
Google Redirect + unable to run Hijackthis [Solved]



#1 stoneman4172 (Member, 13 posts)
Hi, thank god I found this forum. I have gotten the Google redirect as well and after going through this forum, I downloaded HJT and ran it to post the log file here. After installing, the first screen did come up and I chose to 'scan & save log file'. After I clicked the button, nothing happened, the screen just went away. I tried running HJT again and a popup screen says 'Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item.' I am logged in as administrator already. Can someone help? What can I do?
Thx


#2 NeonFx (Malware Removal Dude, Expert, 3,792 posts)
Hello there :) Welcome to the GeeksToGo forums.
My name is NeonFx. I'll be glad to help you with your computer problems. Logs can take some time to research, so please be patient with me. I am still a student here, and as such I will have to have all my responses checked by a malware removal expert before I post them here.

Please note the following:
  • The fixes are specific to your problem and should only be used on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clean. Absence of symptoms does not necessarily mean that the system is completely clean.
  • It's often worth reading through these instructions and printing them for ease of reference. I may ask you to boot into Safe Mode where you will be unable to follow my instructions online.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

I will be back with instructions for you shortly.

#3 NeonFx (Malware Removal Dude, Expert, 3,792 posts)
Alright. Let's see how bad your infection is. Please do the following:

STEP 1

Please download and run ad13's win32ksys to your desktop
A black window will appear, let this run
On completion, a log called Win32kDiag.txt will appear on your desktop; please post this in your next reply.

STEP 2

Download GMER.exe. Note its name and save it to your root folder, such as C:\.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

STEP 3

OTL scan:

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Standard Output.
  • Underneath Extra Registry at the lower left change it to Use SafeList.
  • Under the Custom scans/Fixes box paste this in.

    netsvcs
    %SYSTEMDRIVE%\*.exe
    %systemroot%\system32\eventlog.dll
    %systemroot%\system32\scecli.dll
    %systemroot%\netlogon.dll
    %systemroot%\system32\cngaudit.dll
    %systemroot%\system32\sceclt.dll
    %systemroot%\ntelogon.dll
    %systemroot%\system32\logevent.dll



  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.


#4 stoneman4172 (Member, 13 posts)
Hi NeonFx, thank you for your help. An update to the problem.
1) I am now unable to run my antivirus program to do a full scan. It still goes and gets updates but won't run when I choose to run it. It just sits there.
2) The redirection can also happen if I open a new tab within IE and type in a URL.

Now for the results. I have done the 3 steps as instructed and encountered a couple of problems.
Step 1 - OK
Step 2 - It crashed my computer halfway through the first time I ran the scan. A blue screen came up and said 'PFN_List_Corrupt'. I rebooted the machine and ran it again. This time it ran OK.
Step 3 - After downloading OTL and running it, the screen did come up. I did everything and ran the scan. It started the scan and the window just went away and nothing happened. The computer just sat there. So I tried double clicking OTL again and still nothing happened. I rebooted the machine and ran OTL again and this time it said 'Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item.'

I'm going to post the results from step 1 & 2 in the next post.

#5 stoneman4172 (Member, 13 posts)
Step 1 Win32kDiag.txt

Log file is located at: C:\Documents and Settings\Alfred\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\WPD\WPD

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\Cache\Cache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Logs\Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-1292428093-1450960922-725345543-1003\S-1-5-21-1292428093-1450960922-725345543-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 20:00:00 55808 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 20:00:00 62976 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-04 20:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Machine

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\GroupPolicy\User\User

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\drivers\w32x86\3\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\TestEngDat64\TestEngDat64

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05

Mount point destination : \Device\__max++>\^



Finished!

