Auto Populating Trojan


#1
kamieo
Member, 41 posts
Please HELP! :)
Here is my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:20:52 PM, on 5/22/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Documents and Settings\Owner\My Documents\My Received Files\My Torrents\winlogon.exe
C:\WINDOWS\system32\HWKeyPlus.exe
C:\WINDOWS\system32\HWTabTray.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Sync Managers\agent\syncagent.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Western Digital Technologies\WD Win98 SE USB Disk Driver, v1.00.09\WD_SRT.EXE
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\PROGRA~1\MICROS~3\wcescomm.exe
C:\Program Files\Starfield\Desktop Notifier\wben.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Hanvon_soft\hwshell.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\JWPEN.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Hikam\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.flickr.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [winlogon.exe] C:\Documents and Settings\Owner\My Documents\My Received Files\My Torrents\winlogon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe"
O4 - HKLM\..\Run: [Hanvon Key Pus] C:\WINDOWS\system32\HWKeyPlus.exe
O4 - HKLM\..\Run: [Hanvon Tablet Tray Service] C:\WINDOWS\system32\HWTabTray.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [Synchronization Agent] "C:\Program Files\Sync Managers\agent\syncagent.exe"
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [WD_SRT] "C:\Program Files\Western Digital Technologies\WD Win98 SE USB Disk Driver, v1.00.09\WD_SRT.EXE"
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld08.exe
O4 - HKLM\..\Run: [sysfbtray] c:\windows\freddy43.exe
O4 - HKLM\..\Run: [sysmstray] c:\windows\mstre19.exe
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\system32\regscan.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe"
O4 - HKCU\..\Run: [wben] "C:\Program Files\Starfield\Desktop Notifier\wben.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\Owner\Application Data\Macromedia\Common\1e6540261.dll""
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Owner] C:\Documents and Settings\Owner\Owner.exe /i
O4 - HKCU\..\Run: [] C:\Documents and Settings\Owner\.exe /i
O4 - HKUS\S-1-5-19\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\LocalService\Application Data\Macromedia\Common\1e6540261.dll"" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\1e6540261.dll"" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Hanvon Shell.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1173127531375
O16 - DPF: {EFD1E13D-1CB3-4545-B754-CA410FE7734F} (Photo Upload Plugin Class) - http://www.costcopho...veX_Control.cab?
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HWSuperPowerTablet - HanWang - C:\WINDOWS\system32\JWPEN.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee SystemGuards McSysmonClipSrv (McSysmonClipSrv) - Unknown owner - C:\WINDOWS\system32\adsldpy.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 12809 bytes

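The log above contains the patterns a helper scans for by eye before asking for more output: a Run entry named winlogon.exe whose target sits under My Torrents rather than system32, rundll32 loading a DLL out of Application Data in the HKCU, LOCAL SERVICE and NETWORK SERVICE hives, an HKCU ProxyServer of localhost:7171, three executables sitting directly in C:\windows, a Run entry with an empty name pointing at a file called .exe, and an O23 service with a McAfee display name backed by an "Unknown owner" binary in system32. As an added example, not part of the thread and not a Trend Micro, OldTimer or Geeks to Go tool, the Python script below encodes those checks and runs them over lines copied verbatim from the posted HijackThis log. The path and naming rules are assumptions about where XP-era malware typically lands, so a hit means "look at this file", not "this is malicious".

```python
"""Heuristic triage of HijackThis O4 / R1 / O23 lines.

Added example for this thread, not a Trend Micro, Geeks to Go or OldTimer
tool. It encodes the checks a helper applies by eye to a log like the one
above. The path and naming rules are assumptions about where XP-era
malware usually lands, so a hit means "inspect this file", not "malicious".
"""
import re
from typing import List, Tuple

# Windows binaries that have exactly one legitimate home, \WINDOWS\system32.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "ctfmon.exe"}
# Vendor names that malware borrows for a service display name.
IMPERSONATED_VENDORS = ("mcafee", "microsoft", "symantec", "norton")

RUN_RE = re.compile(r"^O4 - (?P<hive>HK\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (?P<proxy>\S+)")
SVC_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
PROFILE_RE = re.compile(r"\\Documents and Settings\\", re.I)
# An .exe sitting directly in the Windows root, e.g. C:\windows\ld08.exe
WINROOT_EXE_RE = re.compile(r'^"?[a-z]:\\windows\\[^\\"]+\.exe"?', re.I)
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"]+?\.(?:exe|dll|scr|com)\b", re.I)

# Constructed sample input: lines copied verbatim from the HijackThis log
# posted above. The first three are clean controls that must not be flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
O4 - HKLM\..\Run: [winlogon.exe] C:\Documents and Settings\Owner\My Documents\My Received Files\My Torrents\winlogon.exe
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld08.exe
O4 - HKCU\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\Owner\Application Data\Macromedia\Common\1e6540261.dll""
O4 - HKCU\..\Run: [] C:\Documents and Settings\Owner\.exe /i
O4 - HKUS\S-1-5-19\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\LocalService\Application Data\Macromedia\Common\1e6540261.dll"" (User 'LOCAL SERVICE')
O23 - Service: McAfee SystemGuards McSysmonClipSrv (McSysmonClipSrv) - Unknown owner - C:\WINDOWS\system32\adsldpy.exe
"""


def _target_basename(cmd: str) -> str:
    """Lower-case file name of the first absolute path in a Run command ('' if none)."""
    m = PATH_RE.search(cmd)
    return m.group(0).rsplit("\\", 1)[-1].lower() if m else ""


def audit_hjt(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for log lines that merit a closer look."""
    findings: List[Tuple[str, str]] = []

    def flag(reason: str, line: str) -> None:
        findings.append((reason, line))

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = RUN_RE.match(line)
        if m:
            hive, name, cmd = m.group("hive", "name", "cmd")
            base = _target_basename(cmd)
            low = cmd.lower()
            if base in SYSTEM_BINARIES and "\\system32\\" not in low:
                flag(f"system binary name '{base}' running from outside system32", line)
            if not name or base == ".exe":
                flag("Run entry with an empty name or a file with no stem", line)
            if PROFILE_RE.search(cmd):
                if low.startswith("rundll32") and ".dll" in low:
                    flag("rundll32 loading a DLL out of a user profile", line)
                else:
                    flag("Run target inside a user profile instead of Program Files", line)
            if WINROOT_EXE_RE.match(cmd):
                # OEM helpers also live in \WINDOWS, so this only says: check the file.
                flag("executable placed directly in the Windows root", line)
            if hive.startswith(("HKUS\\S-1-5-19", "HKUS\\S-1-5-20")):
                flag("Run key under a service-account hive (LocalService/NetworkService)", line)
            continue

        m = PROXY_RE.match(line)
        if m and re.search(r"localhost|127\.0\.0\.1", m.group("proxy"), re.I):
            flag("browser traffic routed through a local listener (possible interception proxy)", line)
            continue

        m = SVC_RE.match(line)
        if m and m.group("vendor") == "Unknown owner":
            display = m.group("display").lower()
            if any(v in display for v in IMPERSONATED_VENDORS):
                flag("service name borrows a vendor but the binary carries no company info", line)
    return findings


if __name__ == "__main__":
    for reason, line in audit_hjt(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```

Run against the full log it also catches freddy43.exe and mstre19.exe under the Windows-root rule and the NETWORK SERVICE copy of the same DLL, which is the set of entries a helper would ask about first. Note what the HijackThis log cannot tell you and the OTListIt2 output in post #3 can: the company name embedded in the file, which for the My Torrents copy of winlogon.exe reads ReFog Software rather than Microsoft. That difference is one reason helpers ask for both logs before giving fix instructions.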

#2
kahdah
GeekU Teacher, Retired Staff, 15,822 posts
Hello kamieo

Welcome to G2Go. :)
=====================
  • Download OTListIt2 to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTListIt2.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
===========
Download This file. Note its name and save it to your root folder, such as C:\.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.


#3
kamieo
Topic Starter, Member, 41 posts
OTListIt logfile created on: 6/2/2009 12:34:58 AM - Run 5
OTListIt2 by OldTimer - Version 2.0.3.2 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.87 Gb Total Physical Memory | 1.21 Gb Available Physical Memory | 64.45% Memory free
2.38 Gb Paging File | 1.78 Gb Available in Paging File | 74.84% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 72.24 Gb Total Space | 26.64 Gb Free Space | 36.88% Space Free | Partition Type: NTFS
Drive D: | 4.44 Gb Total Space | 2.59 Gb Free Space | 58.28% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 232.83 Gb Total Space | 169.76 Gb Free Space | 72.91% Space Free | Partition Type: FAT32

Computer Name: BILLBILLKAMKAM
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
PRC - C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe ()
PRC - C:\WINDOWS\system32\JWPEN.exe (HanWang)
PRC - C:\Program Files\McAfee\MBK\MBackMonitor.exe (McAfee)
PRC - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
PRC - c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
PRC - c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan\McShield.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\MPF\MPFSrv.exe (McAfee, Inc.)
PRC - C:\WINDOWS\system32\HPZipm12.exe (HP)
PRC - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (New Boundary Technologies, Inc.)
PRC - C:\WINDOWS\system32\ZuneBusEnum.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe (Pure Networks, Inc.)
PRC - c:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
PRC - C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)
PRC - C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe (Cyberlink Corp.)
PRC - C:\Program Files\Digital Media Reader\readericon45G.exe (Alcor Micro, Corp.)
PRC - C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)
PRC - C:\Program Files\HP\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Co.)
PRC - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe (Microsoft® Corporation)
PRC - C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Documents and Settings\Owner\My Documents\My Received Files\My Torrents\winlogon.exe (ReFog Software)
PRC - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
PRC - C:\WINDOWS\system32\HWKeyPlus.exe ()
PRC - C:\WINDOWS\system32\HWTabTray.exe ()
PRC - C:\WINDOWS\system32\WDBtnMgr.exe (Western Digital Technologies, Inc.)
PRC - C:\Program Files\Sync Managers\agent\syncagent.exe ()
PRC - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe (Pure Networks, Inc.)
PRC - C:\Program Files\Western Digital Technologies\WD Win98 SE USB Disk Driver, v1.00.09\WD_SRT.EXE (Western Digital Technologies, Inc.)
PRC - C:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
PRC - C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe (McAfee)
PRC - C:\Program Files\Microsoft ActiveSync\wcescomm.exe (Microsoft Corporation)
PRC - C:\Program Files\Starfield\Desktop Notifier\wben.exe (Starfield Technologies, Inc.)
PRC - C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
PRC - C:\Hanvon_soft\hwshell.exe ()
PRC - C:\Program Files\Microsoft ActiveSync\rapimgr.exe (Microsoft Corporation)
PRC - C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
PRC - C:\WINDOWS\system32\wbem\wmiprvse.exe (Microsoft Corporation)
PRC - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
PRC - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
PRC - C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
PRC - C:\Documents and Settings\Owner\Desktop\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (AdobeActiveFileMonitor5.0 [Auto | Running]) -- C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe ()
SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (Ati HotKey Poller [Auto | Running]) -- C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
SRV - (ATI Smart [Auto | Stopped]) -- C:\WINDOWS\system32\ati2sgag.exe ()
SRV - (CCALib8 [Auto | Running]) -- C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (gusvc [On_Demand | Stopped]) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (Google)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (HWSuperPowerTablet [Auto | Running]) -- C:\WINDOWS\system32\JWPEN.exe (HanWang)
SRV - (iPod Service [On_Demand | Running]) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (MBackMonitor [Auto | Running]) -- C:\Program Files\McAfee\MBK\MBackMonitor.exe (McAfee)
SRV - (mcmscsvc [Auto | Running]) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
SRV - (McNASvc [Auto | Running]) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
SRV - (McODS [On_Demand | Stopped]) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SRV - (McProxy [Auto | Running]) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
SRV - (McShield [Unknown | Running]) -- C:\Program Files\McAfee\VirusScan\McShield.exe (McAfee, Inc.)
SRV - (McSysmon [On_Demand | Running]) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
SRV - (McSysmonClipSrv [Auto | Stopped]) -- C:\WINDOWS\system32\adsldpy.exe ()
SRV - (MpfService [Auto | Running]) -- C:\Program Files\McAfee\MPF\MPFSrv.exe (McAfee, Inc.)
SRV - (nmraapache [On_Demand | Stopped]) -- C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe (Pure Networks, Inc.)
SRV - (nmservice [Auto | Running]) -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe (Pure Networks, Inc.)
SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (Pml Driver HPZ12 [Auto | Running]) -- C:\WINDOWS\system32\HPZipm12.exe (HP)
SRV - (PrismXL [Auto | Running]) -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (New Boundary Technologies, Inc.)
SRV - (Viewpoint Manager Service [Auto | Stopped]) -- File not found
SRV - (ZuneBusEnum [Auto | Running]) -- C:\WINDOWS\system32\ZuneBusEnum.exe (Microsoft Corporation)
SRV - (ZuneNetworkSvc [On_Demand | Stopped]) -- C:\Program Files\Zune\ZuneNss.exe (Microsoft Corporation)
SRV - (ZuneWlanCfgSvc [On_Demand | Stopped]) -- C:\WINDOWS\system32\ZuneWlanCfgSvc.exe (Microsoft Corporation)
SRV - (YahooAUService [Auto | Running]) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)

========== Driver Services (SafeList) ==========

DRV - (2WIREPCP [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\2WirePCP.sys (2Wire, Inc.)
DRV - (Afc [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\Afc.sys (Arcsoft, Inc.)
DRV - (AliIde [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (amd64si [Auto | Stopped]) -- C:\WINDOWS\system32\drivers\amd64si.sys ()
DRV - (amdagp [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)
DRV - (asc [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\asc.sys (Advanced System Products, Inc.)
DRV - (asc3550 [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys (Advanced System Products, Inc.)
DRV - (ASCTRM [Auto | Running]) -- C:\WINDOWS\System32\drivers\asctrm.sys (Windows ® 2000 DDK provider)
DRV - (ati2mtag [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ati2mtag.sys (ATI Technologies Inc.)
DRV - (CmdIde [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)
DRV - (dac2w2k [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Corporation)
DRV - (DCamUSBNW800 [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\pcam800.sys (Divio Inc.)
DRV - (el575nd5 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\el575nd5.sys (3Com Corporation)
DRV - (GEARAspiWDM [On_Demand | Running]) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (HDAudBus [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HDAudBus.sys (Windows ® Server 2003 DDK provider)
DRV - (HPZid412 [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HPZid412.sys (HP)
DRV - (HPZipr12 [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HPZipr12.sys (HP)
DRV - (HPZius12 [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HPZius12.sys (HP)
DRV - (HSFHWBS2 [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys (Conexant Systems, Inc.)
DRV - (HSF_DPV [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys (Conexant Systems, Inc.)
DRV - (hypen [Boot | Running]) -- C:\WINDOWS\System32\Drivers\hypen.sys ()
DRV - (IntcAzAudAddService [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (mdmxsdk [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys (Conexant)
DRV - (mfeavfk [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)
DRV - (mfebopk [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)
DRV - (mfehidk [System | Running]) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mferkdk [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\mferkdk.sys (McAfee, Inc.)
DRV - (mfesmfk [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\mfesmfk.sys (McAfee, Inc.)
DRV - (MPFP [System | Running]) -- C:\WINDOWS\System32\Drivers\Mpfp.sys (McAfee, Inc.)
DRV - (mraid35x [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys (American Megatrends Inc.)
DRV - (pnarp [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\pnarp.sys (Pure Networks, Inc.)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (purendis [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\purendis.sys (Pure Networks, Inc.)
DRV - (PxHelp20 [Boot | Running]) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)
DRV - (ql1080 [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys (QLogic Corporation)
DRV - (ql12160 [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys (QLogic Corporation)
DRV - (ql1280 [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys (QLogic Corporation)
DRV - (RTL8023xp [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys (Realtek Semiconductor Corporation )
DRV - (rtl8139 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\RTL8139.SYS (Realtek Semiconductor Corporation)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (sisagp [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)
DRV - (Sparrow [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec, Inc.)
DRV - (symc810 [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc.)
DRV - (symc8xx [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic)
DRV - (sym_hi [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic)
DRV - (sym_u3 [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic)
DRV - (ultra [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)
DRV - (usb_rndisx [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\usb8023x.sys (Microsoft Corporation)
DRV - (wanatw [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\wanatw4.sys (America Online, Inc.)
DRV - (winachsf [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (WinUSB [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\WinUSB.sys (Microsoft Corporation)
DRV - (WlanUIG [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\WlanUIG.sys ( )
DRV - (zumbus [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\zumbus.sys (Microsoft Corporation)

========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_Url = http://us.rd.yahoo.c...//www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.c...rch/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...q={searchTerms}
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>

FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.10
FF - presf.js..browser.search.defaulturl: "http://search.yahoo....ch?fr=ffsp1&p="
FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.selectedEngine: "Yahoo"
FF - HKLM\software\mozilla\mozilla firefox 3.0.10\extensions\\Components -> %ProgramFiles%\MOZILLA FIREFOX\COMPONENTS [C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS] -> [2009/05/15 19:06:54 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\mozilla firefox 3.0.10\extensions\\Plugins -> %ProgramFiles%\MOZILLA FIREFOX\PLUGINS [C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS] -> [2009/05/15 19:06:55 00,000,000 | ---D | M]
FF - C:\Documents and Settings\Owner\Application Data\mozilla\Extensions [2009/03/02 10:57:05 00,000,000 | ---D | M]
FF - C:\Documents and Settings\Owner\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384} [2009/03/02 10:57:05 00,000,000 | ---D | M]
FF - C:\Documents and Settings\Owner\Application Data\mozilla\Firefox\Profiles\wptn952c.default\extensions [2009/03/02 10:57:05 00,000,000 | ---D | M]
FF - C:\Documents and Settings\Owner\Application Data\mozilla\Firefox\Profiles\wptn952c.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1} [2009/06/01 23:24:45 00,000,000 | ---D | M]
FF - C:\Program Files\mozilla firefox\extensions [2009/03/02 10:56:14 00,000,000 | ---D | M]
FF - C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [2009/05/15 19:06:55 00,000,000 | ---D | M]

O1 HOSTS File: (727 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (SingleInstance Class) - {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {D40EB577-B16F-411B-81DC-AFEDF8B60A50} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\SHELL32.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe" (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [Hanvon Key Pus] C:\WINDOWS\system32\HWKeyPlus.exe ()
O4 - HKLM..\Run: [Hanvon Tablet Tray Service] C:\WINDOWS\system32\HWTabTray.exe ()
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Co.)
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (Apple Inc.)
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
O4 - HKLM..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe (McAfee)
O4 - HKLM..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe (McAfee)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey (McAfee, Inc.)
O4 - HKLM..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe (Microsoft® Corporation)
O4 - HKLM..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" (Pure Networks, Inc.)
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Computer, Inc.)
O4 - HKLM..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe (Alcor Micro, Corp.)
O4 - HKLM..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE ()
O4 - HKLM..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" (Cyberlink Corp.)
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Synchronization Agent] "C:\Program Files\Sync Managers\agent\syncagent.exe" ()
O4 - HKLM..\Run: [sysfbtray] c:\windows\freddy43.exe File not found
O4 - HKLM..\Run: [sysmstray] c:\windows\mstre19.exe File not found
O4 - HKLM..\Run: [WD Button Manager] WDBtnMgr.exe (Western Digital Technologies, Inc.)
O4 - HKLM..\Run: [WD_SRT] "C:\Program Files\Western Digital Technologies\WD Win98 SE USB Disk Driver, v1.00.09\WD_SRT.EXE" (Western Digital Technologies, Inc.)
O4 - HKLM..\Run: [winlogon.exe] C:\Documents and Settings\Owner\My Documents\My Received Files\My Torrents\winlogon.exe (ReFog Software)
O4 - HKLM..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" (Yahoo! Inc)
O4 - HKLM..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe" (Microsoft Corporation)
O4 - HKCU..\Run: [] C:\Documents and Settings\Owner\.exe /i File not found
O4 - HKCU..\Run: [Aim6] File not found
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKCU..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe" (Microsoft Corporation)
O4 - HKCU..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (Yahoo! Inc.)
O4 - HKCU..\Run: [Owner] C:\Documents and Settings\Owner\Owner.exe /i File not found
O4 - HKCU..\Run: [Power2GoExpress] NA File not found
O4 - HKCU..\Run: [Regscan] C:\WINDOWS\system32\regscan.exe File not found
O4 - HKCU..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\Owner\Application Data\Macromedia\Common\1e6540261.dll"" File not found
O4 - HKCU..\Run: [wben] "C:\Program Files\Starfield\Desktop Notifier\wben.exe" (Starfield Technologies, Inc.)
O4 - HKCU..\RunOnce: [ypagerps] cmd.exe /C del "C:\Program Files\Yahoo!\Messenger\ypagerps.dll" (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk = C:\Program Files\BigFix\bigfix.exe (BigFix Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Hanvon Shell.lnk = C:\Hanvon_soft\hwshell.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe (ArcSoft, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disableregistrytools = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [Tcpip] - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [NTDS] - C:\WINDOWS\System32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [Network Location Awareness (NLA) Namespace] - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000028 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000029 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {0cca191d-13a6-4e29-b746-314dee697d83} http://upload.facebo...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {48dd0448-9209-4f81-9f6d-d83562940134} http://lads.myspace....ploader1006.cab (MySpace Uploader Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1173127531375 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_11)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {EFD1E13D-1CB3-4545-B754-CA410FE7734F} http://www.costcopho...veX_Control.cab? (Photo Upload Plugin Class)
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp Reg Error: Value error. - Reg Error: Key error. File not found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp Reg Error: Value error. - Reg Error: Key error. File not found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\pure-go {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\Platform\puresp3.dll (Pure Networks, Inc.)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter: - application/octet-stream - C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter: - application/x-complus - C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter: - application/x-msdownload - C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter: - Class Install Handler - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter: - deflate - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter: - gzip - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter: - lzdhtml - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/webviewhtml - C:\WINDOWS\system32\SHELL32.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\system32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\system32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\system32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\system32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\system32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\system32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\system32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\system32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\system32\WlNotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\system32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\system32\WgaLogon.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\system32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\SHELL32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\SHELL32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O27 - HKLM IFEO\Your Image File Name Here without a path: Debugger - C:\WINDOWS\System32\ntsd.exe (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\system32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - ( schannel.dll) - C:\WINDOWS\system32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - ( digest.dll) - C:\WINDOWS\system32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - ( msnsspc.dll) - C:\WINDOWS\system32\msnsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - ( digiwet.dll) - File not found
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - Autorun File - C:\AUTOEXEC.BAT () - [ NTFS ]
O32 - Autorun File - D:\Autorun.inf () - [ FAT32 ]
O32 - Autorun File - D:\autorun.inf () - [ FAT32 ]
O32 - Autorun File - J:\autorun [2008/07/22 14:51:26 00,000,000 | ---D | M] - [ FAT32 ]
O32 - Autorun File - J:\autorun.inf () - [ FAT32 ]
O33 - MountPoints2\D\Shell - "" = AutoRun
O33 - MountPoints2\D\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\J\Shell\AutoRun\command - "" = wdsync.exe

========== Files/Folders - Created Within 30 Days ==========

[2009/06/01 23:25:07 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Yahoo
[2009/06/01 23:24:51 | 00,262,144 | ---- | C] () -- C:\ntuser.dat
[2009/06/01 23:23:45 | 00,000,812 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Yahoo! Messenger.lnk
[2009/05/24 15:20:15 | 00,095,936 | ---- | C] () -- C:\WINDOWS\System32\drivers\37acc36.sys
[2009/05/21 22:18:29 | 00,000,002 | -H-- | C] () -- C:\WINDOWS\t55ft2739f44.dat
[2009/05/21 22:18:27 | 00,000,002 | -H-- | C] () -- C:\WINDOWS\t55ft2712f44.dat
[2009/05/21 21:22:51 | 00,001,828 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Lightroom.lnk
[2009/05/21 21:21:04 | 00,000,000 | ---D | C] -- C:\Lightroom
[2009/05/21 21:19:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\WinZip
[2009/05/21 21:18:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2009/05/21 21:18:12 | 00,000,000 | ---D | C] -- C:\Program Files\WinZip
[2009/05/21 21:13:09 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\WinZipSE
[2009/05/21 21:12:48 | 02,897,280 | ---- | C] () -- C:\wzipse40.exe
[2009/05/21 21:05:42 | 13,718,856 | ---- | C] () -- C:\winzip121.exe
[2009/05/21 20:56:01 | 50,467,614 | ---- | C] () -- C:\[mfhs]Lightroom.zipx
[2009/05/21 09:33:01 | 00,000,001 | ---- | C] () -- C:\WINDOWS\9g2234wesdf3dfgjf23
[2009/05/21 09:33:00 | 00,000,002 | -H-- | C] () -- C:\WINDOWS\t55ft2730f44.dat
[2009/05/20 16:31:33 | 16,859,2911 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Adobe Photoshop 7.0_for PC_with serial.zip
[2009/05/19 17:55:37 | 00,025,600 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\tommys payment agreement.doc
[2009/05/17 23:05:30 | 00,000,000 | -H-- | C] () -- C:\WINDOWS\f5087.dat
[2009/05/17 18:18:59 | 00,001,157 | -H-- | C] () -- C:\WINDOWS\ms49f4d98.dat
[2009/05/17 14:28:01 | 00,000,002 | -H-- | C] () -- C:\WINDOWS\t55ft3192f44.dat
[2009/05/17 14:28:01 | 00,000,001 | -H-- | C] () -- C:\WINDOWS\msmark2.dat
[2009/05/17 14:27:59 | 00,000,001 | -H-- | C] () -- C:\WINDOWS\f23567.dat
[2009/05/17 14:27:58 | 00,000,002 | -H-- | C] () -- C:\WINDOWS\t55ft3165f44.dat
[2009/05/17 12:27:56 | 00,000,002 | -H-- | C] () -- C:\WINDOWS\t55ft3189f44.dat
[2009/05/14 14:09:44 | 00,000,002 | -H-- | C] () -- C:\WINDOWS\t55ft2695f44.dat
[2009/05/14 14:09:39 | 00,000,002 | -H-- | C] () -- C:\WINDOWS\t55ft2668f44.dat
[2009/05/14 11:47:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes
[2009/05/14 11:45:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\st_1242345189.exe
[2009/05/14 11:45:22 | 00,000,000 | ---- | C] () -- C:\WINDOWS\st_1242326761.exe
[2009/05/14 11:35:24 | 00,000,002 | -H-- | C] () -- C:\WINDOWS\t55ft2692f44.dat
[2009/05/14 11:34:54 | 00,000,145 | --S- | C] () -- C:\WINDOWS\System32\2149968076.dat
[2009/05/14 11:34:46 | 00,048,640 | RHS- | C] () -- C:\WINDOWS\System32\adsldpy.exe
[2009/05/11 22:27:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Canon
[2009/05/11 22:25:20 | 00,000,762 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Picture Style Editor.lnk
[2009/05/11 22:23:49 | 00,000,797 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Digital Photo Professional.lnk
[2009/05/11 21:55:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\CANON_INC

========== Files - Modified Within 30 Days ==========

[3 C:\WINDOWS\System32\*.tmp files]
[1 C:\WINDOWS\*.tmp files]
[2009/06/02 00:36:25 | 00,095,936 | ---- | M] () -- C:\WINDOWS\System32\drivers\37acc36.sys
[2009/06/01 23:24:51 | 00,262,144 | ---- | M] () -- C:\ntuser.dat
[2009/06/01 23:23:45 | 00,000,812 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Yahoo! Messenger.lnk
[2009/06/01 23:03:55 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/06/01 23:03:51 | 00,000,670 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/06/01 23:03:40 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\msxver64.sqr
[2009/06/01 23:03:30 | 00,020,457 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2009/06/01 23:02:49 | 00,000,080 | ---- | M] () -- C:\WINDOWS\System32\HWTablet.bin
[2009/06/01 23:02:39 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/06/01 23:02:36 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/06/01 23:02:33 | 20,107,87840 | -HS- | M] () -- C:\hiberfil.sys
[2009/06/01 01:00:24 | 00,000,332 | ---- | M] () -- C:\WINDOWS\tasks\McQcTask.job
[2009/05/31 08:50:03 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/05/29 01:04:16 | 00,041,984 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/05/26 21:01:50 | 00,000,145 | --S- | M] () -- C:\WINDOWS\System32\2149968076.dat
[2009/05/23 19:12:20 | 00,481,674 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/05/23 19:12:20 | 00,409,562 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/05/23 19:12:20 | 00,064,576 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/05/21 22:18:29 | 00,000,002 | -H-- | M] () -- C:\WINDOWS\t55ft2739f44.dat
[2009/05/21 22:18:27 | 00,000,002 | -H-- | M] () -- C:\WINDOWS\t55ft2712f44.dat
[2009/05/21 21:22:51 | 00,001,828 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Lightroom.lnk
[2009/05/21 21:17:31 | 13,718,856 | ---- | M] () -- C:\winzip121.exe
[2009/05/21 21:12:53 | 02,897,280 | ---- | M] () -- C:\wzipse40.exe
[2009/05/21 20:56:05 | 50,467,614 | ---- | M] () -- C:\[mfhs]Lightroom.zipx
[2009/05/21 09:33:01 | 00,000,001 | ---- | M] () -- C:\WINDOWS\9g2234wesdf3dfgjf23
[2009/05/21 09:33:00 | 00,000,002 | -H-- | M] () -- C:\WINDOWS\t55ft2730f44.dat
[2009/05/19 17:57:43 | 00,025,600 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\tommys payment agreement.doc
[2009/05/17 23:05:30 | 00,000,000 | -H-- | M] () -- C:\WINDOWS\f5087.dat
[2009/05/17 18:18:59 | 00,001,157 | -H-- | M] () -- C:\WINDOWS\ms49f4d98.dat
[2009/05/17 14:28:01 | 00,000,002 | -H-- | M] () -- C:\WINDOWS\t55ft3192f44.dat
[2009/05/17 14:28:01 | 00,000,001 | -H-- | M] () -- C:\WINDOWS\msmark2.dat
[2009/05/17 14:27:59 | 00,000,001 | -H-- | M] () -- C:\WINDOWS\f23567.dat
[2009/05/17 14:27:58 | 00,000,002 | -H-- | M] () -- C:\WINDOWS\t55ft3165f44.dat
[2009/05/17 12:27:56 | 00,000,002 | -H-- | M] () -- C:\WINDOWS\t55ft3189f44.dat
[2009/05/15 02:12:43 | 00,000,340 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job
[2009/05/14 14:09:44 | 00,000,002 | -H-- | M] () -- C:\WINDOWS\t55ft2695f44.dat
[2009/05/14 14:09:39 | 00,000,002 | -H-- | M] () -- C:\WINDOWS\t55ft2668f44.dat
[2009/05/14 11:45:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\st_1242345189.exe
[2009/05/14 11:45:22 | 00,000,000 | ---- | M] () -- C:\WINDOWS\st_1242326761.exe
[2009/05/14 11:35:24 | 00,000,002 | -H-- | M] () -- C:\WINDOWS\t55ft2692f44.dat
[2009/05/14 11:34:46 | 00,048,640 | RHS- | M] () -- C:\WINDOWS\System32\adsldpy.exe
[2009/05/11 22:25:20 | 00,000,762 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Picture Style Editor.lnk
[2009/05/11 22:23:49 | 00,000,797 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Digital Photo Professional.lnk
[2009/05/11 21:31:43 | 00,000,732 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\EOS Utility.lnk
[2009/05/07 18:02:05 | 00,153,088 | -HS- | M] () -- C:\Documents and Settings\Owner\My Documents\Thumbs.db
[2009/05/07 00:16:30 | 24,699,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe

========== LOP Check ==========

[2009/05/21 21:18:18 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data
[2008/10/07 00:57:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2008/02/06 01:08:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AOL
[2007/02/10 16:50:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AOL Downloads
[2007/02/10 16:52:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AOL OCP
[2007/02/06 12:41:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2007/03/12 20:36:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
[2008/07/15 20:36:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonCP
[2007/02/07 16:14:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CyberLink
[2007/07/19 21:44:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\espionServerData
[2009/05/22 15:35:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Google
[2007/02/05 17:36:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HP
[2007/08/20 00:08:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InstallShield
[2007/02/25 06:41:50 | 00,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\KSP
[2008/12/01 22:55:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Macromedia
[2009/03/02 13:37:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/03/01 16:12:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2008/06/25 18:45:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\McAfee.com
[2007/02/25 06:50:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
[2008/11/19 14:29:40 | 00,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2008/06/25 17:02:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster
[2006/06/30 19:56:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Prism Deploy
[2008/06/10 19:35:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pure Networks
[2006/09/04 09:23:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\QuickTime
[2007/02/05 17:35:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sonic
[2007/02/05 16:02:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Support.com
[2007/07/12 00:09:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2007/06/26 23:02:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Trymedia
[2009/03/02 11:19:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2007/04/01 16:04:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WildTangent
[2007/04/06 19:53:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2009/05/21 21:18:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2009/05/21 21:13:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZipSE
[2009/06/01 23:24:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\yahoo!
[2009/06/01 23:24:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
[2009/01/25 18:35:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ZoomBrowser
[2009/05/14 11:47:14 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Owner\Application Data
[2008/02/06 01:09:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\acccore
[2008/10/07 00:57:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Adobe
[2007/05/09 08:07:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\AdobeUM
[2008/12/23 23:05:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Amazon
[2007/04/07 14:33:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Apple Computer
[2007/10/19 22:20:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\ArcSoft
[2009/05/11 22:27:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Canon
[2007/08/20 00:12:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Corel Photo Album
[2007/02/07 16:15:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\CyberLink
[2008/08/09 17:15:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\ExpressDigital
[2008/07/14 19:24:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\FlashPaletteMini01LacyEditor.0136E7245F74AA29461E58116BEEEA51A91869C7.1
[2007/03/11 19:02:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\funkitron
[2007/02/05 20:18:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Google
[2007/07/18 20:56:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Help
[2007/02/28 20:38:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\HP
[2006/05/06 17:42:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Identities
[2008/12/01 23:08:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Macromedia
[2009/05/14 11:47:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes
[2009/03/01 16:13:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\McAfee
[2007/02/25 06:50:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\McAfee.com Personal Firewall
[2008/12/20 19:04:00 | 00,000,000 | --SD | M] -- C:\Documents and Settings\Owner\Application Data\Microsoft
[2009/03/02 10:57:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla
[2007/03/11 18:18:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\MSNInstaller
[2007/07/27 21:20:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\MySpace
[2007/06/26 21:06:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Opera
[2008/02/26 22:31:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Roxio
[2006/09/04 09:31:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\SampleView
[2007/02/11 00:34:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Sun
[2007/02/05 16:51:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\WildTangent
[2008/06/27 15:40:22 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Owner\Application Data\yahoo!
[2006/09/04 09:23:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\You've Got Pictures Screensaver
[2009/01/25 18:36:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\ZoomBrowser EX
[2009/05/31 08:50:03 | 00,000,284 | ---- | M] () -- C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
[2004/08/04 12:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/05/15 02:12:43 | 00,000,340 | ---- | M] () -- C:\WINDOWS\Tasks\McDefragTask.job
[2009/06/01 01:00:24 | 00,000,332 | ---- | M] () -- C:\WINDOWS\Tasks\McQcTask.job
[2009/06/01 23:02:39 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========


========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Owner\My Documents\My Received Files\My Torrents\winlogon.exe:SummaryInformation
@Alternate Data Stream - 304 bytes -> C:\Documents and Settings\Owner\My Documents\1.jpg:SummaryInformation
@Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0A8E2C33
@Alternate Data Stream - 0 bytes -> C:\Documents and Settings\Owner\My Documents\Thumbs.db:encryptable
@Alternate Data Stream - 0 bytes -> C:\Documents and Settings\Owner\My Documents\My Received Files\My Torrents\winlogon.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
@Alternate Data Stream - 0 bytes -> C:\Documents and Settings\Owner\My Documents\1.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
< End of report >

#4
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
I see evidence of using cracked or patched software; this means keygens, cracks, etc. This is usually geared toward getting expensive software for free.
This will, 9 times out of 10, infect your system, as it has in this case.
Please discontinue the use of these types of programs, or we will discontinue helping you if you keep coming back here with evidence of these types of software.
===============================
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    O4 - HKLM..\Run: [sysfbtray] c:\windows\freddy43.exe File not found
    O4 - HKLM..\Run: [sysmstray] c:\windows\mstre19.exe File not found
    O4 - HKLM..\Run: [winlogon.exe] C:\Documents and Settings\Owner\My Documents\My Received Files\My Torrents\winlogon.exe (ReFog Software)
    O4 - HKCU..\Run: [] C:\Documents and Settings\Owner\.exe /i File not found
    O4 - HKCU..\Run: [rundll32.exe] "C:\Documents and Settings\Owner\Application Data\Macromedia\Common\1e6540261.dll"" File not found
    O32 - Autorun File - D:\Autorun.inf () - [ FAT32 ]
    O32 - Autorun File - D:\autorun.inf () - [ FAT32 ]
    O32 - Autorun File - J:\autorun [2008/07/22 14:51:26 00,000,000 | ---D | M] - [ FAT32 ]
    O32 - Autorun File - J:\autorun.inf () - [ FAT32 ]
    [2009/05/21 22:18:29 | 00,000,002 | -H-- | C] () -- C:\WINDOWS\t55ft2739f44.dat
    [2009/05/21 22:18:27 | 00,000,002 | -H-- | C] () -- C:\WINDOWS\t55ft2712f44.dat
    [2009/05/21 09:33:01 | 00,000,001 | ---- | C] () -- C:\WINDOWS\9g2234wesdf3dfgjf23
    [2009/05/21 09:33:00 | 00,000,002 | -H-- | C] () -- C:\WINDOWS\t55ft2730f44.dat
    [2009/05/20 16:31:33 | 16,859,2911 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Adobe Photoshop 7.0_for PC_with serial.zip
    [2009/05/17 23:05:30 | 00,000,000 | -H-- | C] () -- C:\WINDOWS\f5087.dat
    [2009/05/17 18:18:59 | 00,001,157 | -H-- | C] () -- C:\WINDOWS\ms49f4d98.dat
    [2009/05/17 14:28:01 | 00,000,002 | -H-- | C] () -- C:\WINDOWS\t55ft3192f44.dat
    [2009/05/17 14:28:01 | 00,000,001 | -H-- | C] () -- C:\WINDOWS\msmark2.dat
    [2009/05/17 14:27:59 | 00,000,001 | -H-- | C] () -- C:\WINDOWS\f23567.dat
    [2009/05/17 14:27:58 | 00,000,002 | -H-- | C] () -- C:\WINDOWS\t55ft3165f44.dat
    [2009/05/17 12:27:56 | 00,000,002 | -H-- | C] () -- C:\WINDOWS\t55ft3189f44.dat
    [2009/05/14 14:09:44 | 00,000,002 | -H-- | C] () -- C:\WINDOWS\t55ft2695f44.dat
    [2009/05/14 14:09:39 | 00,000,002 | -H-- | C] () -- C:\WINDOWS\t55ft2668f44.dat
    [2009/05/14 11:45:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\st_1242345189.exe
    [2009/05/14 11:45:22 | 00,000,000 | ---- | C] () -- C:\WINDOWS\st_1242326761.exe
    [2009/05/14 11:35:24 | 00,000,002 | -H-- | C] () -- C:\WINDOWS\t55ft2692f44.dat
    [2009/05/14 11:34:54 | 00,000,145 | --S- | C] () -- C:\WINDOWS\System32\2149968076.dat
    [2009/05/14 11:34:46 | 00,048,640 | RHS- | C] () -- C:\WINDOWS\System32\adsldpy.exe
    [2009/06/02 00:36:25 | 00,095,936 | ---- | M] () -- C:\WINDOWS\System32\drivers\37acc36.sys
    
    :Commands
    [emptytemp]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • It will produce a log for you on reboot, please post that log in your next reply.
===============
Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
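The entries kahdah moved into the :OTL fix block share traits that are visible in the listing itself: hidden or system attributes on files dropped straight into C:\WINDOWS or System32, zero-byte executables, executables with no version information, and machine-generated names like t55ft2695f44.dat. The Python script below is an added example, not part of this thread and not code from OTL or any other tool mentioned here: it parses OTL file-listing lines in that format and flags entries by those traits. The sample lines are copied from the OTL log above, except the winlogon.exe line, which is constructed (its timestamp and size are invented) to exercise the masquerading check using the path from the fix script; the directory set, name list and thresholds are all assumptions.

```python
import re
from dataclasses import dataclass

# One OTL file-listing line, e.g.
# [2009/05/14 11:34:46 | 00,048,640 | RHS- | M] () -- C:\WINDOWS\System32\adsldpy.exe
# timestamp | size | attributes (R H S D) | M=modified/C=created] (company) -- path
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[A-Z-]{4}) \| (?P<kind>[MC])\] (?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)

# Assumed directories where these traits are a strong lead (not OTL's own rules).
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\system32\drivers"}
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")
# Names that belong in System32; the same name elsewhere suggests masquerading.
SYSTEM_BINARY_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe", "services.exe",
                       "csrss.exe", "smss.exe", "explorer.exe"}

R_HIDDEN = "hidden/system attribute on a file in a Windows directory"
R_ZERO = "zero-byte executable in a Windows directory"
R_NOVER = "executable in a Windows directory with no version info"
R_RANDOM = "random-looking file name in a Windows directory"
R_MASQ = "system binary name outside its expected directory"

@dataclass
class OtlEntry:
    timestamp: str
    size: int
    attrs: str
    kind: str
    company: str
    path: str

def parse_line(line: str):
    """Return an OtlEntry for a file-listing line, or None for any other line."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    return OtlEntry(m["ts"], int(m["size"].replace(",", "")), m["attrs"],
                    m["kind"], m["company"] or "", m["path"].strip())

def looks_random(name: str) -> bool:
    """Crude test for machine-generated names such as t55ft2695f44.dat:
    several digits, with letters and digits interleaved at least twice."""
    stem = name.rsplit(".", 1)[0]
    digits = sum(ch.isdigit() for ch in stem)
    switches = sum(1 for a, b in zip(stem, stem[1:]) if a.isdigit() != b.isdigit())
    return len(stem) >= 6 and digits >= 2 and switches >= 2

def triage(entry: OtlEntry) -> list:
    """Return the reasons an entry deserves a closer look (empty list if none)."""
    directory, _, name = entry.path.lower().rpartition("\\")
    in_sys = directory in SYSTEM_DIRS
    is_dir = "D" in entry.attrs
    is_exec = name.endswith(EXEC_EXT)
    reasons = []
    if in_sys and not is_dir and ("H" in entry.attrs or "S" in entry.attrs):
        reasons.append(R_HIDDEN)
    if in_sys and is_exec and entry.size == 0:
        reasons.append(R_ZERO)
    if in_sys and is_exec and not entry.company:
        reasons.append(R_NOVER)
    if in_sys and not is_dir and looks_random(name):
        reasons.append(R_RANDOM)
    if name in SYSTEM_BINARY_NAMES and not in_sys:
        reasons.append(R_MASQ)
    return reasons

def triage_log(text: str) -> dict:
    """Map each flagged path in an OTL listing to its list of reasons."""
    findings = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            reasons = triage(entry)
            if reasons:
                findings[entry.path] = reasons
    return findings

# Sample listing: every line but the last is copied from the OTL log in this thread;
# the winlogon.exe line is constructed (timestamp and size invented) using the path
# shown in the fix script, to exercise the masquerading check.
SAMPLE_LOG = r"""
[2009/05/14 14:09:44 | 00,000,002 | -H-- | M] () -- C:\WINDOWS\t55ft2695f44.dat
[2009/05/14 11:45:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\st_1242345189.exe
[2009/05/14 11:34:46 | 00,048,640 | RHS- | M] () -- C:\WINDOWS\System32\adsldpy.exe
[2009/05/11 22:25:20 | 00,000,762 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Picture Style Editor.lnk
[2009/05/07 18:02:05 | 00,153,088 | -HS- | M] () -- C:\Documents and Settings\Owner\My Documents\Thumbs.db
[2009/05/07 00:16:30 | 24,699,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/05/21 09:33:01 | 00,000,001 | ---- | C] () -- C:\WINDOWS\9g2234wesdf3dfgjf23
[2009/05/14 11:34:54 | 00,000,145 | --S- | C] () -- C:\WINDOWS\System32\2149968076.dat
[2009/06/02 00:36:25 | 00,095,936 | ---- | M] () -- C:\WINDOWS\System32\drivers\37acc36.sys
[2009/05/15 02:12:43 | 00,000,340 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job
[2009/05/14 11:40:00 | 00,357,376 | ---- | M] (ReFog Software) -- C:\Documents and Settings\Owner\My Documents\My Received Files\My Torrents\winlogon.exe
"""

if __name__ == "__main__":
    for path, reasons in triage_log(SAMPLE_LOG).items():
        print(path, "->", "; ".join(reasons))
```

These rules produce leads, not verdicts. Thumbs.db is legitimately hidden and system in a user folder and MRT.exe is a large, version-stamped Microsoft binary, so neither is flagged, while the hidden .dat files, the zero-byte st_*.exe files, adsldpy.exe and the randomly named driver all are; a flagged file should still be checked by hash and digital signature before anything is removed.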

#5
kamieo

kamieo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-02 08:45:04
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\drivers\37acc36.sys ZwCreateEvent [0xB9C6432D]
SSDT \SystemRoot\System32\drivers\37acc36.sys ZwCreateKey [0xB9C62405]
SSDT \SystemRoot\System32\drivers\37acc36.sys ZwOpenKey [0xB9C624C5]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB04CA9AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB04CA958]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB04CA96C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB04CAA5D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB04CAA89]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB04CAAF7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB04CAAE1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB04CA9EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB04CAB23]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB04CA930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB04CA944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB04CA9BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xB04CAB5F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB04CAACB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB04CAAB5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB04CAA73]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xB04CAB4B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xB04CAB37]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB04CA996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB04CA982]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xB04CAA9F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB04CAA19]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xB04CAB0D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB04CAA00]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB04CA9D4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 805021FC 7 Bytes JMP B04CA9D8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 8056DF7C 5 Bytes JMP B04CA9AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805A70D8 7 Bytes JMP B04CA9EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A7EEE 5 Bytes JMP B04CAA04 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805AD66C 7 Bytes JMP B04CA9C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805C0DD4 5 Bytes JMP B04CA934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805C1060 5 Bytes JMP B04CA948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805C3892 5 Bytes JMP B04CA986 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C6E8E 7 Bytes JMP B04CA970 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805C6F44 5 Bytes JMP B04CA95C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805C744E 5 Bytes JMP B04CA99A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8724 5 Bytes JMP B04CAA1D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 80617F30 7 Bytes JMP B04CAAB9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8061827E 5 Bytes JMP B04CAB3B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80618536 7 Bytes JMP B04CAAA3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 806187FE 7 Bytes JMP B04CAB11 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80619044 7 Bytes JMP B04CAACF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 8061989C 7 Bytes JMP B04CAA77 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8061A306 7 Bytes JMP B04CAA61 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8061A4D6 7 Bytes JMP B04CAA8D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061A6B6 7 Bytes JMP B04CAAFB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8061A920 7 Bytes JMP B04CAAE5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 8061B530 7 Bytes JMP B04CAB63 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8061BA56 5 Bytes JMP B04CAB4F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 8061BB70 5 Bytes JMP B04CAB27 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? C:\WINDOWS\System32\drivers\37acc36.sys The system cannot find the file specified.

---- User code sections - GMER 1.0.15 ----

C:\Documents and Settings\Owner\My Documents\My Received Files\My Torrents\winlogon.exe[148] C:\Documents and Settings\Owner\My Documents\My Received Files\My Torrents\winlogon.exe entry point in "" section [0x00525D48]
.rsrc C:\Documents and Settings\Owner\My Documents\My Received Files\My Torrents\winlogon.exe[148] C:\Documents and Settings\Owner\My Documents\My Received Files\My Torrents\winlogon.exe section is executable [0x00551000, 0x53B00, 0xE0000040]
.mackt C:\Documents and Settings\Owner\My Documents\My Received Files\My Torrents\winlogon.exe[148] C:\Documents and Settings\Owner\My Documents\My Received Files\My Torrents\winlogon.exe unknown last code section [0x005D4000, 0x3000, 0xE0000060]
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[192] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[192] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\svchost.exe[372] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01110FEF
.text C:\WINDOWS\system32\svchost.exe[372] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01110F85
.text C:\WINDOWS\system32\svchost.exe[372] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01110FA0
.text C:\WINDOWS\system32\svchost.exe[372] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 0111007A
.text C:\WINDOWS\system32\svchost.exe[372] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 01110069
.text C:\WINDOWS\system32\svchost.exe[372] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01110047
.text C:\WINDOWS\system32\svchost.exe[372] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 01110F4F
.text C:\WINDOWS\system32\svchost.exe[372] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01110095
.text C:\WINDOWS\system32\svchost.exe[372] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01110F12
.text C:\WINDOWS\system32\svchost.exe[372] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01110F23
.text C:\WINDOWS\system32\svchost.exe[372] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 011100D0
.text C:\WINDOWS\system32\svchost.exe[372] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 01110058
.text C:\WINDOWS\system32\svchost.exe[372] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 0111000A
.text C:\WINDOWS\system32\svchost.exe[372] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 01110F6A
.text C:\WINDOWS\system32\svchost.exe[372] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 01110036
.text C:\WINDOWS\system32\svchost.exe[372] kernel32.dll!CreateNamedPipeA 7C85FE94 3 Bytes JMP 01110025
.text C:\WINDOWS\system32\svchost.exe[372] kernel32.dll!CreateNamedPipeA + 4 7C85FE98 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[372] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 01110F3E
.text C:\WINDOWS\system32\svchost.exe[372] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 010F0FAF
.text C:\WINDOWS\system32\svchost.exe[372] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 010F0062
.text C:\WINDOWS\system32\svchost.exe[372] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 010F0FCA
.text C:\WINDOWS\system32\svchost.exe[372] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 010F0FE5
.text C:\WINDOWS\system32\svchost.exe[372] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 010F0051
.text C:\WINDOWS\system32\svchost.exe[372] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 010F000A
.text C:\WINDOWS\system32\svchost.exe[372] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 5 Bytes JMP 010F0040
.text C:\WINDOWS\system32\svchost.exe[372] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 010F0025
.text C:\WINDOWS\system32\svchost.exe[372] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 010E006E
.text C:\WINDOWS\system32\svchost.exe[372] msvcrt.dll!system 77C293C7 5 Bytes JMP 010E0FE3
.text C:\WINDOWS\system32\svchost.exe[372] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 010E0038
.text C:\WINDOWS\system32\svchost.exe[372] msvcrt.dll!_open 77C2F566 5 Bytes JMP 010E0000
.text C:\WINDOWS\system32\svchost.exe[372] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 010E0053
.text C:\WINDOWS\system32\svchost.exe[372] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 010E0011
.text C:\WINDOWS\system32\svchost.exe[372] Ws2_32.dll!socket 71AB3B91 5 Bytes JMP 010D0000
.text C:\WINDOWS\system32\svchost.exe[372] Wininet.dll!InternetOpenA 7806C865 5 Bytes JMP 0110000A
.text C:\WINDOWS\system32\svchost.exe[372] Wininet.dll!InternetOpenW 7806CE99 5 Bytes JMP 01100025
.text C:\WINDOWS\system32\svchost.exe[372] Wininet.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 01100036
.text C:\WINDOWS\system32\svchost.exe[372] Wininet.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 01100FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[568] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00250000
.text C:\Program Files\Internet Explorer\iexplore.exe[568] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00250F57
.text C:\Program Files\Internet Explorer\iexplore.exe[568] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00250F68
.text C:\Program Files\Internet Explorer\iexplore.exe[568] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00250F83
.text C:\Program Files\Internet Explorer\iexplore.exe[568] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00250F94
.text C:\Program Files\Internet Explorer\iexplore.exe[568] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00250036
.text C:\Program Files\Internet Explorer\iexplore.exe[568] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00250F15
.text C:\Program Files\Internet Explorer\iexplore.exe[568] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 0025005D
.text C:\Program Files\Internet Explorer\iexplore.exe[568] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00250ECE
.text C:\Program Files\Internet Explorer\iexplore.exe[568] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00250EE9
.text C:\Program Files\Internet Explorer\iexplore.exe[568] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00250EBD
.text C:\Program Files\Internet Explorer\iexplore.exe[568] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00250FAF
.text C:\Program Files\Internet Explorer\iexplore.exe[568] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00250FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[568] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00250F3C
.text C:\Program Files\Internet Explorer\iexplore.exe[568] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 0025001B
.text C:\Program Files\Internet Explorer\iexplore.exe[568] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00250FCA
.text C:\Program Files\Internet Explorer\iexplore.exe[568] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00250EFA
.text C:\Program Files\Internet Explorer\iexplore.exe[568] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00330F9E
.text C:\Program Files\Internet Explorer\iexplore.exe[568] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00330F61
.text C:\Program Files\Internet Explorer\iexplore.exe[568] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00330FB9
.text C:\Program Files\Internet Explorer\iexplore.exe[568] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00330FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[568] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00330F72
.text C:\Program Files\Internet Explorer\iexplore.exe[568] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00330FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[568] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 00330F83
.text C:\Program Files\Internet Explorer\iexplore.exe[568] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [53, 88]
.text C:\Program Files\Internet Explorer\iexplore.exe[568] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 0033000A
.text C:\Program Files\Internet Explorer\iexplore.exe[568] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 408BF341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[568] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 40A51777 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[568] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 40A516F8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[568] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 40A5173C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[568] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 40A51684 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[568] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 40A516BE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[568] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 40A517B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[568] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 408E16B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[568] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00340F64
.text C:\Program Files\Internet Explorer\iexplore.exe[568] msvcrt.dll!system 77C293C7 5 Bytes JMP 00340F7F
.text C:\Program Files\Internet Explorer\iexplore.exe[568] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00340FB5
.text C:\Program Files\Internet Explorer\iexplore.exe[568] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00340FE3
.text C:\Program Files\Internet Explorer\iexplore.exe[568] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00340F9A
.text C:\Program Files\Internet Explorer\iexplore.exe[568] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00340FC6
.text C:\Program Files\Internet Explorer\iexplore.exe[568] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 019C000A
.text C:\Program Files\Internet Explorer\iexplore.exe[568] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 019C001B
.text C:\Program Files\Internet Explorer\iexplore.exe[568] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 019C002C
.text C:\Program Files\Internet Explorer\iexplore.exe[568] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 019C0FD1
.text C:\Program Files\Internet Explorer\iexplore.exe[568] ws2_32.dll!socket 71AB3B91 5 Bytes JMP 02920FEF
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00070FA6
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00070FB7
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00070091
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00070076
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00070040
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 000700E4
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 000700D3
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00070110
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 000700F5
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00070F5C
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 0007005B
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 000700B6
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 0007002F
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00070F81
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0006000A
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00060F54
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00060FC3
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00060FD4
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00060F6F
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00060FE5
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 5 Bytes JMP 0006001B
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00060F94
.text C:\WINDOWS\system32\services.exe[576] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050FAF
.text C:\WINDOWS\system32\services.exe[576] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050044
.text C:\WINDOWS\system32\services.exe[576] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050FDE
.text C:\WINDOWS\system32\services.exe[576] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\services.exe[576] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050029
.text C:\WINDOWS\system32\services.exe[576] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0005000C
.text C:\WINDOWS\system32\services.exe[576] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00EA0FEF
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00EA0065
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00EA0054
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00EA0F70
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00EA0039
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00EA0FB2
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00EA00A4
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00EA0087
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00EA0F30
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00EA0F41
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00EA00E4
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00EA0F8D
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00EA0FDE
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00EA0076
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00EA001E
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00EA0FCD
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00EA00BF
.text C:\WINDOWS\system32\lsass.exe[588] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E9002F
.text C:\WINDOWS\system32\lsass.exe[588] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E90F8D
.text C:\WINDOWS\system32\lsass.exe[588] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E90FDE
.text C:\WINDOWS\system32\lsass.exe[588] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E9000A
.text C:\WINDOWS\system32\lsass.exe[588] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00E9004A
.text C:\WINDOWS\system32\lsass.exe[588] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00E90FEF
.text C:\WINDOWS\system32\lsass.exe[588] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 00E90FA8
.text C:\WINDOWS\system32\lsass.exe[588] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [09, 89]
.text C:\WINDOWS\system32\lsass.exe[588] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00E90FB9
.text C:\WINDOWS\system32\lsass.exe[588] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E80053
.text C:\WINDOWS\system32\lsass.exe[588] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E80042
.text C:\WINDOWS\system32\lsass.exe[588] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E80027
.text C:\WINDOWS\system32\lsass.exe[588] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E80FEF
.text C:\WINDOWS\system32\lsass.exe[588] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E80FD2
.text C:\WINDOWS\system32\lsass.exe[588] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E80000
.text C:\WINDOWS\system32\lsass.exe[588] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00E70000
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00C10FEF
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00C1006F
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00C10054
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00C10F86
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00C10F97
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00C10039
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00C1009B
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00C10F55
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00C10F1D
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00C10F38
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00C100C7
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00C10FB2
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00C1000A
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00C10080
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00C10FC3
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00C10FDE
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00C100AC
.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C00FC3
.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C00F7C
.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C0001E
.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C00FDE
.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00C00F8D
.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00C00FEF
.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 5 Bytes JMP 00C0002F
.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00C00FB2
.text C:\WINDOWS\system32\svchost.exe[760] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BF0FAD
.text C:\WINDOWS\system32\svchost.exe[760] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BF002E
.text C:\WINDOWS\system32\svchost.exe[760] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BF001D
.text C:\WINDOWS\system32\svchost.exe[760] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\system32\svchost.exe[760] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BF0FC8
.text C:\WINDOWS\system32\svchost.exe[760] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BF000C
.text C:\WINDOWS\system32\svchost.exe[760] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\system32\svchost.exe[824] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00870000
.text C:\WINDOWS\system32\svchost.exe[824] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00870F74
.text C:\WINDOWS\system32\svchost.exe[824] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00870F85
.text C:\WINDOWS\system32\svchost.exe[824] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00870FA2
.text C:\WINDOWS\system32\svchost.exe[824] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 0087005F
.text C:\WINDOWS\system32\svchost.exe[824] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0087003D
.text C:\WINDOWS\system32\svchost.exe[824] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00870F34
.text C:\WINDOWS\system32\svchost.exe[824] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00870F4F
.text C:\WINDOWS\system32\svchost.exe[824] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 008700CD
.text C:\WINDOWS\system32\svchost.exe[824] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008700B2
.text C:\WINDOWS\system32\svchost.exe[824] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00870F19
.text C:\WINDOWS\system32\svchost.exe[824] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 0087004E
.text C:\WINDOWS\system32\svchost.exe[824] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00870FE5
.text C:\WINDOWS\system32\svchost.exe[824] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 0087007A
.text C:\WINDOWS\system32\svchost.exe[824] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 0087002C
.text C:\WINDOWS\system32\svchost.exe[824] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 0087001B
.text C:\WINDOWS\system32\svchost.exe[824] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 008700A1
.text C:\WINDOWS\system32\svchost.exe[824] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00860FCA
.text C:\WINDOWS\system32\svchost.exe[824] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00860F68
.text C:\WINDOWS\system32\svchost.exe[824] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00860FDB
.text C:\WINDOWS\system32\svchost.exe[824] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0086001B
.text C:\WINDOWS\system32\svchost.exe[824] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00860F79
.text C:\WINDOWS\system32\svchost.exe[824] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00860000
.text C:\WINDOWS\system32\svchost.exe[824] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 00860F9E
.text C:\WINDOWS\system32\svchost.exe[824] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [A6, 88]
.text C:\WINDOWS\system32\svchost.exe[824] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00860FB9
.text C:\WINDOWS\system32\svchost.exe[824] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00850FA8
.text C:\WINDOWS\system32\svchost.exe[824] msvcrt.dll!system 77C293C7 5 Bytes JMP 00850FB9
.text C:\WINDOWS\system32\svchost.exe[824] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00850FD4
.text C:\WINDOWS\system32\svchost.exe[824] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0085000C
.text C:\WINDOWS\system32\svchost.exe[824] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00850033
.text C:\WINDOWS\system32\svchost.exe[824] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00850FEF
.text C:\WINDOWS\system32\svchost.exe[824] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 0084000A
.text C:\WINDOWS\System32\svchost.exe[888] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 024D0FEF
.text C:\WINDOWS\System32\svchost.exe[888] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 024D007B
.text C:\WINDOWS\System32\svchost.exe[888] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 024D0F90
.text C:\WINDOWS\System32\svchost.exe[888] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 024D006A
.text C:\WINDOWS\System32\svchost.exe[888] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 024D0FA1
.text C:\WINDOWS\System32\svchost.exe[888] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 024D0FB2
.text C:\WINDOWS\System32\svchost.exe[888] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 024D0F55
.text C:\WINDOWS\System32\svchost.exe[888] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 024D009D
.text C:\WINDOWS\System32\svchost.exe[888] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 024D00E7
.text C:\WINDOWS\System32\svchost.exe[888] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 024D00CC
.text C:\WINDOWS\System32\svchost.exe[888] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 024D0F33
.text C:\WINDOWS\System32\svchost.exe[888] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 024D0043
.text C:\WINDOWS\System32\svchost.exe[888] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 024D0014
.text C:\WINDOWS\System32\svchost.exe[888] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 024D008C
.text C:\WINDOWS\System32\svchost.exe[888] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 024D0FCD
.text C:\WINDOWS\System32\svchost.exe[888] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 024D0FDE
.text C:\WINDOWS\System32\svchost.exe[888] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 024D0F44
.text C:\WINDOWS\System32\svchost.exe[888] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 024B0FCA
.text C:\WINDOWS\System32\svchost.exe[888] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 024B0076
.text C:\WINDOWS\System32\svchost.exe[888] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 024B001B
.text C:\WINDOWS\System32\svchost.exe[888] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 024B000A
.text C:\WINDOWS\System32\svchost.exe[888] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 024B0065
.text C:\WINDOWS\System32\svchost.exe[888] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 024B0FEF
.text C:\WINDOWS\System32\svchost.exe[888] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 5 Bytes JMP 024B0040
.text C:\WINDOWS\System32\svchost.exe[888] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 024B0FB9
.text C:\WINDOWS\System32\svchost.exe[888] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 024A0FAB
.text C:\WINDOWS\System32\svchost.exe[888] msvcrt.dll!system 77C293C7 5 Bytes JMP 024A0FBC
.text C:\WINDOWS\System32\svchost.exe[888] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 024A0011
.text C:\WINDOWS\System32\svchost.exe[888] msvcrt.dll!_open 77C2F566 5 Bytes JMP 024A0FE3
.text C:\WINDOWS\System32\svchost.exe[888] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 024A0022
.text C:\WINDOWS\System32\svchost.exe[888] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 024A0000
.text C:\WINDOWS\System32\svchost.exe[888] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 0248000A
.text C:\WINDOWS\System32\svchost.exe[888] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 024C0000
.text C:\WINDOWS\System32\svchost.exe[888] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 024C0011
.text C:\WINDOWS\System32\svchost.exe[888] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 024C0FD1
.text C:\WINDOWS\System32\svchost.exe[888] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 024C0FC0
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00280FEF
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00280067
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00280056
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00280045
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00280F7C
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00280FA8
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00280F3C
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00280084
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00280F06
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00280F21
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 002800B0
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00280F97
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00280FDE
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00280F57
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 0028001E
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00280FCD
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 0028009F
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0027001E
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00270F72
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00270FCD
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00270FDE
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00270F83
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00270FEF
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 00270FA8
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [47, 88]
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 0027002F
.text C:\WINDOWS\system32\svchost.exe[944] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0026000C
.text C:\WINDOWS\system32\svchost.exe[944] msvcrt.dll!system 77C293C7 5 Bytes JMP 00260F8B
.text C:\WINDOWS\system32\svchost.exe[944] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00260FB7
.text C:\WINDOWS\system32\svchost.exe[944] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00260FE3
.text C:\WINDOWS\system32\svchost.exe[944] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00260F9C
.text C:\WINDOWS\system32\svchost.exe[944] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00260FD2
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00790000
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00790F68
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00790F79
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00790047
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00790F8A
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00790FAC
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00790F30
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00790078
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00790EFA
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00790F0B
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00790EE9
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00790F9B
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00790011
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00790F4D
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00790FC7
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00790022
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00790089
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00780FCA
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00780058
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0078001B
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00780FE5
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00780047
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00780000
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 00780FAF
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [98, 88]
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 0078002C
.text C:\WINDOWS\system32\svchost.exe[1108] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00770050
.text C:\WINDOWS\system32\svchost.exe[1108] msvcrt.dll!system 77C293C7 5 Bytes JMP 0077003F
.text C:\WINDOWS\system32\svchost.exe[1108] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0077001D
.text C:\WINDOWS\system32\svchost.exe[1108] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00770FE3
.text C:\WINDOWS\system32\svchost.exe[1108] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0077002E
.text C:\WINDOWS\system32\svchost.exe[1108] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00770000
.text C:\WINDOWS\system32\svchost.exe[1108] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 0076000A
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00190FEF
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00190049
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00190038
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00190F5E
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 0019001B
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00190F94
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00190F23
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 0019006B
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001900B5
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00190090
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00190EF7
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00190F83
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00190FCA
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 0019005A
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00190FA5
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00190000
.text C:\WINDOWS\System32\svchost.exe[1132] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00190F12
.text C:\WINDOWS\System32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00270FD1
.text C:\WINDOWS\System32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0027005F
.text C:\WINDOWS\System32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00270022
.text C:\WINDOWS\System32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00270011
.text C:\WINDOWS\System32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 0027004E
.text C:\WINDOWS\System32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00270000
.text C:\WINDOWS\System32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 00270FAC
.text C:\WINDOWS\System32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [47, 88]
.text C:\WINDOWS\System32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 0027003D
.text C:\WINDOWS\System32\svchost.exe[1132] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0028003F
.text C:\WINDOWS\System32\svchost.exe[1132] msvcrt.dll!system 77C293C7 5 Bytes JMP 0028002E
.text C:\WINDOWS\System32\svchost.exe[1132] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00280FD9
.text C:\WINDOWS\System32\svchost.exe[1132] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00280000
.text C:\WINDOWS\System32\svchost.exe[1132] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00280FBE
.text C:\WINDOWS\System32\svchost.exe[1132] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00280011
.text C:\WINDOWS\System32\svchost.exe[1132] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 005B0000
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00810FEF
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00810F8B
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00810080
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 0081006F
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00810FB2
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00810039
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 008100AC
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 0081009B
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 008100E9
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008100CE
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00810F35
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 0081005E
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00810014
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00810F7A
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00810FCD
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00810FDE
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 008100BD
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0080002F
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00800FA5
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00800FD4
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00800014
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 0080006C
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00800FEF
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 5 Bytes JMP 00800051
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00800040
.text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007F0FA6
.text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!system 77C293C7 5 Bytes JMP 007F003B
.text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007F0FD2
.text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007F0000
.text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007F0FC1
.text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007F0FE3
.text C:\WINDOWS\system32\svchost.exe[1188] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 007E0FEF
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00980FE5
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00980F65
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0098005A
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00980F80
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00980033
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00980011
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00980088
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00980077
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00980EF9
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00980F0A
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 009800B7
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00980022
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00980FD4
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00980F40
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00980FA5
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00980000
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00980F1B
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00970FB9
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00970F83
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00970FCA
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00970000
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00970040
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00970FEF
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 5 Bytes JMP 00970025
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00970F9E
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007D0FC3
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!system 77C293C7 5 Bytes JMP 007D0044
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007D0018
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007D0FEF
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007D0029
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007D0FDE
.text C:\WINDOWS\Explorer.EXE[1356] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 014E0000
.text C:\WINDOWS\Explorer.EXE[1356] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 014E009E
.text C:\WINDOWS\Explorer.EXE[1356] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 014E0079
.text C:\WINDOWS\Explorer.EXE[1356] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 014E0FAB
.text C:\WINDOWS\Explorer.EXE[1356] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 014E0FBC
.text C:\WINDOWS\Explorer.EXE[1356] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 014E0FDE
.text C:\WINDOWS\Explorer.EXE[1356] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 014E00C0
.text C:\WINDOWS\Explorer.EXE[1356] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 014E0F84
.text C:\WINDOWS\Explorer.EXE[1356] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 014E0F67
.text C:\WINDOWS\Explorer.EXE[1356] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 014E00F6
.text C:\WINDOWS\Explorer.EXE[1356] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 014E0F4C
.text C:\WINDOWS\Explorer.EXE[1356] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 014E0FCD
.text C:\WINDOWS\Explorer.EXE[1356] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 014E0FEF
.text C:\WINDOWS\Explorer.EXE[1356] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 014E00AF
.text C:\WINDOWS\Explorer.EXE[1356] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 014E0040
.text C:\WINDOWS\Explorer.EXE[1356] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 014E0025
.text C:\WINDOWS\Explorer.EXE[1356] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 014E00DB
.text C:\WINDOWS\Explorer.EXE[1356] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 014C001B
.text C:\WINDOWS\Explorer.EXE[1356] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 014C004A
.text C:\WINDOWS\Explorer.EXE[1356] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 014C000A
.text C:\WINDOWS\Explorer.EXE[1356] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 014C0FCA
.text C:\WINDOWS\Explorer.EXE[1356] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 014C0F97
.text C:\WINDOWS\Explorer.EXE[1356] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 014C0FEF
.text C:\WINDOWS\Explorer.EXE[1356] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 014C0FA8
.text C:\WINDOWS\Explorer.EXE[1356] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [6C, 89]
.text C:\WINDOWS\Explorer.EXE[1356] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 014C0FB9
.text C:\WINDOWS\Explorer.EXE[1356] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01340069
.text C:\WINDOWS\Explorer.EXE[1356] msvcrt.dll!system 77C293C7 5 Bytes JMP 0134004E
.text C:\WINDOWS\Explorer.EXE[1356] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01340FDE
.text C:\WINDOWS\Explorer.EXE[1356] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01340FEF
.text C:\WINDOWS\Explorer.EXE[1356] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0134003D
.text C:\WINDOWS\Explorer.EXE[1356] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0134000C
.text C:\WINDOWS\Explorer.EXE[1356] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 014D0000
.text C:\WINDOWS\Explorer.EXE[1356] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 014D0FE5
.text C:\WINDOWS\Explorer.EXE[1356] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 014D0FD4
.text C:\WINDOWS\Explorer.EXE[1356] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 014D0FC3
.text C:\WINDOWS\Explorer.EXE[1356] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 01140FEF
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00760FE5
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00760090
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0076007F
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00760FA5
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00760058
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00760036
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 007600BC
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 007600AB
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00760103
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 007600E8
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00760F59
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00760047
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 0076000A
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00760F80
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00760FCA
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 0076001B
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 007600CD
.text C:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00520FA8
.text C:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00520F7C
.text C:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00520FB9
.text C:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00520FCA
.text C:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00520F97
.text C:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00520FE5
.text C:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 5 Bytes JMP 00520039
.text C:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 0052001E
.text C:\WINDOWS\system32\svchost.exe[1784] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0051004E
.text C:\WINDOWS\system32\svchost.exe[1784] msvcrt.dll!system 77C293C7 5 Bytes JMP 00510FC3
.text C:\WINDOWS\system32\svchost.exe[1784] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00510022
.text C:\WINDOWS\system32\svchost.exe[1784] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00510FEF
.text C:\WINDOWS\system32\svchost.exe[1784] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0051003D
.text C:\WINDOWS\system32\svchost.exe[1784] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00510FDE
.text C:\WINDOWS\system32\svchost.exe[1784] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00530000
.text C:\WINDOWS\system32\svchost.exe[1784] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00530011
.text C:\WINDOWS\system32\svchost.exe[1784] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00530022
.text C:\WINDOWS\system32\svchost.exe[1784] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 00530FC7
.text C:\WINDOWS\system32\svchost.exe[1784] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00500FEF

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[2824] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[2824] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[2824] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[2824] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[2824] @ C:\WINDOWS\system32\USER32.dll [GDI32.dll!GetStockObject] [6113909F] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[2824] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[2824] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[2824] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[2824] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[2824] @ C:\WINDOWS\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [6113909F] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[2824] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6113A3BF] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[2824] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[2824] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[2824] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[2824] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[2824] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [61139856] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[2824] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [61139856] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[2824] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [61138FE2] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[2824] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [61138F66] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[2824] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [61138FA4] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[2824] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!GetStockObject] [6113909F] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[2824] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[2824] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[2824] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[2824] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[2824] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6113A3BF] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[2824] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [611390DD] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[2824] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [61138FA4] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[2824] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [61139856] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[2824] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [61138FE2] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[2824] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [61139856] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[2824] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [611390A5] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[2824] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [61138F66] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[2824] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[2824] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [61139C3F] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 37acc36.sys

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip 37acc36.sys

Device \Driver\MPFP \Device\MPFP 37acc36.sys

AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp 37acc36.sys
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp 37acc36.sys
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp 37acc36.sys
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\System32\drivers\37acc36.sys (*** hidden *** ) [SYSTEM] 37acc36 <-- ROOTKIT !!!
Service system32\drivers\UACkxfonwej.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\37acc36@ImagePath \SystemRoot\System32\drivers\37acc36.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\37acc36@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\37acc36@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\37acc36@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACkxfonwej.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACkxfonwej.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACiffccilu.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACkvtrufyt.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACapqnkprp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACkixbuxwh.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACrjwqnxwk.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UAClvdqybne.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACfypojatm.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACdrvklkjo.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACqqpxwxll.dll
Reg HKLM\SYSTEM\ControlSet002\Services\37acc36@ImagePath \SystemRoot\System32\drivers\37acc36.sys
Reg HKLM\SYSTEM\ControlSet002\Services\37acc36@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\37acc36@Start 1
Reg HKLM\SYSTEM\ControlSet002\Services\37acc36@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACkxfonwej.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACkxfonwej.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACiffccilu.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACkvtrufyt.dat
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACapqnkprp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACkixbuxwh.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACrjwqnxwk.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UAClvdqybne.log
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACfypojatm.log
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACdrvklkjo.log
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACqqpxwxll.dll

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 60: copy of MBR

---- EOF - GMER 1.0.15 ----

#6 kamieo (Topic Starter, Member, 41 posts)
Error: Unable to interpret <:OTL> in the current context!
Error: Unable to interpret <O4 - HKLM..\Run: [sysfbtray] c:\windows\freddy43.exe File not found> in the current context!
Error: Unable to interpret <O4 - HKLM..\Run: [sysmstray] c:\windows\mstre19.exe File not found> in the current context!
Error: Unable to interpret <O4 - HKLM..\Run: [winlogon.exe] C:\Documents and Settings\Owner\My Documents\My Received Files\My Torrents\winlogon.exe (ReFog Software)> in the current context!
Error: Unable to interpret <O4 - HKCU..\Run: [] C:\Documents and Settings\Owner\.exe /i File not found> in the current context!
Error: Unable to interpret <O4 - HKCU..\Run: [rundll32.exe] "C:\Documents and Settings\Owner\Application Data\Macromedia\Common\1e6540261.dll"" File not found> in the current context!
Error: Unable to interpret <O32 - Autorun File - D:\Autorun.inf () - [ FAT32 ]> in the current context!
Error: Unable to interpret <O32 - Autorun File - D:\autorun.inf () - [ FAT32 ]> in the current context!
Error: Unable to interpret <O32 - Autorun File - J:\autorun [2008/07/22 14:51:26 00,000,000 | ---D | M] - [ FAT32 ]> in the current context!
Error: Unable to interpret <O32 - Autorun File - J:\autorun.inf () - [ FAT32 ]> in the current context!
Error: Unable to interpret <[2009/05/21 22:18:29 | 00,000,002 | -H-- | C] () -- C:\WINDOWS\t55ft2739f44.dat> in the current context!
Error: Unable to interpret <[2009/05/21 22:18:27 | 00,000,002 | -H-- | C] () -- C:\WINDOWS\t55ft2712f44.dat> in the current context!
Error: Unable to interpret <[2009/05/21 09:33:01 | 00,000,001 | ---- | C] () -- C:\WINDOWS\9g2234wesdf3dfgjf23> in the current context!
Error: Unable to interpret <[2009/05/21 09:33:00 | 00,000,002 | -H-- | C] () -- C:\WINDOWS\t55ft2730f44.dat> in the current context!
Error: Unable to interpret <[2009/05/17 23:05:30 | 00,000,000 | -H-- | C] () -- C:\WINDOWS\f5087.dat> in the current context!
Error: Unable to interpret <[2009/05/17 18:18:59 | 00,001,157 | -H-- | C] () -- C:\WINDOWS\ms49f4d98.dat> in the current context!
Error: Unable to interpret <[2009/05/17 14:28:01 | 00,000,002 | -H-- | C] () -- C:\WINDOWS\t55ft3192f44.dat> in the current context!
Error: Unable to interpret <[2009/05/17 14:28:01 | 00,000,001 | -H-- | C] () -- C:\WINDOWS\msmark2.dat> in the current context!
Error: Unable to interpret <[2009/05/17 14:27:59 | 00,000,001 | -H-- | C] () -- C:\WINDOWS\f23567.dat> in the current context!
Error: Unable to interpret <[2009/05/17 14:27:58 | 00,000,002 | -H-- | C] () -- C:\WINDOWS\t55ft3165f44.dat> in the current context!
Error: Unable to interpret <[2009/05/17 12:27:56 | 00,000,002 | -H-- | C] () -- C:\WINDOWS\t55ft3189f44.dat> in the current context!
Error: Unable to interpret <[2009/05/14 14:09:44 | 00,000,002 | -H-- | C] () -- C:\WINDOWS\t55ft2695f44.dat> in the current context!
Error: Unable to interpret <[2009/05/14 14:09:39 | 00,000,002 | -H-- | C] () -- C:\WINDOWS\t55ft2668f44.dat> in the current context!
Error: Unable to interpret <[2009/05/14 11:45:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\st_1242345189.exe> in the current context!
Error: Unable to interpret <[2009/05/14 11:45:22 | 00,000,000 | ---- | C] () -- C:\WINDOWS\st_1242326761.exe> in the current context!
Error: Unable to interpret <[2009/05/14 11:35:24 | 00,000,002 | -H-- | C] () -- C:\WINDOWS\t55ft2692f44.dat> in the current context!
Error: Unable to interpret <[2009/05/14 11:34:54 | 00,000,145 | --S- | C] () -- C:\WINDOWS\System32\2149968076.dat> in the current context!
Error: Unable to interpret <[2009/05/14 11:34:46 | 00,048,640 | RHS- | C] () -- C:\WINDOWS\System32\adsldpy.exe> in the current context!
Error: Unable to interpret <[2009/06/02 00:36:25 | 00,095,936 | ---- | M] () -- C:\WINDOWS\System32\drivers\37acc36.sys> in the current context!
========== COMMANDS ==========
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\fb_2120.lck scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_b08.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\WCESLog.log scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DF8E2.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DFB2C0.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\fb_1940.lck scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_8BStVIHKkwXSccb scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_E33KhjoIdJUYyMl scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_IJ6ccHLXuPLf1QZ scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_KFa4kHcV6Rg59SN scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_PStACzgweT239fd scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_bf4.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.

OTListIt2 by OldTimer - Version 2.0.3.2 log created on 06022009_085054

Files moved on Reboot...
File C:\Documents and Settings\Owner\Local Settings\Temp\fb_2120.lck not found!
File C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_b08.dat not found!
C:\Documents and Settings\Owner\Local Settings\Temp\WCESLog.log moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\~DF8E2.tmp moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\~DFB2C0.tmp moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.
File C:\WINDOWS\temp\fb_1940.lck not found!
File C:\WINDOWS\temp\mcmsc_8BStVIHKkwXSccb not found!
File C:\WINDOWS\temp\mcmsc_E33KhjoIdJUYyMl not found!
File C:\WINDOWS\temp\mcmsc_IJ6ccHLXuPLf1QZ not found!
File C:\WINDOWS\temp\mcmsc_KFa4kHcV6Rg59SN not found!
File C:\WINDOWS\temp\mcmsc_PStACzgweT239fd not found!
C:\WINDOWS\temp\Perflib_Perfdata_bf4.dat moved successfully.

Registry entries deleted on Reboot...

#7 kamieo (Topic Starter, Member, 41 posts)
I tried downloading Combofix from all three links; my McAfee said there was a trojan attached.

#8 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
First, Combofix is not a trojan; you need to disable any protection before running Combofix.
But first, do this part again:
Then disable McAfee and run Combofix.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTLi
    O4 - HKLM..\Run: [sysfbtray] c:\windows\freddy43.exe File not found
    O4 - HKLM..\Run: [sysmstray] c:\windows\mstre19.exe File not found
    O4 - HKLM..\Run: [winlogon.exe] C:\Documents and Settings\Owner\My Documents\My Received Files\My Torrents\winlogon.exe (ReFog Software)
    O4 - HKCU..\Run: [] C:\Documents and Settings\Owner\.exe /i File not found
    O4 - HKCU..\Run: [rundll32.exe] "C:\Documents and Settings\Owner\Application Data\Macromedia\Common\1e6540261.dll"" File not found
    O32 - Autorun File - D:\Autorun.inf () - [ FAT32 ]
    O32 - Autorun File - D:\autorun.inf () - [ FAT32 ]
    O32 - Autorun File - J:\autorun [2008/07/22 14:51:26 00,000,000 | ---D | M] - [ FAT32 ]
    O32 - Autorun File - J:\autorun.inf () - [ FAT32 ]
    [2009/05/21 22:18:29 | 00,000,002 | -H-- | C] () -- C:\WINDOWS\t55ft2739f44.dat
    [2009/05/21 22:18:27 | 00,000,002 | -H-- | C] () -- C:\WINDOWS\t55ft2712f44.dat
    [2009/05/21 09:33:01 | 00,000,001 | ---- | C] () -- C:\WINDOWS\9g2234wesdf3dfgjf23
    [2009/05/21 09:33:00 | 00,000,002 | -H-- | C] () -- C:\WINDOWS\t55ft2730f44.dat
    [2009/05/20 16:31:33 | 16,859,2911 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Adobe Photoshop 7.0_for PC_with serial.zip
    [2009/05/17 23:05:30 | 00,000,000 | -H-- | C] () -- C:\WINDOWS\f5087.dat
    [2009/05/17 18:18:59 | 00,001,157 | -H-- | C] () -- C:\WINDOWS\ms49f4d98.dat
    [2009/05/17 14:28:01 | 00,000,002 | -H-- | C] () -- C:\WINDOWS\t55ft3192f44.dat
    [2009/05/17 14:28:01 | 00,000,001 | -H-- | C] () -- C:\WINDOWS\msmark2.dat
    [2009/05/17 14:27:59 | 00,000,001 | -H-- | C] () -- C:\WINDOWS\f23567.dat
    [2009/05/17 14:27:58 | 00,000,002 | -H-- | C] () -- C:\WINDOWS\t55ft3165f44.dat
    [2009/05/17 12:27:56 | 00,000,002 | -H-- | C] () -- C:\WINDOWS\t55ft3189f44.dat
    [2009/05/14 14:09:44 | 00,000,002 | -H-- | C] () -- C:\WINDOWS\t55ft2695f44.dat
    [2009/05/14 14:09:39 | 00,000,002 | -H-- | C] () -- C:\WINDOWS\t55ft2668f44.dat
    [2009/05/14 11:45:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\st_1242345189.exe
    [2009/05/14 11:45:22 | 00,000,000 | ---- | C] () -- C:\WINDOWS\st_1242326761.exe
    [2009/05/14 11:35:24 | 00,000,002 | -H-- | C] () -- C:\WINDOWS\t55ft2692f44.dat
    [2009/05/14 11:34:54 | 00,000,145 | --S- | C] () -- C:\WINDOWS\System32\2149968076.dat
    [2009/05/14 11:34:46 | 00,048,640 | RHS- | C] () -- C:\WINDOWS\System32\adsldpy.exe
    [2009/06/02 00:36:25 | 00,095,936 | ---- | M] () -- C:\WINDOWS\System32\drivers\37acc36.sys
    
    :Commands
    [emptytemp]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • It will produce a log for you on reboot, please post that log in your next reply.
