exe[652] kernel32.dll!CreateProcessA 77321C36 5 Bytes JMP 00140F21
.text C:\Windows\system32\services.exe[652] kernel32.dll!VirtualProtect 77321DD1 5 Bytes JMP 00140075
.text C:\Windows\system32\services.exe[652] kernel32.dll!CreateNamedPipeW 77325C44 5 Bytes JMP 00140036
.text C:\Windows\system32\services.exe[652] kernel32.dll!LoadLibraryExW 7734374A 5 Bytes JMP 00140064
.text C:\Windows\system32\services.exe[652] kernel32.dll!LoadLibraryW 7734382D 5 Bytes JMP 00140047
.text C:\Windows\system32\services.exe[652] kernel32.dll!VirtualProtectEx 77348F5E 5 Bytes JMP 00140F80
.text C:\Windows\system32\services.exe[652] kernel32.dll!LoadLibraryExA 77349649 5 Bytes JMP 00140FA5
.text C:\Windows\system32\services.exe[652] kernel32.dll!LoadLibraryA 77349671 5 Bytes JMP 00140FC0
.text C:\Windows\system32\services.exe[652] kernel32.dll!CreatePipe 77350474 5 Bytes JMP 00140F6F
.text C:\Windows\system32\services.exe[652] kernel32.dll!GetProcAddress 7736BAC6 5 Bytes JMP 00140F10
.text C:\Windows\system32\services.exe[652] kernel32.dll!CreateFileW 7736CE4E 5 Bytes JMP 00140FEF
.text C:\Windows\system32\services.exe[652] kernel32.dll!CreateFileA 7736D171 5 Bytes JMP 0014000A
.text C:\Windows\system32\services.exe[652] kernel32.dll!CreateNamedPipeA 773B462E 5 Bytes JMP 0014001B
.text C:\Windows\system32\services.exe[652] kernel32.dll!WinExec 773B580B 5 Bytes JMP 00140F32
.text C:\Windows\system32\services.exe[652] ADVAPI32.dll!RegCreateKeyExA 75FFB5E7 5 Bytes JMP 00820F61
.text C:\Windows\system32\services.exe[652] ADVAPI32.dll!RegCreateKeyA 75FFB8AE 5 Bytes JMP 00820F97
.text C:\Windows\system32\services.exe[652] ADVAPI32.dll!RegOpenKeyA 76000BF5 5 Bytes JMP 00820FEF
.text C:\Windows\system32\services.exe[652] ADVAPI32.dll!RegCreateKeyW 7600B83D 5 Bytes JMP 00820F7C
.text C:\Windows\system32\services.exe[652] ADVAPI32.dll!RegCreateKeyExW 7600BCE1 5 Bytes JMP 0082001E
.text C:\Windows\system32\services.exe[652] ADVAPI32.dll!RegOpenKeyExA 7600D4E8 5 Bytes JMP 00820FB9
.text C:\Windows\system32\services.exe[652] ADVAPI32.dll!RegOpenKeyW 76013CB0 5 Bytes JMP 00820FD4
.text C:\Windows\system32\services.exe[652] ADVAPI32.dll!RegOpenKeyExW 7601F09D 5 Bytes JMP 00820FA8
.text C:\Windows\system32\services.exe[652] msvcrt.dll!_wsystem 75E38A47 5 Bytes JMP 0081004E
.text C:\Windows\system32\services.exe[652] msvcrt.dll!system 75E38B63 5 Bytes JMP 00810033
.text C:\Windows\system32\services.exe[652] msvcrt.dll!_creat 75E3C6F1 5 Bytes JMP 00810FDE
.text C:\Windows\system32\services.exe[652] msvcrt.dll!_open 75E3DA7E 5 Bytes JMP 00810FEF
.text C:\Windows\system32\services.exe[652] msvcrt.dll!_wcreat 75E3DC9E 5 Bytes JMP 00810FC3
.text C:\Windows\system32\services.exe[652] msvcrt.dll!_wopen 75E3DE79 5 Bytes JMP 00810018
.text C:\Windows\system32\services.exe[652] WS2_32.dll!socket 76C136D1 5 Bytes JMP 00940000
.text C:\Windows\system32\lsass.exe[664] ntdll.dll!NtCreateFile 77457C78 5 Bytes JMP 001D0FEF
.text C:\Windows\system32\lsass.exe[664] ntdll.dll!NtCreateProcess 77457D38 5 Bytes JMP 001D0000
.text C:\Windows\system32\lsass.exe[664] ntdll.dll!NtProtectVirtualMemory 774585D8 5 Bytes JMP 001D0FD4
.text C:\Windows\system32\lsass.exe[664] kernel32.dll!GetStartupInfoW 77321929 5 Bytes JMP 001B00D1
.text C:\Windows\system32\lsass.exe[664] kernel32.dll!GetStartupInfoA 773219C9 5 Bytes JMP 001B0F81
.text C:\Windows\system32\lsass.exe[664] kernel32.dll!CreateProcessW 77321C01 5 Bytes JMP 001B0F4E
.text C:\Windows\system32\lsass.exe[664] kernel32.dll!CreateProcessA 77321C36 5 Bytes JMP 001B0F5F
.text C:\Windows\system32\lsass.exe[664] kernel32.dll!VirtualProtect 77321DD1 5 Bytes JMP 001B0F92
.text C:\Windows\system32\lsass.exe[664] kernel32.dll!CreateNamedPipeW 77325C44 5 Bytes JMP 001B0025
.text C:\Windows\system32\lsass.exe[664] kernel32.dll!LoadLibraryExW 7734374A 5 Bytes JMP 001B006C
.text C:\Windows\system32\lsass.exe[664] kernel32.dll!LoadLibraryW 7734382D 5 Bytes JMP 001B0040
.text C:\Windows\system32\lsass.exe[664] kernel32.dll!VirtualProtectEx 77348F5E 5 Bytes JMP 001B0091
.text C:\Windows\system32\lsass.exe[664] kernel32.dll!LoadLibraryExA 77349649 5 Bytes JMP 001B005B
.text C:\Windows\system32\lsass.exe[664] kernel32.dll!LoadLibraryA 77349671 5 Bytes JMP 001B0FB9
.text C:\Windows\system32\lsass.exe[664] kernel32.dll!CreatePipe 77350474 5 Bytes JMP 001B00AC
.text C:\Windows\system32\lsass.exe[664] kernel32.dll!GetProcAddress 7736BAC6 5 Bytes JMP 001B0F33
.text C:\Windows\system32\lsass.exe[664] kernel32.dll!CreateFileW 7736CE4E 5 Bytes JMP 001B0FEF
.text C:\Windows\system32\lsass.exe[664] kernel32.dll!CreateFileA 7736D171 5 Bytes JMP 001B0000
.text C:\Windows\system32\lsass.exe[664] kernel32.dll!CreateNamedPipeA 773B462E 5 Bytes JMP 001B0FD4
.text C:\Windows\system32\lsass.exe[664] kernel32.dll!WinExec 773B580B 5 Bytes JMP 001B0F70
.text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!RegCreateKeyExA 75FFB5E7 5 Bytes JMP 00CC0F76
.text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!RegCreateKeyA 75FFB8AE 5 Bytes JMP 00CC0011
.text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!RegOpenKeyA 76000BF5 5 Bytes JMP 00CC0FEF
.text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!RegCreateKeyW 7600B83D 5 Bytes JMP 00CC0022
.text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!RegCreateKeyExW 7600BCE1 5 Bytes JMP 00CC0F5B
.text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!RegOpenKeyExA 7600D4E8 5 Bytes JMP 00CC0FB9
.text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!RegOpenKeyW 76013CB0 5 Bytes JMP 00CC0FCA
.text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!RegOpenKeyExW 7601F09D 5 Bytes JMP 00CC0000
.text C:\Windows\system32\lsass.exe[664] msvcrt.dll!_wsystem 75E38A47 5 Bytes JMP 00920047
.text C:\Windows\system32\lsass.exe[664] msvcrt.dll!system 75E38B63 5 Bytes JMP 00920FBC
.text C:\Windows\system32\lsass.exe[664] msvcrt.dll!_creat 75E3C6F1 5 Bytes JMP 00920011
.text C:\Windows\system32\lsass.exe[664] msvcrt.dll!_open 75E3DA7E 5 Bytes JMP 00920FEF
.text C:\Windows\system32\lsass.exe[664] msvcrt.dll!_wcreat 75E3DC9E 5 Bytes JMP 0092002C
.text C:\Windows\system32\lsass.exe[664] msvcrt.dll!_wopen 75E3DE79 5 Bytes JMP 00920000
.text C:\Windows\system32\lsass.exe[664] WS2_32.dll!socket 76C136D1 5 Bytes JMP 00CD0000
.text C:\Windows\system32\svchost.exe[860] ntdll.dll!NtCreateFile 77457C78 5 Bytes JMP 000D0000
.text C:\Windows\system32\svchost.exe[860] ntdll.dll!NtCreateProcess 77457D38 5 Bytes JMP 000D002C
.text C:\Windows\system32\svchost.exe[860] ntdll.dll!NtProtectVirtualMemory 774585D8 5 Bytes JMP 000D001B
.text C:\Windows\system32\svchost.exe[860] kernel32.dll!GetStartupInfoW 77321929 5 Bytes JMP 000C00D5
.text C:\Windows\system32\svchost.exe[860] kernel32.dll!GetStartupInfoA 773219C9 5 Bytes JMP 000C00BA
.text C:\Windows\system32\svchost.exe[860] kernel32.dll!CreateProcessW 77321C01 5 Bytes JMP 000C0115
.text C:\Windows\system32\svchost.exe[860] kernel32.dll!CreateProcessA 77321C36 5 Bytes JMP 000C0104
.text C:\Windows\system32\svchost.exe[860] kernel32.dll!VirtualProtect 77321DD1 5 Bytes JMP 000C008E
.text C:\Windows\system32\svchost.exe[860] kernel32.dll!CreateNamedPipeW 77325C44 5 Bytes JMP 000C0040
.text C:\Windows\system32\svchost.exe[860] kernel32.dll!LoadLibraryExW 7734374A 5 Bytes JMP 000C007D
.text C:\Windows\system32\svchost.exe[860] kernel32.dll!LoadLibraryW 7734382D 5 Bytes JMP 000C0FCA
.text C:\Windows\system32\svchost.exe[860] kernel32.dll!VirtualProtectEx 77348F5E 5 Bytes JMP 000C0F99
.text C:\Windows\system32\svchost.exe[860] kernel32.dll!LoadLibraryExA 77349649 5 Bytes JMP 000C006C
.text C:\Windows\system32\svchost.exe[860] kernel32.dll!LoadLibraryA 77349671 5 Bytes JMP 000C0051
.text C:\Windows\system32\svchost.exe[860] kernel32.dll!CreatePipe 77350474 5 Bytes JMP 000C00A9
.text C:\Windows\system32\svchost.exe[860] kernel32.dll!GetProcAddress 7736BAC6 5 Bytes JMP 000C0F6D
.text C:\Windows\system32\svchost.exe[860] kernel32.dll!CreateFileW 7736CE4E 5 Bytes JMP 000C001B
.text C:\Windows\system32\svchost.exe[860] kernel32.dll!CreateFileA 7736D171 5 Bytes JMP 000C000A
.text C:\Windows\system32\svchost.exe[860] kernel32.dll!CreateNamedPipeA 773B462E 5 Bytes JMP 000C0FE5
.text C:\Windows\system32\svchost.exe[860] kernel32.dll!WinExec 773B580B 5 Bytes JMP 000C0F7E
.text C:\Windows\system32\svchost.exe[860] msvcrt.dll!_wsystem 75E38A47 5 Bytes JMP 000E0078
.text C:\Windows\system32\svchost.exe[860] msvcrt.dll!system 75E38B63 5 Bytes JMP 000E005D
.text C:\Windows\system32\svchost.exe[860] msvcrt.dll!_creat 75E3C6F1 5 Bytes JMP 000E0027
.text C:\Windows\system32\svchost.exe[860] msvcrt.dll!_open 75E3DA7E 5 Bytes JMP 000E0000
.text C:\Windows\system32\svchost.exe[860] msvcrt.dll!_wcreat 75E3DC9E 5 Bytes JMP 000E0042
.text C:\Windows\system32\svchost.exe[860] msvcrt.dll!_wopen 75E3DE79 5 Bytes JMP 000E0FE3
.text C:\Windows\system32\svchost.exe[860] ADVAPI32.dll!RegCreateKeyExA 75FFB5E7 5 Bytes JMP 0017004A
.text C:\Windows\system32\svchost.exe[860] ADVAPI32.dll!RegCreateKeyA 75FFB8AE 5 Bytes JMP 0017002F
.text C:\Windows\system32\svchost.exe[860] ADVAPI32.dll!RegOpenKeyA 76000BF5 5 Bytes JMP 0017000A
.text C:\Windows\system32\svchost.exe[860] ADVAPI32.dll!RegCreateKeyW 7600B83D 5 Bytes JMP 00170FA8
.text C:\Windows\system32\svchost.exe[860] ADVAPI32.dll!RegCreateKeyExW 7600BCE1 5 Bytes JMP 00170F83
.text C:\Windows\system32\svchost.exe[860] ADVAPI32.dll!RegOpenKeyExA 7600D4E8 5 Bytes JMP 00170FDE
.text C:\Windows\system32\svchost.exe[860] ADVAPI32.dll!RegOpenKeyW 76013CB0 5 Bytes JMP 00170FEF
.text C:\Windows\system32\svchost.exe[860] ADVAPI32.dll!RegOpenKeyExW 7601F09D 5 Bytes JMP 00170FB9
.text C:\Windows\system32\svchost.exe[860] WS2_32.dll!socket 76C136D1 5 Bytes JMP 001C0FE5
.text C:\Windows\system32\svchost.exe[924] ntdll.dll!NtCreateFile 77457C78 5 Bytes JMP 00690FE5
.text C:\Windows\system32\svchost.exe[924] ntdll.dll!NtCreateProcess 77457D38 5 Bytes JMP 00690FC3
.text C:\Windows\system32\svchost.exe[924] ntdll.dll!NtProtectVirtualMemory 774585D8 5 Bytes JMP 00690FD4
.text C:\Windows\system32\svchost.exe[924] kernel32.dll!GetStartupInfoW 77321929 5 Bytes JMP 00680F6D
.text C:\Windows\system32\svchost.exe[924] kernel32.dll!GetStartupInfoA 773219C9 5 Bytes JMP 00680F7E
.text C:\Windows\system32\svchost.exe[924] kernel32.dll!CreateProcessW 77321C01 5 Bytes JMP 006800FA
.text C:\Windows\system32\svchost.exe[924] kernel32.dll!CreateProcessA 77321C36 5 Bytes JMP 006800DF
.text C:\Windows\system32\svchost.exe[924] kernel32.dll!VirtualProtect 77321DD1 5 Bytes JMP 00680073
.text C:\Windows\system32\svchost.exe[924] kernel32.dll!CreateNamedPipeW 77325C44 5 Bytes JMP 00680036
.text C:\Windows\system32\svchost.exe[924] kernel32.dll!LoadLibraryExW 7734374A 5 Bytes JMP 00680FA5
.text C:\Windows\system32\svchost.exe[924] kernel32.dll!LoadLibraryW 7734382D 5 Bytes JMP 00680FC0
.text C:\Windows\system32\svchost.exe[924] kernel32.dll!VirtualProtectEx 77348F5E 5 Bytes JMP 0068008E
.text C:\Windows\system32\svchost.exe[924] kernel32.dll!LoadLibraryExA 77349649 5 Bytes JMP 00680062
.text C:\Windows\system32\svchost.exe[924] kernel32.dll!LoadLibraryA 77349671 5 Bytes JMP 00680047
.text C:\Windows\system32\svchost.exe[924] kernel32.dll!CreatePipe 77350474 5 Bytes JMP 006800A9
.text C:\Windows\system32\svchost.exe[924] kernel32.dll!GetProcAddress 7736BAC6 5 Bytes JMP 0068011F
.text C:\Windows\system32\svchost.exe[924] kernel32.dll!CreateFileW 7736CE4E 5 Bytes JMP 00680000
.text C:\Windows\system32\svchost.exe[924] kernel32.dll!CreateFileA 7736D171 5 Bytes JMP 00680FEF
.text C:\Windows\system32\svchost.exe[924] kernel32.dll!CreateNamedPipeA 773B462E 5 Bytes JMP 00680011
.text C:\Windows\system32\svchost.exe[924] kernel32.dll!WinExec 773B580B 5 Bytes JMP 006800CE
.text C:\Windows\system32\svchost.exe[924] msvcrt.dll!_wsystem 75E38A47 5 Bytes JMP 00720051
.text C:\Windows\system32\svchost.exe[924] msvcrt.dll!system 75E38B63 5 Bytes JMP 0072002C
.text C:\Windows\system32\svchost.exe[924] msvcrt.dll!_creat 75E3C6F1 5 Bytes JMP 00720011
.text C:\Windows\system32\svchost.exe[924] msvcrt.dll!_open 75E3DA7E 5 Bytes JMP 00720000
.text C:\Windows\system32\svchost.exe[924] msvcrt.dll!_wcreat 75E3DC9E 5 Bytes JMP 00720FBC
.text C:\Windows\system32\svchost.exe[924] msvcrt.dll!_wopen 75E3DE79 5 Bytes JMP 00720FD7
.text C:\Windows\system32\svchost.exe[924] ADVAPI32.dll!RegCreateKeyExA 75FFB5E7 5 Bytes JMP 00C70F86
.text C:\Windows\system32\svchost.exe[924] ADVAPI32.dll!RegCreateKeyA 75FFB8AE 5 Bytes JMP 00C70FA1
.text C:\Windows\system32\svchost.exe[924] ADVAPI32.dll!RegOpenKeyA 76000BF5 5 Bytes JMP 00C70FEF
.text C:\Windows\system32\svchost.exe[924] ADVAPI32.dll!RegCreateKeyW 7600B83D 5 Bytes JMP 00C70028
.text C:\Windows\system32\svchost.exe[924] ADVAPI32.dll!RegCreateKeyExW 7600BCE1 5 Bytes JMP 00C70043
.text C:\Windows\system32\svchost.exe[924] ADVAPI32.dll!RegOpenKeyExA 7600D4E8 5 Bytes JMP 00C70FCD
.text C:\Windows\system32\svchost.exe[924] ADVAPI32.dll!RegOpenKeyW 76013CB0 5 Bytes JMP 00C70FDE
.text C:\Windows\system32\svchost.exe[924] ADVAPI32.dll!RegOpenKeyExW 7601F09D 5 Bytes JMP 00C70FB2
.text C:\Windows\system32\svchost.exe[924] WS2_32.dll!socket 76C136D1 5 Bytes JMP 00C80FEF
.text C:\Windows\System32\svchost.exe[1000] ntdll.dll!NtCreateFile 77457C78 5 Bytes JMP 00A90000
.text C:\Windows\System32\svchost.exe[1000] ntdll.dll!NtCreateProcess 77457D38 5 Bytes JMP 00A90FCA
.text C:\Windows\System32\svchost.exe[1000] ntdll.dll!NtProtectVirtualMemory 774585D8 5 Bytes JMP 00A90FE5
.text C:\Windows\System32\svchost.exe[1000] kernel32.dll!GetStartupInfoW 77321929 5 Bytes JMP 00A000B1
.text C:\Windows\System32\svchost.exe[1000] kernel32.dll!GetStartupInfoA 773219C9 5 Bytes JMP 00A00096
.text C:\Windows\System32\svchost.exe[1000] kernel32.dll!CreateProcessW 77321C01 5 Bytes JMP 00A00F49
.text C:\Windows\System32\svchost.exe[1000] kernel32.dll!CreateProcessA 77321C36 5 Bytes JMP 00A000D6
.text C:\Windows\System32\svchost.exe[1000] kernel32.dll!VirtualProtect 77321DD1 5 Bytes JMP 00A00071
.text C:\Windows\System32\svchost.exe[1000] kernel32.dll!CreateNamedPipeW 77325C44 5 Bytes JMP 00A00FB2
.text C:\Windows\System32\svchost.exe[1000] kernel32.dll!LoadLibraryExW 7734374A 5 Bytes JMP 00A00054
.text C:\Windows\System32\svchost.exe[1000] kernel32.dll!LoadLibraryW 7734382D 5 Bytes JMP 00A00028
.text C:\Windows\System32\svchost.exe[1000] kernel32.dll!VirtualProtectEx 77348F5E 5 Bytes JMP 00A00F86
.text C:\Windows\System32\svchost.exe[1000] kernel32.dll!LoadLibraryExA 77349649 5 Bytes JMP 00A00039
.text C:\Windows\System32\svchost.exe[1000] kernel32.dll!LoadLibraryA 77349671 5 Bytes JMP 00A00FA1
.text C:\Windows\System32\svchost.exe[1000] kernel32.dll!CreatePipe 77350474 5 Bytes JMP 00A00F6B
.text C:\Windows\System32\svchost.exe[1000] kernel32.dll!GetProcAddress 7736BAC6 5 Bytes JMP 00A00105
.text C:\Windows\System32\svchost.exe[1000] kernel32.dll!CreateFileW 7736CE4E 5 Bytes JMP 00A00FD4
.text C:\Windows\System32\svchost.exe[1000] kernel32.dll!CreateFileA 7736D171 5 Bytes JMP 00A00FEF
.text C:\Windows\System32\svchost.exe[1000] kernel32.dll!CreateNamedPipeA 773B462E 5 Bytes JMP 00A00FC3
.text C:\Windows\System32\svchost.exe[1000] kernel32.dll!WinExec 773B580B 5 Bytes JMP 00A00F5A
.text C:\Windows\System32\svchost.exe[1000] msvcrt.dll!_wsystem 75E38A47 5 Bytes JMP 007D007A
.text C:\Windows\System32\svchost.exe[1000] msvcrt.dll!system 75E38B63 5 Bytes JMP 007D0FEF
.text C:\Windows\System32\svchost.exe[1000] msvcrt.dll!_creat 75E3C6F1 5 Bytes JMP 007D003A
.text C:\Windows\System32\svchost.exe[1000] msvcrt.dll!_open 75E3DA7E 5 Bytes JMP 007D000C
.text C:\Windows\System32\svchost.exe[1000] msvcrt.dll!_wcreat 75E3DC9E 5 Bytes JMP 007D0055
.text C:\Windows\System32\svchost.exe[1000] msvcrt.dll!_wopen 75E3DE79 5 Bytes JMP 007D001D
.text C:\Windows\System32\svchost.exe[1000] ADVAPI32.dll!RegCreateKeyExA 75FFB5E7 5 Bytes JMP 00ED006C
.text C:\Windows\System32\svchost.exe[1000] ADVAPI32.dll!RegCreateKeyA 75FFB8AE 5 Bytes JMP 00ED0047
.text C:\Windows\System32\svchost.exe[1000] ADVAPI32.dll!RegOpenKeyA 76000BF5 5 Bytes JMP 00ED000A
.text C:\Windows\System32\svchost.exe[1000] ADVAPI32.dll!RegCreateKeyW 7600B83D 5 Bytes JMP 00ED0FCA
.text C:\Windows\System32\svchost.exe[1000] ADVAPI32.dll!RegCreateKeyExW 7600BCE1 5 Bytes JMP 00ED0FAF
.text C:\Windows\System32\svchost.exe[1000] ADVAPI32.dll!RegOpenKeyExA 7600D4E8 5 Bytes JMP 00ED001B
.text C:\Windows\System32\svchost.exe[1000] ADVAPI32.dll!RegOpenKeyW 76013CB0 5 Bytes JMP 00ED0FEF
.text C:\Windows\System32\svchost.exe[1000] ADVAPI32.dll!RegOpenKeyExW 7601F09D 5 Bytes JMP 00ED0036
.text C:\Windows\System32\svchost.exe[1000] WS2_32.dll!socket 76C136D1 5 Bytes JMP 00EE0FEF
.text C:\Windows\System32\svchost.exe[1012] ntdll.dll!NtCreateFile 77457C78 5 Bytes JMP 00080000
.text C:\Windows\System32\svchost.exe[1012] ntdll.dll!NtCreateProcess 77457D38 5 Bytes JMP 00080036
.text C:\Windows\System32\svchost.exe[1012] ntdll.dll!NtProtectVirtualMemory 774585D8 5 Bytes JMP 00080025
.text C:\Windows\System32\svchost.exe[1012] kernel32.dll!GetStartupInfoW 77321929 5 Bytes JMP 00070F35
.text C:\Windows\System32\svchost.exe[1012] kernel32.dll!GetStartupInfoA 773219C9 5 Bytes JMP 00070F50
.text C:\Windows\System32\svchost.exe[1012] kernel32.dll!CreateProcessW 77321C01 5 Bytes JMP 00070EF5
.text C:\Windows\System32\svchost.exe[1012] kernel32.dll!CreateProcessA 77321C36 5 Bytes JMP 00070096
.text C:\Windows\System32\svchost.exe[1012] kernel32.dll!VirtualProtect 77321DD1 5 Bytes JMP 00070F8D
.text C:\Windows\System32\svchost.exe[1012] kernel32.dll!CreateNamedPipeW 77325C44 5 Bytes JMP 00070FB9
.text C:\Windows\System32\svchost.exe[1012] kernel32.dll!LoadLibraryExW 7734374A 5 Bytes JMP 00070F9E
.text C:\Windows\System32\svchost.exe[1012] kernel32.dll!LoadLibraryW 7734382D 5 Bytes JMP 00070040
.text C:\Windows\System32\svchost.exe[1012] kernel32.dll!VirtualProtectEx 77348F5E 5 Bytes JMP 00070F72
.text C:\Windows\System32\svchost.exe[1012] kernel32.dll!LoadLibraryExA 77349649 5 Bytes JMP 0007005B
.text C:\Windows\System32\svchost.exe[1012] kernel32.dll!LoadLibraryA 77349671 5 Bytes JMP 0007001B
.text C:\Windows\System32\svchost.exe[1012] kernel32.dll!CreatePipe 77350474 5 Bytes JMP 00070F61
.text C:\Windows\System32\svchost.exe[1012] kernel32.dll!GetProcAddress 7736BAC6 5 Bytes JMP 000700A7
.text C:\Windows\System32\svchost.exe[1012] kernel32.dll!CreateFileW 7736CE4E 5 Bytes JMP 00070000
.text C:\Windows\System32\svchost.exe[1012] kernel32.dll!CreateFileA 7736D171 5 Bytes JMP 00070FE5
.text C:\Windows\System32\svchost.exe[1012] kernel32.dll!CreateNamedPipeA 773B462E 5 Bytes JMP 00070FCA
.text C:\Windows\System32\svchost.exe[1012] kernel32.dll!WinExec 773B580B 5 Bytes JMP 00070F1A
.text C:\Windows\System32\svchost.exe[1012] msvcrt.dll!_wsystem 75E38A47 5 Bytes JMP 00050F7F
.text C:\Windows\System32\svchost.exe[1012] msvcrt.dll!system 75E38B63 5 Bytes JMP 00050FA4
.text C:\Windows\System32\svchost.exe[1012] msvcrt.dll!_creat 75E3C6F1 5 Bytes JMP 0005000A
.text C:\Windows\System32\svchost.exe[1012] msvcrt.dll!_open 75E3DA7E 5 Bytes JMP 00050FEF
.text C:\Windows\System32\svchost.exe[1012] msvcrt.dll!_wcreat 75E3DC9E 5 Bytes JMP 00050FB5
.text C:\Windows\System32\svchost.exe[1012] msvcrt.dll!_wopen 75E3DE79 5 Bytes JMP 00050FC6
.text C:\Windows\System32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyExA 75FFB5E7 5 Bytes JMP 00060036
.text C:\Windows\System32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyA 75FFB8AE 5 Bytes JMP 0006001B
.text C:\Windows\System32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyA 76000BF5 5 Bytes JMP 00060FE5
.text C:\Windows\System32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyW 7600B83D 5 Bytes JMP 00060F8A
.text C:\Windows\System32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyExW 7600BCE1 5 Bytes JMP 00060047
.text C:\Windows\System32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyExA 7600D4E8 5 Bytes JMP 0006000A
.text C:\Windows\System32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyW 76013CB0 5 Bytes JMP 00060FD4
.text C:\Windows\System32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyExW 7601F09D 5 Bytes JMP 00060FAF
.text C:\Windows\System32\svchost.exe[1056] ntdll.dll!NtCreateFile 77457C78 5 Bytes JMP 00D60000
.text C:\Windows\System32\svchost.exe[1056] ntdll.dll!NtCreateProcess 77457D38 5 Bytes JMP 00D6002C
.text C:\Windows\System32\svchost.exe[1056] ntdll.dll!NtProtectVirtualMemory 774585D8 5 Bytes JMP 00D60011
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!GetStartupInfoW 77321929 5 Bytes JMP 00D100C4
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!GetStartupInfoA 773219C9 5 Bytes JMP 00D10F7E
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!CreateProcessW 77321C01 5 Bytes JMP 00D10F5C
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!CreateProcessA 77321C36 5 Bytes JMP 00D100F3
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!VirtualProtect 77321DD1 5 Bytes JMP 00D1007D
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!CreateNamedPipeW 77325C44 5 Bytes JMP 00D1002F
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!LoadLibraryExW 7734374A 5 Bytes JMP 00D1006C
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!LoadLibraryW 7734382D 5 Bytes JMP 00D10051
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!VirtualProtectEx 77348F5E 5 Bytes JMP 00D10098
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!LoadLibraryExA 77349649 5 Bytes JMP 00D10FAF
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!LoadLibraryA 77349671 5 Bytes JMP 00D10040
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!CreatePipe 77350474 5 Bytes JMP 00D100B3
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!GetProcAddress 7736BAC6 5 Bytes JMP 00D10F4B
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!CreateFileW 7736CE4E 5 Bytes JMP 00D1000A
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!CreateFileA 7736D171 5 Bytes JMP 00D10FEF
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!CreateNamedPipeA 773B462E 5 Bytes JMP 00D10FD4
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!WinExec 773B580B 5 Bytes JMP 00D10F6D
.text C:\Windows\System32\svchost.exe[1056] msvcrt.dll!_wsystem 75E38A47 5 Bytes JMP 00D70FAF
.text C:\Windows\System32\svchost.exe[1056] msvcrt.dll!system 75E38B63 5 Bytes JMP 00D70FC0
.text C:\Windows\System32\svchost.exe[1056] msvcrt.dll!_creat 75E3C6F1 5 Bytes JMP 00D70029
.text C:\Windows\System32\svchost.exe[1056] msvcrt.dll!_open 75E3DA7E 5 Bytes JMP 00D70000
.text C:\Windows\System32\svchost.exe[1056] msvcrt.dll!_wcreat 75E3DC9E 5 Bytes JMP 00D7003A
.text C:\Windows\System32\svchost.exe[1056] msvcrt.dll!_wopen 75E3DE79 5 Bytes JMP 00D70FEF
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyExA 75FFB5E7 5 Bytes JMP 00DC0F94
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyA 75FFB8AE 5 Bytes JMP 00DC0FB9
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyA 76000BF5 5 Bytes JMP 00DC0FEF
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyW 7600B83D 5 Bytes JMP 00DC0040
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyExW 7600BCE1 5 Bytes JMP 00DC0F83
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyExA 7600D4E8 5 Bytes JMP 00DC0025
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyW 76013CB0 5 Bytes JMP 00DC0000
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyExW 7601F09D 5 Bytes JMP 00DC0FD4
.text C:\Windows\System32\svchost.exe[1056] WS2_32.dll!socket 76C136D1 5 Bytes JMP 00DD0FEF
.text C:\Windows\system32\svchost.exe[1068] ntdll.dll!NtCreateFile 77457C78 5 Bytes JMP 01310FEF
.text C:\Windows\system32\svchost.exe[1068] ntdll.dll!NtCreateProcess 77457D38 5 Bytes JMP 01310014
.text C:\Windows\system32\svchost.exe[1068] ntdll.dll!NtProtectVirtualMemory 774585D8 5 Bytes JMP 01310FDE
.text C:\Windows\system32\svchost.exe[1068] kernel32.dll!GetStartupInfoW 77321929 5 Bytes JMP 011400B3
.text C:\Windows\system32\svchost.exe[1068] kernel32.dll!GetStartupInfoA 773219C9 5 Bytes JMP 01140F6D
.text C:\Windows\system32\svchost.exe[1068] kernel32.dll!CreateProcessW 77321C01 5 Bytes JMP 01140F37
.text C:\Windows\system32\svchost.exe[1068] kernel32.dll!CreateProcessA 77321C36 5 Bytes JMP 01140F52
.text C:\Windows\system32\svchost.exe[1068] kernel32.dll!VirtualProtect 77321DD1 5 Bytes JMP 01140F99
.text C:\Windows\system32\svchost.exe[1068] kernel32.dll!CreateNamedPipeW 77325C44 5 Bytes JMP 0114003D
.text C:\Windows\system32\svchost.exe[1068] kernel32.dll!LoadLibraryExW 7734374A 5 Bytes JMP 01140FB4
.text C:\Windows\system32\svchost.exe[1068] kernel32.dll!LoadLibraryW 7734382D 5 Bytes JMP 01140FDB
.text C:\Windows\system32\svchost.exe[1068] kernel32.dll!VirtualProtectEx 77348F5E 5 Bytes JMP 01140F88
.text C:\Windows\system32\svchost.exe[1068] kernel32.dll!LoadLibraryExA 77349649 5 Bytes JMP 0114007D
.text C:\Windows\system32\svchost.exe[1068] kernel32.dll!LoadLibraryA 77349671 5 Bytes JMP 01140058
.text C:\Windows\system32\svchost.exe[1068] kernel32.dll!CreatePipe 77350474 5 Bytes JMP 01140098
.text C:\Windows\system32\svchost.exe[1068] kernel32.dll!GetProcAddress 7736BAC6 5 Bytes JMP 01140F1C
.text C:\Windows\system32\svchost.exe[1068] kernel32.dll!CreateFileW 7736CE4E 5 Bytes JMP 0114001B
.text C:\Windows\system32\svchost.exe[1068] kernel32.dll!CreateFileA 7736D171 5 Bytes JMP 0114000A
.text C:\Windows\system32\svchost.exe[1068] kernel32.dll!CreateNamedPipeA 773B462E 5 Bytes JMP 0114002C
.text C:\Windows\system32\svchost.exe[1068] kernel32.dll!WinExec 773B580B 5 Bytes JMP 011400CE
.text C:\Windows\system32\svchost.exe[1068] msvcrt.dll!_wsystem 75E38A47 5 Bytes JMP 01350FAD
.text C:\Windows\system32\svchost.exe[1068] msvcrt.dll!system 75E38B63 5 Bytes JMP 01350038
.text C:\Windows\system32\svchost.exe[1068] msvcrt.dll!_creat 75E3C6F1 5 Bytes JMP 01350FD9
.text C:\Windows\system32\svchost.exe[1068] msvcrt.dll!_open 75E3DA7E 5 Bytes JMP 01350000
.text C:\Windows\system32\svchost.exe[1068] msvcrt.dll!_wcreat 75E3DC9E 5 Bytes JMP 01350FC8
.text C:\Windows\system32\svchost.exe[1068] msvcrt.dll!_wopen 75E3DE79 5 Bytes JMP 0135001D
.text C:\Windows\system32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyExA 75FFB5E7 5 Bytes JMP 01370F9B
.text C:\Windows\system32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyA 75FFB8AE 5 Bytes JMP 01370FC0
.text C:\Windows\system32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyA 76000BF5 5 Bytes JMP 01370000
.text C:\Windows\system32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyW 7600B83D 5 Bytes JMP 0137003D
.text C:\Windows\system32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyExW 7600BCE1 5 Bytes JMP 01370F80
.text C:\Windows\system32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyExA 7600D4E8 5 Bytes JMP 01370FDB
.text C:\Windows\system32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyW 76013CB0 5 Bytes JMP 01370011
.text C:\Windows\system32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyExW 7601F09D 5 Bytes JMP 0137002C
.text C:\Windows\system32\svchost.exe[1068] WS2_32.dll!socket 76C136D1 5 Bytes JMP 013C0FEF
.text C:\Windows\system32\svchost.exe[1068] WININET.dll!InternetOpenA 75EF0A4D 5 Bytes JMP 024B0000
.text C:\Windows\system32\svchost.exe[1068] WININET.dll!InternetOpenUrlA 75EF2713 5 Bytes JMP 024B0FC0
.text C:\Windows\system32\svchost.exe[1068] WININET.dll!InternetOpenW 75EF30C8 5 Bytes JMP 024B0FDB
.text C:\Windows\system32\svchost.exe[1068] WININET.dll!InternetOpenUrlW 75F48515 5 Bytes JMP 024B001B
.text C:\Windows\system32\svchost.exe[1216] ntdll.dll!NtCreateFile 77457C78 5 Bytes JMP 00A30FEF
.text C:\Windows\system32\svchost.exe[1216] ntdll.dll!NtCreateProcess 77457D38 5 Bytes JMP 00A30FD4
.text C:\Windows\system32\svchost.exe[1216] ntdll.dll!NtProtectVirtualMemory 774585D8 5 Bytes JMP 00A3000A
.text C:\Windows\system32\svchost.exe[1216] kernel32.dll!GetStartupInfoW 77321929 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[1216] kernel32.dll!GetStartupInfoW 77321929 5 Bytes JMP 009E0F2D
.text C:\Windows\system32\svchost.exe[1216] kernel32.dll!GetStartupInfoA 773219C9 5 Bytes JMP 009E0F3E
.text C:\Windows\system32\svchost.exe[1216] kernel32.dll!CreateProcessW 77321C01 5 Bytes JMP 009E0EF7
.text C:\Windows\system32\svchost.exe[1216] kernel32.dll!CreateProcessA 77321C36 5 Bytes JMP 009E0F12
.text C:\Windows\system32\svchost.exe[1216] kernel32.dll!VirtualProtect 77321DD1 5 Bytes JMP 009E0F7E
.text C:\Windows\system32\svchost.exe[1216] kernel32.dll!CreateNamedPipeW 77325C44 5 Bytes JMP 009E002C
.text C:\Windows\system32\svchost.exe[1216] kernel32.dll!LoadLibraryExW 7734374A 5 Bytes JMP 009E0058
.text C:\Windows\system32\svchost.exe[1216] kernel32.dll!LoadLibraryW 7734382D 5 Bytes JMP 009E0FB6
.text C:\Windows\system32\svchost.exe[1216] kernel32.dll!VirtualProtectEx 77348F5E 5 Bytes JMP 009E0F59
.text C:\Windows\system32\svchost.exe[1216] kernel32.dll!LoadLibraryExA 77349649 5 Bytes JMP 009E0FA5
.text C:\Windows\system32\svchost.exe[1216] kernel32.dll!LoadLibraryA 77349671 5 Bytes JMP 009E003D
.text C:\Windows\system32\svchost.exe[1216] kernel32.dll!CreatePipe 77350474 5 Bytes JMP 009E0069
.text C:\Windows\system32\svchost.exe[1216] kernel32.dll!GetProcAddress 7736BAC6 5 Bytes JMP 009E0EE6
.text C:\Windows\system32\svchost.exe[1216] kernel32.dll!CreateFileW 7736CE4E 5 Bytes JMP 009E0FE5
.text C:\Windows\system32\svchost.exe[1216] kernel32.dll!CreateFileA 7736D171 5 Bytes JMP 009E0000
.text C:\Windows\system32\svchost.exe[1216] kernel32.dll!CreateNamedPipeA 773B462E 5 Bytes JMP 009E001B
.text C:\Windows\system32\svchost.exe[1216] kernel32.dll!WinExec 773B580B 5 Bytes JMP 009E0084
.text C:\Windows\system32\svchost.exe[1216] msvcrt.dll!_wsystem 75E38A47 5 Bytes JMP 00A4004A
.text C:\Windows\system32\svchost.exe[1216] msvcrt.dll!system 75E38B63 5 Bytes JMP 00A40FB5
.text C:\Windows\system32\svchost.exe[1216] msvcrt.dll!_creat 75E3C6F1 5 Bytes JMP 00A40FC6
.text C:\Windows\system32\svchost.exe[1216] msvcrt.dll!_open 75E3DA7E 5 Bytes JMP 00A40FE3
.text C:\Windows\system32\svchost.exe[1216] msvcrt.dll!_wcreat 75E3DC9E 5 Bytes JMP 00A40025
.text C:\Windows\system32\svchost.exe[1216] msvcrt.dll!_wopen 75E3DE79 5 Bytes JMP 00A40000
.text C:\Windows\system32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyExA 75FFB5E7 5 Bytes JMP 009D0F8D
.text C:\Windows\system32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyA 75FFB8AE 5 Bytes JMP 009D0FAF
.text C:\Windows\system32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyA 76000BF5 5 Bytes JMP 009D0FEF
.text C:\Windows\system32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyW 7600B83D 5 Bytes JMP 009D0F9E
.text C:\Windows\system32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyExW 7600BCE1 5 Bytes JMP 009D004A
.text C:\Windows\system32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyExA 7600D4E8 5 Bytes JMP 009D001B
.text C:\Windows\system32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyW 76013CB0 5 Bytes JMP 009D0000
.text C:\Windows\system32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyExW 7601F09D 5 Bytes JMP 009D0FCA
.text C:\Windows\system32\svchost.exe[1216] WS2_32.dll!socket 76C136D1 5 Bytes JMP 00A60000
.text C:\Windows\system32\svchost.exe[1216] WinInet.dll!InternetOpenA 75EF0A4D 5 Bytes JMP 00A50FE5
.text C:\Windows\system32\svchost.exe[1216] WinInet.dll!InternetOpenUrlA 75EF2713 5 Bytes JMP 00A50011
.text C:\Windows\system32\svchost.exe[1216] WinInet.dll!InternetOpenW 75EF30C8 5 Bytes JMP 00A50000
.text C:\Windows\system32\svchost.exe[1216] WinInet.dll!InternetOpenUrlW 75F48515 5 Bytes JMP 00A50022
.text C:\Windows\system32\svchost.exe[1404] ntdll.dll!NtCreateFile 77457C78 5 Bytes JMP 00960000
.text C:\Windows\system32\svchost.exe[1404] ntdll.dll!NtCreateProcess 77457D38 5 Bytes JMP 00960FD4
.text C:\Windows\system32\svchost.exe[1404] ntdll.dll!NtProtectVirtualMemory 774585D8 5 Bytes JMP 00960FE5
.text C:\Windows\system32\svchost.exe[1404] kernel32.dll!GetStartupInfoW 77321929 5 Bytes JMP 00950F51
.text C:\Windows\system32\svchost.exe[1404] kernel32.dll!GetStartupInfoA 773219C9 5 Bytes JMP 00950F62
.text C:\Windows\system32\svchost.exe[1404] kernel32.dll!CreateProcessW 77321C01 5 Bytes JMP 00950F1B
.text C:\Windows\system32\svchost.exe[1404] kernel32.dll!CreateProcessA 77321C36 5 Bytes JMP 009500B2
.text C:\Windows\system32\svchost.exe[1404] kernel32.dll!VirtualProtect 77321DD1 5 Bytes JMP 0095007C
.text C:\Windows\system32\svchost.exe[1404] kernel32.dll!CreateNamedPipeW 77325C44 5 Bytes JMP 00950FD1
.text C:\Windows\system32\svchost.exe[1404] kernel32.dll!LoadLibraryExW 7734374A 5 Bytes JMP 0095005F
.text C:\Windows\system32\svchost.exe[1404] kernel32.dll!LoadLibraryW 7734382D 5 Bytes JMP 0095003D
.text C:\Windows\system32\svchost.exe[1404] kernel32.dll!VirtualProtectEx 77348F5E 5 Bytes JMP 00950F87
.text C:\Windows\system32\svchost.exe[1404] kernel32.dll!LoadLibraryExA 77349649 5 Bytes JMP 0095004E
.text C:\Windows\system32\svchost.exe[1404] kernel32.dll!LoadLibraryA 77349671 5 Bytes JMP 00950FB6
.text C:\Windows\system32\svchost.exe[1404] kernel32.dll!CreatePipe 77350474 5 Bytes JMP 0095008D
.text C:\Windows\system32\svchost.exe[1404] kernel32.dll!GetProcAddress 7736BAC6 5 Bytes JMP 009500D7
.text C:\Windows\system32\svchost.exe[1404] kernel32.dll!CreateFileW 7736CE4E 5 Bytes JMP 0095001B
.text C:\Windows\system32\svchost.exe[1404] kernel32.dll!CreateFileA 7736D171 5 Bytes JMP 0095000A
.text C:\Windows\system32\svchost.exe[1404] kernel32.dll!CreateNamedPipeA 773B462E 5 Bytes JMP 0095002C
.text C:\Windows\system32\svchost.exe[1404] kernel32.dll!WinExec 773B580B 5 Bytes JMP 00950F36
.text C:\Windows\system32\svchost.exe[1404] msvcrt.dll!_wsystem 75E38A47 5 Bytes JMP 00970F92
.text C:\Windows\system32\svchost.exe[1404] msvcrt.dll!system 75E38B63 5 Bytes JMP 00970FA3
.text C:\Windows\system32\svchost.exe[1404] msvcrt.dll!_creat 75E3C6F1 5 Bytes JMP 00970FD2
.text C:\Windows\system32\svchost.exe[1404] msvcrt.dll!_open 75E3DA7E 5 Bytes JMP 00970000
.text C:\Windows\system32\svchost.exe[1404] msvcrt.dll!_wcreat 75E3DC9E 5 Bytes JMP 0097001D
.text C:\Windows\system32\svchost.exe[1404] msvcrt.dll!_wopen 75E3DE79 5 Bytes JMP 00970FE3
.text C:\Windows\system32\svchost.exe[1404] ADVAPI32.dll!RegCreateKeyExA 75FFB5E7 5 Bytes JMP 008F0F7C
.text C:\Windows\system32\svchost.exe[1404] ADVAPI32.dll!RegCreateKeyA 75FFB8AE 5 Bytes JMP 008F0F9E
.text C:\Windows\system32\svchost.exe[1404] ADVAPI32.dll!RegOpenKeyA 76000BF5 5 Bytes JMP 008F0FEF
.text C:\Windows\system32\svchost.exe[1404] ADVAPI32.dll!RegCreateKeyW 7600B83D 5 Bytes JMP 008F0F8D
.text C:\Windows\system32\svchost.exe[1404] ADVAPI32.dll!RegCreateKeyExW 7600BCE1 5 Bytes JMP 008F0F57
.text C:\Windows\system32\svchost.exe[1404] ADVAPI32.dll!RegOpenKeyExA 7600D4E8 5 Bytes JMP 008F0FC3
.text C:\Windows\system32\svchost.exe[1404] ADVAPI32.dll!RegOpenKeyW 76013CB0 5 Bytes JMP 008F0FD4
.text C:\Windows\system32\svchost.exe[1404] ADVAPI32.dll!RegOpenKeyExW 7601F09D 5 Bytes JMP 008F0014
.text C:\Windows\system32\svchost.exe[1404] WS2_32.dll!socket 76C136D1 5 Bytes JMP 009C0FE5
.text C:\Windows\system32\svchost.exe[1636] ntdll.dll!NtCreateFile 77457C78 5 Bytes JMP 00350000
.text C:\Windows\system32\svchost.exe[1636] ntdll.dll!NtCreateProcess 77457D38 5 Bytes JMP 00350FDB
.text C:\Windows\system32\svchost.exe[1636] ntdll.dll!NtProtectVirtualMemory 774585D8 5 Bytes JMP 00350011
.text C:\Windows\system32\svchost.exe[1636] kernel32.dll!GetStartupInfoW 77321929 5 Bytes JMP 00340F0B
.text C:\Windows\system32\svchost.exe[1636] kernel32.dll!GetStartupInfoA 773219C9 5 Bytes JMP 00340F30
.text C:\Windows\system32\svchost.exe[1636] kernel32.dll!CreateProcessW 77321C01 5 Bytes JMP 00340ECE
.text C:\Windows\system32\svchost.exe[1636] kernel32.dll!CreateProcessA 77321C36 5 Bytes JMP 00340EDF
.text C:\Windows\system32\svchost.exe[1636] kernel32.dll!VirtualProtect 77321DD1 5 Bytes JMP 00340040
.text C:\Windows\system32\svchost.exe[1636] kernel32.dll!CreateNamedPipeW 77325C44 5 Bytes JMP 0034000A
.text C:\Windows\system32\svchost.exe[1636] kernel32.dll!LoadLibraryExW 7734374A 5 Bytes JMP 0034002F
.text C:\Windows\system32\svchost.exe[1636] kernel32.dll!LoadLibraryW 7734382D 5 Bytes JMP 00340F8D
.text C:\Windows\system32\svchost.exe[1636] kernel32.dll!VirtualProtectEx 77348F5E 5 Bytes JMP 00340051
.text C:\Windows\system32\svchost.exe[1636] kernel32.dll!LoadLibraryExA 77349649 5 Bytes JMP 00340F7C
.text C:\Windows\system32\svchost.exe[1636] kernel32.dll!LoadLibraryA 77349671 5 Bytes JMP 00340F9E
.text C:\Windows\system32\svchost.exe[1636] kernel32.dll!CreatePipe 77350474 5 Bytes JMP 00340F41
.text C:\Windows\system32\svchost.exe[1636] kernel32.dll!GetProcAddress 7736BAC6 5 Bytes JMP 0034008A
.text C:\Windows\system32\svchost.exe[1636] kernel32.dll!CreateFileW 7736CE4E 5 Bytes JMP 00340FDE
.text C:\Windows\system32\svchost.exe[1636] kernel32.dll!CreateFileA 7736D171 5 Bytes JMP 00340FEF
.text C:\Windows\system32\svchost.exe[1636] kernel32.dll!CreateNamedPipeA 773B462E 5 Bytes JMP 00340FB9
.text C:\Windows\system32\svchost.exe[1636] kernel32.dll!WinExec 773B580B 5 Bytes JMP 00340EF0
.text C:\Windows\system32\svchost.exe[1636] msvcrt.dll!_wsystem 75E38A47 5 Bytes JMP 00130038
.text C:\Windows\system32\svchost.exe[1636] msvcrt.dll!system 75E38B63 5 Bytes JMP 00130027
.text C:\Windows\system32\svchost.exe[1636] msvcrt.dll!_creat 75E3C6F1 5 Bytes JMP 0013000C
.text C:\Windows\system32\svchost.exe[1636] msvcrt.dll!_open 75E3DA7E 5 Bytes JMP 00130FEF
.text C:\Windows\system32\svchost.exe[1636] msvcrt.dll!_wcreat 75E3DC9E 5 Bytes JMP 00130FB7
.text C:\Windows\system32\svchost.exe[1636] msvcrt.dll!_wopen 75E3DE79 5 Bytes JMP 00130FD2
.text C:\Windows\system32\svchost.exe[1636] ADVAPI32.dll!RegCreateKeyExA 75FFB5E7 5 Bytes JMP 002F007D
.text C:\Windows\system32\svchost.exe[1636] ADVAPI32.dll!RegCreateKeyA 75FFB8AE 5 Bytes JMP 002F0FDB
.text C:\Windows\system32\svchost.exe[1636] ADVAPI32.dll!RegOpenKeyA 76000BF5 5 Bytes JMP 002F0000
.text C:\Windows\system32\svchost.exe[1636] ADVAPI32.dll!RegCreateKeyW 7600B83D 5 Bytes JMP 002F0062
.text C:\Windows\system32\svchost.exe[1636] ADVAPI32.dll!RegCreateKeyExW 7600BCE1 5 Bytes JMP 002F008E
.text C:\Windows\system32\svchost.exe[1636] ADVAPI32.dll!RegOpenKeyExA 7600D4E8 5 Bytes JMP 002F002C
.text C:\Windows\system32\svchost.exe[1636] ADVAPI32.dll!RegOpenKeyW 76013CB0 5 Bytes JMP 002F0011
.text C:\Windows\system32\svchost.exe[1636] ADVAPI32.dll!RegOpenKeyExW 7601F09D 5 Bytes JMP 002F0047
.text C:\Windows\system32\svchost.exe[1636] WS2_32.dll!socket 76C136D1 5 Bytes JMP 00250FEF
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[1920] kernel32.dll!LoadLibraryW 7734382D 5 Bytes JMP 71159A63 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[1920] kernel32.dll!LoadLibraryA 77349671 5 Bytes JMP 711599A1 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Windows\Explorer.EXE[3116] ntdll.dll!NtCreateFile 77457C78 5 Bytes JMP 00080000
.text C:\Windows\Explorer.EXE[3116] ntdll.dll!NtCreateProcess 77457D38 5 Bytes JMP 00080025
.text C:\Windows\Explorer.EXE[3116] ntdll.dll!NtProtectVirtualMemory 774585D8 5 Bytes JMP 00080FEF
.text C:\Windows\Explorer.EXE[3116] kernel32.dll!GetStartupInfoW 77321929 5 Bytes JMP 00010F48
.text C:\Windows\Explorer.EXE[3116] kernel32.dll!GetStartupInfoA 773219C9 5 Bytes JMP 00010098
.text C:\Windows\Explorer.EXE[3116] kernel32.dll!CreateProcessW 77321C01 5 Bytes JMP 000100CE
.text C:\Windows\Explorer.EXE[3116] kernel32.dll!CreateProcessA 77321C36 5 Bytes JMP 00010F37
.text C:\Windows\Explorer.EXE[3116] kernel32.dll!VirtualProtect 77321DD1 5 Bytes JMP 00010F92
.text C:\Windows\Explorer.EXE[3116] kernel32.dll!CreateNamedPipeW 77325C44 5 Bytes JMP 00010047
.text C:\Windows\Explorer.EXE[3116] kernel32.dll!LoadLibraryExW 7734374A 5 Bytes JMP 00010FA3
.text C:\Windows\Explorer.EXE[3116] kernel32.dll!LoadLibraryW 7734382D 5 Bytes JMP 00010062
.text C:\Windows\Explorer.EXE[3116] kernel32.dll!VirtualProtectEx 77348F5E 5 Bytes JMP 00010F77
.text C:\Windows\Explorer.EXE[3116] kernel32.dll!LoadLibraryExA 77349649 5 Bytes JMP 00010FC0
.text C:\Windows\Explorer.EXE[3116] kernel32.dll!LoadLibraryA 77349671 5 Bytes JMP 00010FDB
.text C:\Windows\Explorer.EXE[3116] kernel32.dll!CreatePipe 77350474 5 Bytes JMP 0001007D
.text C:\Windows\Explorer.EXE[3116] kernel32.dll!GetProcAddress 7736BAC6 5 Bytes JMP 00010F1C
.text C:\Windows\Explorer.EXE[3116] kernel32.dll!CreateFileW 7736CE4E 5 Bytes JMP 0001001B
.text C:\Windows\Explorer.EXE[3116] kernel32.dll!CreateFileA 7736D171 5 Bytes JMP 00010000
.text C:\Windows\Explorer.EXE[3116] kernel32.dll!CreateNamedPipeA 773B462E 5 Bytes JMP 00010036
.text C:\Windows\Explorer.EXE[3116] kernel32.dll!WinExec 773B580B 5 Bytes JMP 000100A9
.text C:\Windows\Explorer.EXE[3116] ADVAPI32.dll!RegCreateKeyExA 75FFB5E7 5 Bytes JMP 000A0F83
.text C:\Windows\Explorer.EXE[3116] ADVAPI32.dll!RegCreateKeyA 75FFB8AE 5 Bytes JMP 000A0FAF
.text C:\Windows\Explorer.EXE[3116] ADVAPI32.dll!RegOpenKeyA 76000BF5 5 Bytes JMP 000A0FEF
.text C:\Windows\Explorer.EXE[3116] ADVAPI32.dll!RegCreateKeyW 7600B83D 5 Bytes JMP 000A0F94
.text C:\Windows\Explorer.EXE[3116] ADVAPI32.dll!RegCreateKeyExW 7600BCE1 5 Bytes JMP 000A004A
.text C:\Windows\Explorer.EXE[3116] ADVAPI32.dll!RegOpenKeyExA 7600D4E8 5 Bytes JMP 000A001B
.text C:\Windows\Explorer.EXE[3116] ADVAPI32.dll!RegOpenKeyW 76013CB0 5 Bytes JMP 000A0000
.text C:\Windows\Explorer.EXE[3116] ADVAPI32.dll!RegOpenKeyExW 7601F09D 5 Bytes JMP 000A0FCA
.text C:\Windows\Explorer.EXE[3116] msvcrt.dll!_wsystem 75E38A47 5 Bytes JMP 000B0053
.text C:\Windows\Explorer.EXE[3116] msvcrt.dll!system 75E38B63 5 Bytes JMP 000B0038
.text C:\Windows\Explorer.EXE[3116] msvcrt.dll!_creat 75E3C6F1 5 Bytes JMP 000B001D
.text C:\Windows\Explorer.EXE[3116] msvcrt.dll!_open 75E3DA7E 5 Bytes JMP 000B0000
.text C:\Windows\Explorer.EXE[3116] msvcrt.dll!_wcreat 75E3DC9E 5 Bytes JMP 000B0FC8
.text C:\Windows\Explorer.EXE[3116] msvcrt.dll!_wopen 75E3DE79 5 Bytes JMP 000B0FE3
.text C:\Windows\Explorer.EXE[3116] WS2_32.dll!socket 76C136D1 5 Bytes JMP 016E0000
.text C:\Windows\Explorer.EXE[3116] WININET.dll!InternetOpenA 75EF0A4D 5 Bytes JMP 06450FEF
.text C:\Windows\Explorer.EXE[3116] WININET.dll!InternetOpenUrlA 75EF2713 5 Bytes JMP 06450000
.text C:\Windows\Explorer.EXE[3116] WININET.dll!InternetOpenW 75EF30C8 5 Bytes JMP 06450FD4
.text C:\Windows\Explorer.EXE[3116] WININET.dll!InternetOpenUrlW 75F48515 5 Bytes JMP 06450011
.text C:\Windows\system32\wuauclt.exe[5412] ntdll.dll!NtCreateFile 77457C78 5 Bytes JMP 00040FEF
.text C:\Windows\system32\wuauclt.exe[5412] ntdll.dll!NtCreateProcess 77457D38 5 Bytes JMP 00040FC3
.text C:\Windows\system32\wuauclt.exe[5412] ntdll.dll!NtProtectVirtualMemory 774585D8 5 Bytes JMP 00040FDE
.text C:\Windows\system32\wuauclt.exe[5412] kernel32.dll!GetStartupInfoW 77321929 5 Bytes JMP 00010F3A
.text C:\Windows\system32\wuauclt.exe[5412] kernel32.dll!GetStartupInfoA 773219C9 5 Bytes JMP 00010080
.text C:\Windows\system32\wuauclt.exe[5412] kernel32.dll!CreateProcessW 77321C01 5 Bytes JMP 00010EFA
.text C:\Windows\system32\wuauclt.exe[5412] kernel32.dll!CreateProcessA 77321C36 5 Bytes JMP 00010091
.text C:\Windows\system32\wuauclt.exe[5412] kernel32.dll!VirtualProtect 77321DD1 5 Bytes JMP 00010040
.text C:\Windows\system32\wuauclt.exe[5412] kernel32.dll!CreateNamedPipeW 77325C44 5 Bytes JMP 00010FC3
.text C:\Windows\system32\wuauclt.exe[5412] kernel32.dll!LoadLibraryExW 7734374A 5 Bytes JMP 00010F66
.text C:\Windows\system32\wuauclt.exe[5412] kernel32.dll!LoadLibraryW 7734382D 5 Bytes JMP 00010F8D
.text C:\Windows\system32\wuauclt.exe[5412] kernel32.dll!VirtualProtectEx 77348F5E 5 Bytes JMP 00010F55
.text C:\Windows\system32\wuauclt.exe[5412] kernel32.dll!LoadLibraryExA 77349649 5 Bytes JMP 0001002F
.text C:\Windows\system32\wuauclt.exe[5412] kernel32.dll!LoadLibraryA 77349671 5 Bytes JMP 00010FA8
.text C:\Windows\system32\wuauclt.exe[5412] kernel32.dll!CreatePipe 77350474 5 Bytes JMP 00010065
.text C:\Windows\system32\wuauclt.exe[5412] kernel32.dll!GetProcAddress 7736BAC6 5 Bytes JMP 00010EE9
.text C:\Windows\system32\wuauclt.exe[5412] kernel32.dll!CreateFileW 7736CE4E 5 Bytes JMP 00010FDE
.text C:\Windows\system32\wuauclt.exe[5412] kernel32.dll!CreateFileA 7736D171 5 Bytes JMP 00010FEF
.text C:\Windows\system32\wuauclt.exe[5412] kernel32.dll!CreateNamedPipeA 773B462E 5 Bytes JMP 0001001E
.text C:\Windows\system32\wuauclt.exe[5412] kernel32.dll!WinExec 773B580B 5 Bytes JMP 00010F1F
.text C:\Windows\system32\wuauclt.exe[5412] msvcrt.dll!_wsystem 75E38A47 5 Bytes JMP 00070049
.text C:\Windows\system32\wuauclt.exe[5412] msvcrt.dll!system 75E38B63 5 Bytes JMP 00070FBE
.text C:\Windows\system32\wuauclt.exe[5412] msvcrt.dll!_creat 75E3C6F1 5 Bytes JMP 0007001D
.text C:\Windows\system32\wuauclt.exe[5412] msvcrt.dll!_open 75E3DA7E 5 Bytes JMP 00070FEF
.text C:\Windows\system32\wuauclt.exe[5412] msvcrt.dll!_wcreat 75E3DC9E 5 Bytes JMP 0007002E
.text C:\Windows\system32\wuauclt.exe[5412] msvcrt.dll!_wopen 75E3DE79 5 Bytes JMP 0007000C
.text C:\Windows\system32\wuauclt.exe[5412] ADVAPI32.dll!RegCreateKeyExA 75FFB5E7 5 Bytes JMP 0008005B
.text C:\Windows\system32\wuauclt.exe[5412] ADVAPI32.dll!RegCreateKeyA 75FFB8AE 5 Bytes JMP 0008002F
.text C:\Windows\system32\wuauclt.exe[5412] ADVAPI32.dll!RegOpenKeyA 76000BF5 5 Bytes JMP 00080000
.text C:\Windows\system32\wuauclt.exe[5412] ADVAPI32.dll!RegCreateKeyW 7600B83D 5 Bytes JMP 00080040
.text C:\Windows\system32\wuauclt.exe[5412] ADVAPI32.dll!RegCreateKeyExW 7600BCE1 5 Bytes JMP 0008006C
.text C:\Windows\system32\wuauclt.exe[5412] ADVAPI32.dll!RegOpenKeyExA 7600D4E8 5 Bytes JMP 00080FD4
.text C:\Windows\system32\wuauclt.exe[5412] ADVAPI32.dll!RegOpenKeyW 76013CB0 5 Bytes JMP 00080FEF
.text C:\Windows\system32\wuauclt.exe[5412] ADVAPI32.dll!RegOpenKeyExW 7601F09D 5 Bytes JMP 00080FC3

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs MOBK.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp mfewfpk.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp mfewfpk.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----
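The "User code sections" block above lists, per process, exported functions whose first five bytes were overwritten with a JMP, and only for the McSvHost.exe entries could GMER name the module that owns the JMP target (mcproxy.dll); every other target is a bare address in low, private memory. The script below is an added example, not part of the posted log and not GMER's own code: it parses lines in exactly the format shown above (a handful of the posted lines are embedded as sample input), separates module-backed hooks from unattributed ones, groups the unattributed targets by the 64 KiB allocation region they fall in, and shows how the "5 Bytes JMP" patch is encoded (E9 plus a rel32 displacement) so the reported target can be recomputed from the patched bytes. The 64 KiB grouping assumes the normal Windows VirtualAlloc allocation granularity; an unattributed hook is a lead to correlate with the rest of the logs, not a verdict, since security products also inject into processes.

```python
"""Triage GMER 'User code sections' lines: which processes carry 5-byte inline
JMP hooks, whether GMER could attribute the JMP target to a loaded module, and
which 64 KiB private-memory regions the unattributed hooks land in."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input: six lines copied from the GMER output posted above (not the
# whole log). Only the McSvHost line carries an owning-module path.
GMER_LINES = r""".text C:\Windows\system32\svchost.exe[1216] kernel32.dll!CreateProcessW 77321C01 5 Bytes JMP 009E0EF7
.text C:\Windows\system32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyExA 75FFB5E7 5 Bytes JMP 009D0F8D
.text C:\Windows\system32\svchost.exe[1216] WS2_32.dll!socket 76C136D1 5 Bytes JMP 00A60000
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[1920] kernel32.dll!LoadLibraryW 7734382D 5 Bytes JMP 71159A63 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Windows\Explorer.EXE[3116] ntdll.dll!NtCreateFile 77457C78 5 Bytes JMP 00080000
.text C:\Windows\Explorer.EXE[3116] WININET.dll!InternetOpenUrlA 75EF2713 5 Bytes JMP 06450000
"""

# One GMER hook line:
# ".text <process>[<pid>] <module>!<export> <addr> 5 Bytes JMP <target> [<owner path> (<description>)]"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[\w.]+)!(?P<func>\w+)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes\s+JMP\s+"
    r"(?P<target>[0-9A-Fa-f]{8})"
    r"(?:\s+(?P<owner>\S.*?)\s+\((?P<desc>[^)]*)\))?\s*$"
)

# VirtualAlloc reserves private memory on 64 KiB boundaries (assumed default
# granularity), so targets sharing the upper 16 bits sit in one allocation.
ALLOC_GRANULARITY_MASK = 0xFFFF0000


@dataclass
class Hook:
    process: str
    pid: int
    module: str
    func: str
    addr: int             # address of the patched export
    target: int           # where the 5-byte JMP lands
    owner: Optional[str]  # module GMER attributed the target to, if any


def parse_hooks(text: str) -> List[Hook]:
    """Parse every hook line; lines from other GMER sections are ignored."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.rstrip())
        if not m:
            continue
        hooks.append(Hook(m["process"], int(m["pid"]), m["module"], m["func"],
                          int(m["addr"], 16), int(m["target"], 16), m["owner"]))
    return hooks


def triage(hooks: List[Hook]) -> Dict[int, dict]:
    """Per PID: counts of module-backed vs unattributed hooks, plus the 64 KiB
    regions that the unattributed hooks jump into."""
    report: Dict[int, dict] = {}
    for h in hooks:
        entry = report.setdefault(h.pid, {"process": h.process, "backed": 0,
                                          "unbacked": 0, "regions": set()})
        if h.owner:
            entry["backed"] += 1
        else:
            entry["unbacked"] += 1
            entry["regions"].add(f"{h.target & ALLOC_GRANULARITY_MASK:08X}")
    for entry in report.values():
        entry["regions"] = sorted(entry["regions"])
    return report


def unattributed_processes(report: Dict[int, dict]) -> List[Tuple[int, str]]:
    """PIDs whose hooks point into memory GMER could not map to a module."""
    return sorted((pid, e["process"]) for pid, e in report.items() if e["unbacked"])


def encode_jmp(addr: int, target: int) -> bytes:
    """The 5-byte E9 rel32 patch GMER reports: the displacement is relative to
    the end of the instruction, i.e. target - (addr + 5), wrapped to 32 bits."""
    rel = (target - (addr + 5)) & 0xFFFFFFFF
    return b"\xE9" + rel.to_bytes(4, "little")


def decode_jmp_target(addr: int, patch: bytes) -> int:
    """Inverse of encode_jmp: recover the hook target from the patched bytes."""
    if len(patch) != 5 or patch[0] != 0xE9:
        raise ValueError("not a 5-byte E9 rel32 JMP")
    rel = int.from_bytes(patch[1:], "little", signed=True)
    return (addr + 5 + rel) & 0xFFFFFFFF


if __name__ == "__main__":
    report = triage(parse_hooks(GMER_LINES))
    for pid, e in sorted(report.items()):
        print(f"{pid:>5} {e['process']}: backed={e['backed']} "
              f"unbacked={e['unbacked']} regions={e['regions']}")
    print("follow up:", unattributed_processes(report))
    print("CreateProcessW patch:", encode_jmp(0x77321C01, 0x009E0EF7).hex())
```

Run against the full log pasted above, the region list is the useful part: hooks from one process that all land in two or three adjacent 64 KiB regions describe one injected blob, and the set of exports it covers (process creation, LoadLibrary, registry create/open, socket, InternetOpen) says what that blob wants to intercept.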

#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:56 AM

Posted 24 April 2012 - 06:52 PM

Please run aswMBR and OTL

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

And OTL


We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

m0le is a proud member of UNITE

#3 dyjodapa

dyjodapa
  • Topic Starter

  • Members
  • 77 posts
  • OFFLINE
  •  
  • Local time:06:56 AM

Posted 24 April 2012 - 07:14 PM

Here are the logs m0le:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-24 18:55:36
-----------------------------
18:55:36.817 OS Version: Windows 6.0.6001 Service Pack 1
18:55:36.817 Number of processors: 2 586 0xF0D
18:55:36.817 ComputerName: DYLAN-PC UserName: Dylan
18:55:50.389 Initialize success
18:59:48.014 AVAST engine defs: 12042401
19:00:24.970 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
19:00:24.970 Disk 0 Vendor: ST3250310AS 3.ADA Size: 238418MB BusType: 3
19:00:24.986 Disk 0 MBR read successfully
19:00:24.986 Disk 0 MBR scan
19:00:25.001 Disk 0 Windows VISTA default MBR code
19:00:25.001 Disk 0 Partition 1 00 DE Dell Utility 47 MB offset 63
19:00:25.017 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10240 MB offset 98304
19:00:25.033 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 228129 MB offset 21069824
19:00:25.048 Disk 0 scanning sectors +488278016
19:00:25.157 Disk 0 scanning C:\Windows\system32\drivers
19:00:35.625 Service scanning
19:00:58.089 Modules scanning
19:01:03.065 Disk 0 trace - called modules:
19:01:03.081 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
19:01:03.097 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x859c43f0]
19:01:03.097 3 CLASSPNP.SYS[8839c745] -> nt!IofCallDriver -> [0x851ee860]
19:01:03.097 5 acpi.sys[8069b6a0] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x851e48a8]
19:01:03.112 Scan finished successfully
19:01:22.981 Disk 0 MBR has been saved successfully to "C:\Users\Dylan\Documents\logs 4-23-12\MBR.dat"
19:01:22.997 The log file has been saved successfully to "C:\Users\Dylan\Documents\logs 4-23-12\aswMBR.txt"


OTL logfile created on: 4/24/2012 7:02:55 PM - Run 1
OTL by OldTimer - Version 3.2.41.0 Folder = C:\Users\Dylan\Desktop
Windows Vista Home Basic Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.25 Gb Available Physical Memory | 62.79% Memory free
4.21 Gb Paging File | 3.07 Gb Available in Paging File | 72.92% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 222.78 Gb Total Space | 110.59 Gb Free Space | 49.64% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 6.20 Gb Free Space | 61.97% Space Free | Partition Type: NTFS

Computer Name: DYLAN-PC | User Name: Dylan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/04/24 19:01:48 | 000,594,944 | ---- | M] (OldTimer Tools) -- C:\Users\Dylan\Desktop\OTL.exe
PRC - [2012/01/03 17:31:34 | 001,391,272 | ---- | M] (Ask) -- C:\Program Files\Ask.com\Updater\Updater.exe
PRC - [2011/09/23 11:11:36 | 000,216,208 | ---- | M] (Avanquest Software) -- C:\Program Files\PC Speed Maximizer\SPMReminder.exe
PRC - [2011/07/13 09:58:32 | 001,195,488 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\MSC\mcupdmgr.exe
PRC - [2011/07/13 09:58:00 | 001,312,384 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2011/05/20 12:03:34 | 000,210,144 | ---- | M] () -- C:\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe
PRC - [2011/03/13 11:45:14 | 000,148,520 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\SystemCore\mfevtps.exe
PRC - [2011/03/13 11:41:50 | 000,159,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\SystemCore\mfefire.exe
PRC - [2011/03/13 11:41:36 | 000,165,000 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\SystemCore\mcshield.exe
PRC - [2011/03/01 18:00:26 | 001,813,808 | ---- | M] (ParetoLogic) -- C:\Program Files\ParetoLogic\FileCure\FileCure.exe
PRC - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
PRC - [2010/02/10 06:19:29 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2010/01/24 18:10:40 | 000,229,688 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Online Backup\MOBKbackup.exe
PRC - [2010/01/15 07:49:20 | 000,255,536 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
PRC - [2010/01/11 16:21:52 | 000,490,216 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Common Files\Java\Java Update\jucheck.exe
PRC - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/01/17 07:22:20 | 004,907,008 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2007/12/05 06:17:24 | 000,077,824 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\AERTSrv.exe


========== Modules (No Company Name) ==========

MOD - [2009/11/03 16:51:42 | 000,067,872 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2009/11/03 16:51:26 | 000,039,712 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\ASL.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/05/20 12:03:34 | 000,210,144 | ---- | M] () [Auto | Running] -- C:\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe -- (Updater Service for StartNow Toolbar)
SRV - [2011/03/17 16:38:42 | 000,361,712 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2011/03/13 11:45:14 | 000,148,520 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\SystemCore\mfevtps.exe -- (mfevtp)
SRV - [2011/03/13 11:41:50 | 000,159,832 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe -- (mfefire)
SRV - [2011/03/13 11:41:36 | 000,165,000 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (MSK80Service)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McAfee SiteAdvisor Service)
SRV - [2010/10/12 12:59:12 | 000,206,072 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files\WildTangent Games\App\GamesAppService.exe -- (GamesAppService)
SRV - [2010/01/24 18:10:40 | 000,229,688 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee Online Backup\MOBKbackup.exe -- (MOBKbackup)
SRV - [2010/01/15 07:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2007/12/05 06:17:24 | 000,077,824 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\AERTSrv.exe -- (AERTFilters)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (mfeavfk01)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\blbdrive.sys -- (blbdrive)
DRV - File not found [Kernel | On_Demand | Unknown] -- C:\Users\Dylan\AppData\Local\Temp\aswMBR.sys -- (aswMBR)
DRV - [2011/07/27 13:48:16 | 000,006,656 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\iPodDrv.sys -- (iPodDrv)
DRV - [2011/03/13 11:20:10 | 000,459,728 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2011/03/13 11:20:10 | 000,337,912 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2011/03/13 11:20:10 | 000,179,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2011/03/13 11:20:10 | 000,163,400 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfewfpk.sys -- (mfewfpk)
DRV - [2011/03/13 11:20:10 | 000,118,784 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2011/03/13 11:20:10 | 000,089,368 | ---- | M] (McAfee, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\mfetdi2k.sys -- (mfetdi2k)
DRV - [2011/03/13 11:20:10 | 000,085,984 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2011/03/13 11:20:10 | 000,064,648 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfenlfk.sys -- (mfenlfk)
DRV - [2011/03/13 11:20:10 | 000,059,288 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2011/03/13 11:20:10 | 000,057,432 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\cfwids.sys -- (cfwids)
DRV - [2010/01/24 18:09:48 | 000,054,776 | ---- | M] (Mozy, Inc.) [File_System | System | Running] -- C:\Windows\System32\drivers\MOBK.sys -- (MOBKFilter)
DRV - [2006/11/02 02:41:53 | 000,251,904 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\VSTBS23.SYS -- (VSTHWBS2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.search.yahoo.com/?fr=w3i&type=W3i_SP,204,0_0,StartPage,20111251,16897,0,5,0
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
IE - HKCU\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
IE - HKCU\..\SearchScopes,DefaultScope = {171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKCU\..\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=FTB&o=41648106&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=9C&apn_dtid=YYYYYYYYUS&apn_uid=34187F8A-ABF7-4907-A1A0-0F0325E1AFC5&apn_sauid=861DC056-9656-4580-A552-565566C9368D
IE - HKCU\..\SearchScopes\{4260182C-53DC-5177-430F-D0D732B41839}: "URL" = http://ib.startnow.com/s/?q={searchTerms}&src=defsearch&provider=bing&provider_name=bing&provider_code=Z057&partner_id=333&product_id=706&affiliate_id=&channel=DPGL16&toolbar_id=200&toolbar_version=2.1.0&install_country=US&install_date=20110720&user_guid=F44462621C49457F9B434451FC02D592&machine_id=b7fe3eda4a4fef760194e81e016270f8&browser=IE&os=win&os_version=6.0-x86-SP0&iesrc={referrer:source}
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKCU\..\SearchScopes\{D9256BA8-DFCE-4F69-A438-61C0C29B807B}: "URL" = http://search.yahoo.com/search?p={searchterms}&ei=UTF-8&fr=w3i&type=W3i_DS,105,0_0,Search,20111251,6900,0,5,0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@mcafee.com/MSC,version=10: c:\progra~1\mcafee\msc\npmcsn~1.dll ()
FF - HKLM\Software\MozillaPlugins\@mcafee.com/SAFFPlugin: C:\Program Files\McAfee\SiteAdvisor\npmcffplg32.dll (McAfee, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MI1933~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MI1933~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@mywebsearch.com/Plugin: C:\Program Files\MyWebSearch\bar\1.bin\NPMyWebS.dll File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@WildTangent.com/GamesAppPresenceDetector,Version=1.0: C:\Program Files\WildTangent Games\App\BrowserIntegration\Registered\2\NP_wtapp.dll ()
FF - HKLM\Software\MozillaPlugins\npDisplayEngine: C:\Program Files\LivingPlay Games\nplplaypop.dll ( )
FF - HKCU\Software\MozillaPlugins\@doubletwist.com/NPPodcast: C:\Program Files\Common Files\doubleTwist\NPPodcast.dll (doubleTwist Corporation)
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Users\Dylan\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\m3ffxtbr@mywebsearch.com: C:\Program Files\MyWebSearch\bar\1.bin
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{4ED1F68A-5463-4931-9384-8FFF5ED91D92}: C:\Program Files\McAfee\SiteAdvisor [2012/02/07 21:47:55 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{8A9386B4-E958-4c4c-ADF4-8F26DB3E4829}: C:\Program Files\PriceGong\2.5.3\FF [2011/12/13 20:40:16 | 000,000,000 | ---D | M]

[2010/11/03 18:27:48 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Dylan\AppData\Roaming\Mozilla\Extensions
[2010/06/13 16:05:31 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Dylan\AppData\Roaming\Mozilla\Extensions\IMVUClientXUL@imvu.com

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\18.0.1025.162\pdf.dll
CHR - plugin: Google Gears 0.5.33.0 (Enabled) = C:\Program Files\Google\Chrome\Application\18.0.1025.162\gears.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\18.0.1025.162\gcswf32.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.180.7 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeploytk.dll
CHR - plugin: Java™ Platform SE 6 U18 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: QuickTime Plug-in 7.6.5 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.6.5 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.6.5 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.6.5 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.6.5 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.6.5 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.6.5 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Unity Player (Enabled) = C:\Users\Dylan\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\Windows\system32\Adobe\Director\np32dsw.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.0.50917.0\npctrl.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: PriceGong = C:\Users\Dylan\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkomkajifikmkfnjgphkjcfeepbnojok\5.5.3_0\
CHR - Extension: SiteAdvisor = C:\Users\Dylan\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho\3.41.122.1_0\
CHR - Extension: We-Care Reminder Lite = C:\Users\Dylan\AppData\Local\Google\Chrome\User Data\Default\Extensions\lkpmjnommfoljgjbckjmjhkmnhfmcmon\1.2.0.2_0\
CHR - Extension: We-Care Reminder Lite = C:\Users\Dylan\AppData\Local\Google\Chrome\User Data\Default\Extensions\lkpmjnommfoljgjbckjmjhkmnhfmcmon\1.2.0.2_0\.bak
CHR - Extension: LivingPlay = C:\Users\Dylan\AppData\Local\Google\Chrome\User Data\Default\Extensions\maopdgeieiiiifooolcjjfmjdlkmhfdh\

O1 HOSTS File: ([2010/10/30 17:06:29 | 000,000,734 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (Shopping Assistant Plugin) - {1631550F-191D-4826-B069-D9439253D926} - C:\Program Files\PriceGong\2.5.3\PriceGongIE.dll (PriceGong)
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll File not found
O2 - BHO: (Fast Search) - {5AB7104A-B71F-49AD-9154-F7F8806AE848} - C:\Program Files\Surf Canyon\surfcanyon.dll (Surf Canyon Incorporated)
O2 - BHO: (PodcastBHO Class) - {65134FDF-F8A5-4B3D-91D9-CDF273CFD578} - C:\Program Files\Common Files\doubleTwist\IEPodcastPlugin.dll (doubleTwist Corporation)
O2 - BHO: (StartNow Toolbar Helper) - {6E13D095-45C3-4271-9475-F3B48227DD9F} - C:\Program Files\StartNow Toolbar\Toolbar32.dll (StartNow.com)
O2 - BHO: (Special Savings) - {74F475FA-6C75-43BD-AAB9-ECDA6184F600} - C:\Program Files\Superfish\Special Savings\SpecialSavings.dll (Superfish)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\Mcafee\SystemCore\ScriptSn.20110801113639.dll (McAfee, Inc.)
O2 - BHO: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - No CLSID value found.
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O2 - BHO: (WeCareReminder Class) - {D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} - C:\ProgramData\WeCareReminder\IEHelperv2.5.0.dll (We-Care.com)
O2 - BHO: (Yontoo Layers) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo Layers Client\YontooIEClient.dll (Yontoo LLC)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (StartNow Toolbar) - {5911488E-9D1E-40ec-8CBB-06B231CC153F} - C:\Program Files\StartNow Toolbar\Toolbar32.dll (StartNow.com)
O3 - HKLM\..\Toolbar: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [ApnUpdater] C:\Program Files\Ask.com\Updater\Updater.exe (Ask)
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [TaskTray] File not found
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [PC Speed Maximizer] C:\Program Files\PC Speed Maximizer\SPMLauncher.exe ()
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra Button: Special Savings - {A69A551A-1AAE-4B67-8C2E-52F8B8A19504} - C:\Program Files\Superfish\Special Savings\SpecialSavings.dll (Superfish)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} https://oas.support.microsoft.com/ActiveX/MSDcode.cab (Microsoft Data Collection Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} https://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB (Hewlett-Packard Online Support Services)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} http://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab (Windows Live OneCare safety scanner control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0870FCDC-3EA9-42E0-8DFB-7213CC61B1C6}: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\application/x-mfe-ipt {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKCU\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/04/24 19:01:45 | 000,594,944 | ---- | C] (OldTimer Tools) -- C:\Users\Dylan\Desktop\OTL.exe
[2012/04/24 18:55:14 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Users\Dylan\Desktop\aswMBR.exe
[2012/04/24 17:36:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
[2012/04/23 19:15:30 | 000,000,000 | ---D | C] -- C:\Users\Dylan\Documents\logs 4-23-12
[2012/04/23 19:13:26 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\Dylan\Desktop\dds.scr

========== Files - Modified Within 30 Days ==========

[2012/04/24 19:01:48 | 000,594,944 | ---- | M] (OldTimer Tools) -- C:\Users\Dylan\Desktop\OTL.exe
[2012/04/24 18:55:15 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Users\Dylan\Desktop\aswMBR.exe
[2012/04/24 18:54:00 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/04/24 18:54:00 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/04/24 18:51:35 | 000,000,418 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{372F8A37-FF6D-4AC8-A1AC-63D7BC93AAE8}.job
[2012/04/24 18:00:00 | 000,000,444 | ---- | M] () -- C:\Windows\tasks\ParetoLogic Registration3.job
[2012/04/24 17:41:37 | 000,604,264 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/04/24 17:41:37 | 000,103,964 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/04/24 17:36:49 | 000,001,737 | ---- | M] () -- C:\Users\Public\Desktop\McAfee Total Protection.lnk
[2012/04/24 17:36:48 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\FileCure Startup.job
[2012/04/24 17:36:44 | 000,003,648 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/04/24 17:36:44 | 000,003,648 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/04/24 17:36:33 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/04/24 17:36:30 | 2136,133,632 | -HS- | M] () -- C:\hiberfil.sys
[2012/04/23 19:18:06 | 000,302,592 | ---- | M] () -- C:\Users\Dylan\Desktop\4v9n7v84.exe
[2012/04/23 19:13:28 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\Dylan\Desktop\dds.scr
[2012/04/14 04:21:00 | 000,000,418 | ---- | M] () -- C:\Windows\tasks\ParetoLogic Update Version3.job
[2012/04/13 03:07:00 | 000,000,364 | ---- | M] () -- C:\Windows\tasks\FileCure Default.job
[2012/04/04 15:56:40 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys

========== Files Created - No Company Name ==========

[2012/04/23 19:18:04 | 000,302,592 | ---- | C] () -- C:\Users\Dylan\Desktop\4v9n7v84.exe
[2012/03/03 18:25:40 | 000,057,344 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2011/08/03 03:11:38 | 000,106,605 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2011/08/03 03:11:38 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2011/07/06 19:36:41 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2011/07/05 11:12:36 | 000,012,850 | -HS- | C] () -- C:\Users\Dylan\AppData\Local\5wv4o76r1v7dw5ii66obfb30q3582e1qk78vhjp48c
[2011/07/05 11:12:36 | 000,012,850 | -HS- | C] () -- C:\ProgramData\5wv4o76r1v7dw5ii66obfb30q3582e1qk78vhjp48c
[2011/05/01 19:33:44 | 000,003,584 | ---- | C] () -- C:\Users\Dylan\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/11/20 14:29:18 | 000,000,056 | -H-- | C] () -- C:\Windows\System32\ezsidmv.dat

< End of report >


OTL Extras logfile created on: 4/24/2012 7:02:55 PM - Run 1
OTL by OldTimer - Version 3.2.41.0 Folder = C:\Users\Dylan\Desktop
Windows Vista Home Basic Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.25 Gb Available Physical Memory | 62.79% Memory free
4.21 Gb Paging File | 3.07 Gb Available in Paging File | 72.92% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 222.78 Gb Total Space | 110.59 Gb Free Space | 49.64% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 6.20 Gb Free Space | 61.97% Space Free | Partition Type: NTFS

Computer Name: DYLAN-PC | User Name: Dylan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = ChromeHTML] -- C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
http [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
https [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- C:\Program Files\ParetoLogic\FileCure\FileCure_noapp.exe %1 (ParetoLogic)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{AB53BB10-C22B-4932-8A76-ABA73858F2BC}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{AD321939-DB7F-45E0-97E0-D1B3A76BE9B8}" = lport=2869 | protocol=6 | dir=in | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{01B0E52F-9072-4272-9EAE-E2F14A8125B2}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{05A277B6-37E4-4622-8322-E3F47CA18F36}" = dir=in | app=c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe |
"{0B108A0F-CF9A-4BC0-BD1B-F8159C903FCE}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office14\onenote.exe |
"{1357AE72-89EB-4E72-8C2E-2F35176C39FF}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{19BF517B-3FA1-4D02-B358-A9E77F64AAC8}" = protocol=6 | dir=in | app=c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe |
"{1D8CC3C1-C841-49DC-9BB6-3544939B36E1}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{217F4B0B-998D-4BF0-B235-0761670CD6EE}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{3FA8B981-2399-4BA8-8686-727173519F92}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{63448AF0-F9B3-42EA-B33E-1699AE02CA2F}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office14\onenote.exe |
"{8760968C-6C19-4596-A26A-F34470642EEC}" = dir=in | app=c:\program files\skype\plugin manager\skypepm.exe |
"{AB552A69-994B-447A-932C-C09B8774598C}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{B1587ABC-99DF-4424-B19B-3D5881442C5C}" = protocol=17 | dir=in | app=c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe |
"{CD2A3C55-C945-4724-A6C2-50F146FB2724}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{E57C6B26-234A-4B30-8700-7299A89C66EA}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{F19FC46C-E41D-4B8D-8FF2-2CFC2E21EF58}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"TCP Query User{0E14EEB7-8769-4517-AC21-45271A5A8697}C:\users\dylan\appdata\roaming\imvuclient\1vivoxvoice.exe" = protocol=6 | dir=in | app=c:\users\dylan\appdata\roaming\imvuclient\1vivoxvoice.exe |
"UDP Query User{D4EF6811-15A3-437A-A6A7-D6AFFB9FE9F2}C:\users\dylan\appdata\roaming\imvuclient\1vivoxvoice.exe" = protocol=17 | dir=in | app=c:\users\dylan\appdata\roaming\imvuclient\1vivoxvoice.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{0CB9668D-F979-4F31-B8B8-67FE90F929F8}" = Bonjour
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{205140F6-F3AC-45CE-9627-9CF35C6E1C2E}" = Mall Tycoon 3
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java™ 6 Update 18
"{27C467F8-F8EF-4f68-BD72-D63632B2096C}" = McAfee Online Backup
"{2E295B5B-1AD4-4d36-97C2-A316084722CF}" = Python 2.7.2
"{2FA94A64-C84E-49d1-97DD-7BF06C7BBFB2}.WildTangent Games App" = Update Installer for WildTangent Games App
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{326957C7-83FD-4550-A59A-849B7B4297DE}" = Microsoft Easy Assist v2
"{377C9E1B-28E9-40C3-836C-85F8E839D4E6}" = John Deere Drive Green
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{582876EC-A178-44D4-9823-C10D6C62EAFF}" = AGEIA PhysX v2.6.0
"{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{70B446D1-E03B-4ab0-9B3C-0832142C9AA8}.WildTangent Games App-wildgames" = WildTangent Games App
"{7C105657-8AB6-4B3A-94C5-449F5EA13344}" = UCreate Games and Artimation
"{7E482AF6-AA1F-4CC5-BA13-0536675F5744}" = ASPCA TriMini Reminder by We-Care.com v5.0.2.1
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{889DF117-14D1-44EE-9F31-C5FB5D47F68B}" = Yontoo Layers Runtime 1.10.01
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
"{90140000-0015-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
"{90140000-0016-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
"{90140000-0018-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
"{90140000-0019-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
"{90140000-001A-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
"{90140000-001B-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}_Office14.SingleImage_{99ACCA38-6DD3-48A8-96AE-A283C9759279}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-040C-0000-0000000FF1CE}_Office14.SingleImage_{46298F6A-1E7E-4D4A-B5F5-106A4F0E48C6}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
"{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.SingleImage_{DEA87BE2-FFCC-4F33-9946-FCBE55A1E998}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
"{90140000-002C-0409-0000-0000000FF1CE}_Office14.SingleImage_{7CA93DF4-8902-449E-A42E-4C5923CFBDE3}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-003D-0000-0000-0000000FF1CE}" = Microsoft Office Single Image 2010
"{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{047B0968-E622-4FAA-9B4B-121FA109EDDE}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
"{90140000-006E-0409-0000-0000000FF1CE}_Office14.SingleImage_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
"{90140000-00A1-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
"{90140000-0115-0409-0000-0000000FF1CE}_Office14.SingleImage_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010
"{90140000-0117-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9CC4840D-EF1C-406F-AF08-3C19EB1335B9}" = Zoo Tycoon 2 - Ultimate Collection
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A922D91B-9F22-4FAD-9F59-84B72C133C53}" = Special Savings
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3
"{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger
"{C1C441C4-57FA-4950-BDBA-BABFBAA2AA39}" = ParetoLogic FileCure
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CFF4500E-C5D6-695D-A027-B3D4DDED2CC3}" = McAfee Online Backup
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F439D7AF-03F3-4F8E-AEC4-571BFE977C61}" = iTunes
"{FE0646A7-19D0-41B4-A2BB-2C35D644270D}" = Windows Live OneCare safety scanner
"7-Zip" = 7-Zip 9.20
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"doubleTwist" = doubleTwist
"Driver Performer_is1" = Driver Performer
"ffdshow_is1" = ffdshow [rev 2527] [2008-12-19]
"Google Chrome" = Google Chrome
"HDMI" = Intel® Graphics Media Accelerator Driver
"InstallShield_{9CC4840D-EF1C-406F-AF08-3C19EB1335B9}" = Zoo Tycoon 2 - Ultimate Collection
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400
"McAfee Security Scan" = McAfee Security Scan Plus
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mini Ninjas" = Mini Ninjas 1.0
"MQOnline" = MagiQuest Online (remove only)
"MSC" = McAfee Total Protection
"NetDevil_LEGO_Universe_is1" = LEGO Universe
"Office14.SingleImage" = Microsoft Office Home and Student 2010
"OggDS" = Direct Show Ogg Vorbis Filter (remove only)
"OpenAL" = OpenAL
"PC Speed Maximizer_is1" = PC Speed Maximizer v3.0
"Plants vs. Zombies" = Plants vs. Zombies
"PriceGong" = PriceGong 2.5.3
"Sonic 3D Blast_is1" = Sonic 3D Blast
"StartNow Toolbar" = StartNow Toolbar
"Surf Canyon" = Fast Search
"The Weather Channel Desktop 6" = The Weather Channel Desktop 6
"UK Truck Simulator" = UK Truck Simulator 1.06
"WildTangent wildgames Master Uninstall" = WildTangent Games
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"WinLiveSuite_Wave3" = Windows Live Essentials
"WT088986" = Real Detectives - Murder in Miami
"WT089137" = World Cup Cricket 20-20
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Software Update" = Yahoo! Software Update

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{79A765E1-C399-405B-85AF-466F52E918B0}" = Ask Toolbar Updater
"FoxTab Media Player" = FoxTab Media Player
"IMVU Avatar chat client software BETA" = IMVU Avatar Chat Software
"UnityWebPlayer" = Unity Web Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/14/2011 7:19:45 PM | Computer Name = Dylan-PC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6001.18639, time stamp
0x4db02c95, faulting module bho_project.dll, version 1.0.0.1, time stamp 0x4e1cb3a7,
exception code 0xc0000005, fault offset 0x0000763c, process id 0xe2c, application
start time 0x01ccbab699ce0df0.

Error - 12/14/2011 7:19:49 PM | Computer Name = Dylan-PC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6001.18639, time stamp
0x4db02c95, faulting module msxml6.dll, version 6.20.4001.0, time stamp 0x4a7ffde1,
exception code 0xc0000005, fault offset 0x000029cb, process id 0xe2c, application
start time 0x01ccbab699ce0df0.

Error - 12/14/2011 8:05:54 PM | Computer Name = Dylan-PC | Source = Application Error | ID = 1000
Description = Faulting application VisualBoyAdvance.exe, version 1.8.0.603, time
stamp 0x433ed0ae, faulting module VisualBoyAdvance.exe, version 1.8.0.603, time
stamp 0x433ed0ae, exception code 0xc0000005, fault offset 0x000235f5, process id
0x13b0, application start time 0x01ccbabd376818c0.

Error - 12/14/2011 8:06:59 PM | Computer Name = Dylan-PC | Source = Application Error | ID = 1000
Description = Faulting application VisualBoyAdvance.exe, version 1.8.0.603, time
stamp 0x433ed0ae, faulting module VisualBoyAdvance.exe, version 1.8.0.603, time
stamp 0x433ed0ae, exception code 0xc0000005, fault offset 0x000235f5, process id
0x10d4, application start time 0x01ccbabd5f751660.

Error - 12/15/2011 2:00:08 AM | Computer Name = Dylan-PC | Source = Microsoft-Windows-CAPI2 | ID = 131585
Description =

Error - 12/15/2011 2:00:09 AM | Computer Name = Dylan-PC | Source = Microsoft-Windows-CAPI2 | ID = 131585
Description =

Error - 12/16/2011 2:00:05 AM | Computer Name = Dylan-PC | Source = Microsoft-Windows-CAPI2 | ID = 131585
Description =

Error - 12/16/2011 2:00:05 AM | Computer Name = Dylan-PC | Source = Microsoft-Windows-CAPI2 | ID = 131585
Description =

Error - 12/16/2011 5:00:16 AM | Computer Name = Dylan-PC | Source = Microsoft-Windows-CAPI2 | ID = 131585
Description =

Error - 12/16/2011 5:00:17 AM | Computer Name = Dylan-PC | Source = Microsoft-Windows-CAPI2 | ID = 131585
Description =

[ System Events ]
Error - 4/13/2012 1:06:07 AM | Computer Name = Dylan-PC | Source = disk | ID = 262151
Description = The device, \Device\Harddisk0\DR0, has a bad block.

Error - 4/13/2012 1:06:11 AM | Computer Name = Dylan-PC | Source = disk | ID = 262151
Description = The device, \Device\Harddisk0\DR0, has a bad block.

Error - 4/14/2012 1:05:58 AM | Computer Name = Dylan-PC | Source = disk | ID = 262151
Description = The device, \Device\Harddisk0\DR0, has a bad block.

Error - 4/14/2012 1:06:02 AM | Computer Name = Dylan-PC | Source = disk | ID = 262151
Description = The device, \Device\Harddisk0\DR0, has a bad block.

Error - 4/14/2012 9:01:11 PM | Computer Name = Dylan-PC | Source = DCOM | ID = 10010
Description =

Error - 4/23/2012 6:53:11 PM | Computer Name = Dylan-PC | Source = EventLog | ID = 6008
Description = The previous system shutdown at 8:57:26 PM on 4/14/2012 was unexpected.

Error - 4/23/2012 6:53:14 PM | Computer Name = Dylan-PC | Source = HTTP | ID = 15016
Description =

Error - 4/23/2012 7:39:24 PM | Computer Name = Dylan-PC | Source = disk | ID = 262151
Description = The device, \Device\Harddisk0\DR0, has a bad block.

Error - 4/23/2012 7:39:28 PM | Computer Name = Dylan-PC | Source = disk | ID = 262151
Description = The device, \Device\Harddisk0\DR0, has a bad block.

Error - 4/24/2012 6:36:36 PM | Computer Name = Dylan-PC | Source = HTTP | ID = 15016
Description =


< End of report >

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:11:56 AM

Posted 24 April 2012 - 07:18 PM

Please run Combofix next, there are a number of malware files in the OTL log.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#5 dyjodapa

dyjodapa
  • Topic Starter

  • Members
  • 77 posts
  • OFFLINE
  • Local time:06:56 AM

Posted 24 April 2012 - 07:31 PM

m0le, the computer has McAfee installed on it, though it says it is deactivated. So my friend's subscription must have expired. The real-time scanning and firewall are still on. It has locked these options. So what do I do?

#6 dyjodapa

dyjodapa
  • Topic Starter

  • Members
  • 77 posts
  • OFFLINE
  • Local time:06:56 AM

Posted 24 April 2012 - 09:42 PM

ComboFix solved the problem. Ran a scan with MBAM. Computer is clean.

#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:11:56 AM

Posted 25 April 2012 - 04:42 PM

Would you like to post the Combofix log so I can see it?
m0le is a proud member of UNITE

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:11:56 AM

Posted 27 April 2012 - 07:21 PM

Is that a no? :P
m0le is a proud member of UNITE

#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:11:56 AM

Posted 28 April 2012 - 06:11 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
m0le is a proud member of UNITE