Step 2 Results.log

GMER 1.0.15.15077 [jer6w8x2.exe] - http://www.gmer.net
Rootkit scan 2009-09-01 11:13:51
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA8AB657B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xA8AB64FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA8AB65A5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA8AB650F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA8AB653B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA8AB65CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA8AB64E7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA8AB658F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA8AB6525]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xA8AB6551]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA8AB6567]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA8AB65E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA8AB65B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AB0 7 Bytes JMP A8AB65BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80577F8E 5 Bytes JMP A8AB657F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B0E36 7 Bytes JMP A8AB65D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B1C44 5 Bytes JMP A8AB65E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B7216 7 Bytes JMP A8AB6593 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805CFF26 5 Bytes JMP A8AB65A9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D167A 5 Bytes JMP A8AB656B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80620C3E 7 Bytes JMP A8AB6555 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80621FA4 7 Bytes JMP A8AB6529 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 8062257E 5 Bytes JMP A8AB64FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80622A0E 7 Bytes JMP A8AB6513 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80622BDE 7 Bytes JMP A8AB653F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80623914 5 Bytes JMP A8AB64EB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[360] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00750FE5
.text C:\WINDOWS\system32\svchost.exe[360] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00750082
.text C:\WINDOWS\system32\svchost.exe[360] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0075005D
.text C:\WINDOWS\system32\svchost.exe[360] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00750F83
.text C:\WINDOWS\system32\svchost.exe[360] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00750040
.text C:\WINDOWS\system32\svchost.exe[360] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00750FB9
.text C:\WINDOWS\system32\svchost.exe[360] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00750F61
.text C:\WINDOWS\system32\svchost.exe[360] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00750F72
.text C:\WINDOWS\system32\svchost.exe[360] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00750F35
.text C:\WINDOWS\system32\svchost.exe[360] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00750F46
.text C:\WINDOWS\system32\svchost.exe[360] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 007500E9
.text C:\WINDOWS\system32\svchost.exe[360] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00750F9E
.text C:\WINDOWS\system32\svchost.exe[360] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00750000
.text C:\WINDOWS\system32\svchost.exe[360] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 0075009D
.text C:\WINDOWS\system32\svchost.exe[360] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00750025
.text C:\WINDOWS\system32\svchost.exe[360] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00750FD4
.text C:\WINDOWS\system32\svchost.exe[360] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 007500C4
.text C:\WINDOWS\system32\svchost.exe[360] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00740FC0
.text C:\WINDOWS\system32\svchost.exe[360] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 0074005B
.text C:\WINDOWS\system32\svchost.exe[360] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00740011
.text C:\WINDOWS\system32\svchost.exe[360] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00740000
.text C:\WINDOWS\system32\svchost.exe[360] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00740F94
.text C:\WINDOWS\system32\svchost.exe[360] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00740FA5
.text C:\WINDOWS\system32\svchost.exe[360] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00740FEF
.text C:\WINDOWS\system32\svchost.exe[360] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 0074002C
.text C:\WINDOWS\system32\svchost.exe[360] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00730F9A
.text C:\WINDOWS\system32\svchost.exe[360] msvcrt.dll!system 77C293C7 5 Bytes JMP 00730FAB
.text C:\WINDOWS\system32\svchost.exe[360] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0073001B
.text C:\WINDOWS\system32\svchost.exe[360] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00730000
.text C:\WINDOWS\system32\svchost.exe[360] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00730FBC
.text C:\WINDOWS\system32\svchost.exe[360] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00730FE3
.text C:\WINDOWS\system32\svchost.exe[360] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00720FEF
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[516] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 015D0FE5
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[516] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 015D0F59
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[516] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 015D0F7E
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[516] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 015D0F8F
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[516] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 015D0058
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[516] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 015D0047
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[516] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 015D0097
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[516] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 015D007A
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[516] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 015D00CD
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[516] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 015D00BC
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[516] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 015D0F23
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[516] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 015D0FC0
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[516] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 015D0000
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[516] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 015D0069
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[516] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 015D002C
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[516] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 015D001B
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[516] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 015D0F3E
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[516] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 015C0FD4
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[516] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 015C0F8D
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[516] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 015C0025
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[516] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 015C0FEF
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[516] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 015C0040
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[516] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 015C0FA8
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[516] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 015C0000
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[516] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 015C0FC3
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[516] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 015B0FA1
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[516] msvcrt.dll!system 77C293C7 5 Bytes JMP 015B0FBC
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[516] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 015B001B
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[516] msvcrt.dll!_open 77C2F566 5 Bytes JMP 015B0000
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[516] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 015B0036
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[516] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 015B0FE3
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[516] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00F10000
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[844] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00CF0000
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[844] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00CF00AB
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[844] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00CF009A
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[844] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00CF007F
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[844] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00CF0058
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[844] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00CF0FB6
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[844] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00CF00D7
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[844] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00CF00C6
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[844] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00CF011E
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[844] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00CF0103
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[844] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00CF0F6A
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[844] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00CF003D
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[844] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00CF001B
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[844] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00CF0F9B
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[844] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00CF002C
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[844] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00CF0FDB
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[844] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00CF00E8
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[844] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00CE0FCA
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[844] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00CE0F72
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[844] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00CE0FE5
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[844] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00CE001B
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[844] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00CE0F8D
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[844] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00CE0F9E
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[844] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00CE0000
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[844] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00CE0FB9
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[844] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CD0053
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[844] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CD0FC8
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[844] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CD0FE3
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[844] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CD0000
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[844] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CD0042
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[844] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CD001D
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[844] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00CC0FEF
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00EA0000
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00EA0FA3
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00EA0FBE
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00EA0098
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00EA0087
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00EA0FE5
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00EA0F86
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00EA00CE
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00EA0F49
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00EA0F5A
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00EA0F38
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00EA0076
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00EA0025
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00EA00B3
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00EA0047
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00EA0036
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00EA0F6B
.text C:\WINDOWS\system32\svchost.exe[852] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00E90025
.text C:\WINDOWS\system32\svchost.exe[852] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00E9006C
.text C:\WINDOWS\system32\svchost.exe[852] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00E9000A
.text C:\WINDOWS\system32\svchost.exe[852] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00E90FD4
.text C:\WINDOWS\system32\svchost.exe[852] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00E9005B
.text C:\WINDOWS\system32\svchost.exe[852] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00E90036
.text C:\WINDOWS\system32\svchost.exe[852] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00E90FEF
.text C:\WINDOWS\system32\svchost.exe[852] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00E90FB9
.text C:\WINDOWS\system32\svchost.exe[852] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E80050
.text C:\WINDOWS\system32\svchost.exe[852] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E8003F
.text C:\WINDOWS\system32\svchost.exe[852] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E8001D
.text C:\WINDOWS\system32\svchost.exe[852] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E80000
.text C:\WINDOWS\system32\svchost.exe[852] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E8002E
.text C:\WINDOWS\system32\svchost.exe[852] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E80FE3
.text C:\WINDOWS\system32\svchost.exe[852] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00E70FEF
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[864] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01060FEF
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[864] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01060F70
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[864] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01060F81
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[864] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 0106005B
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[864] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 0106004A
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[864] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01060025
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[864] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 01060F27
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[864] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01060F38
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[864] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 010600A5
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[864] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01060F0C
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[864] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 010600B6
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[864] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 01060F9E
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[864] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 01060FDE
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[864] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 01060F55
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[864] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 01060FB9
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[864] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 01060014
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[864] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 0106008A
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[864] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 0105002F
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[864] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 01050076
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[864] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 01050FD4
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[864] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 01050FE5
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[864] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 01050FB9
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[864] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 01050065
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[864] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 01050000
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[864] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 01050040
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[864] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01040F90
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[864] msvcrt.dll!system 77C293C7 5 Bytes JMP 01040FA1
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[864] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01040FC6
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[864] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01040000
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[864] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01040011
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[864] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01040FE3
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[864] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 01030000
.text C:\WINDOWS\system32\services.exe[980] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[980] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00070F97
.text C:\WINDOWS\system32\services.exe[980] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0007008C
.text C:\WINDOWS\system32\services.exe[980] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00070FA8
.text C:\WINDOWS\system32\services.exe[980] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00070FC3
.text C:\WINDOWS\system32\services.exe[980] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00070040
.text C:\WINDOWS\system32\services.exe[980] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 000700CE
.text C:\WINDOWS\system32\services.exe[980] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00070F86
.text C:\WINDOWS\system32\services.exe[980] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000700E9
.text C:\WINDOWS\system32\services.exe[980] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00070F50
.text C:\WINDOWS\system32\services.exe[980] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 000700FA
.text C:\WINDOWS\system32\services.exe[980] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 0007005B
.text C:\WINDOWS\system32\services.exe[980] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[980] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 000700B1
.text C:\WINDOWS\system32\services.exe[980] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[980] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00070025
.text C:\WINDOWS\system32\services.exe[980] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00070F6B
.text C:\WINDOWS\system32\services.exe[980] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050070
.text C:\WINDOWS\system32\services.exe[980] msvcrt.dll!system 77C293C7 5 Bytes JMP 0005005F
.text C:\WINDOWS\system32\services.exe[980] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\services.exe[980] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0005000C
.text C:\WINDOWS\system32\services.exe[980] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050044
.text C:\WINDOWS\system32\services.exe[980] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0005001D
.text C:\WINDOWS\system32\services.exe[980] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00060025
.text C:\WINDOWS\system32\services.exe[980] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00060080
.text C:\WINDOWS\system32\services.exe[980] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00060014
.text C:\WINDOWS\system32\services.exe[980] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00060FDE
.text C:\WINDOWS\system32\services.exe[980] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00060065
.text C:\WINDOWS\system32\services.exe[980] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00060FB9
.text C:\WINDOWS\system32\services.exe[980] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[980] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00060036
.text C:\WINDOWS\system32\services.exe[980] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 0004000A
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01050000
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01050F6D
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01050F7E
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 01050F99
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 01050062
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01050FCA
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 010500A4
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01050093
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01050F15
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01050F26
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 01050EFA
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 01050051
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 01050FEF
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 01050F5C
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 01050036
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 01050025
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 01050F41
.text C:\WINDOWS\system32\lsass.exe[1016] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00FF002C
.text C:\WINDOWS\system32\lsass.exe[1016] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00FF0F94
.text C:\WINDOWS\system32\lsass.exe[1016] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00FF0FDB
.text C:\WINDOWS\system32\lsass.exe[1016] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00FF0011
.text C:\WINDOWS\system32\lsass.exe[1016] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00FF0051
.text C:\WINDOWS\system32\lsass.exe[1016] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00FF0FAF
.text C:\WINDOWS\system32\lsass.exe[1016] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\lsass.exe[1016] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00FF0FC0
.text C:\WINDOWS\system32\lsass.exe[1016] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FE0FA4
.text C:\WINDOWS\system32\lsass.exe[1016] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FE002F
.text C:\WINDOWS\system32\lsass.exe[1016] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FE0FC6
.text C:\WINDOWS\system32\lsass.exe[1016] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\lsass.exe[1016] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FE0FB5
.text C:\WINDOWS\system32\lsass.exe[1016] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\lsass.exe[1016] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00FD0FEF
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00DB0000
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00DB0076
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00DB0065
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00DB0F81
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00DB0F9E
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00DB0FB9
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00DB0F4B
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00DB0F66
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00DB00B8
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00DB0F29
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00DB0EFA
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00DB0040
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00DB001B
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00DB0087
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00DB0FD4
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00DB0FE5
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00DB0F3A
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00DA0014
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyExW 77DD7535 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00DA0039
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00DA0FB9
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00DA0FD4
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00DA0F7C
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00DA0F97
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00DA0FE5
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00DA0FA8
.text C:\WINDOWS\system32\svchost.exe[1168] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D90FB7
.text C:\WINDOWS\system32\svchost.exe[1168] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D9004C
.text C:\WINDOWS\system32\svchost.exe[1168] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D90FE3
.text C:\WINDOWS\system32\svchost.exe[1168] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D90000
.text C:\WINDOWS\system32\svchost.exe[1168] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D90FD2
.text C:\WINDOWS\system32\svchost.exe[1168] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D90011
.text C:\WINDOWS\system32\svchost.exe[1168] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00D80FE5
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00A50000
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!VirtualProtectEx 7C801A5D 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00A50F61
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00A50F72
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00A5004A
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00A50F8D
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00A50025
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00A50082
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00A50071
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00A500AE
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00A5009D
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00A500BF
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00A50F9E
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00A50FEF
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00A50F46
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00A50FB9
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00A50FCA
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00A50F1F
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00A40FAF
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00A40F79
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00A40FC0
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00A40000
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00A40036
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00A4001B
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00A40FE5
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00A40F94
.text C:\WINDOWS\system32\svchost.exe[1232] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A30044
.text C:\WINDOWS\system32\svchost.exe[1232] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A30033
.text C:\WINDOWS\system32\svchost.exe[1232] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A30FDE
.text C:\WINDOWS\system32\svchost.exe[1232] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A30000
.text C:\WINDOWS\system32\svchost.exe[1232] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A30FC3
.text C:\WINDOWS\system32\svchost.exe[1232] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A30FEF
.text C:\WINDOWS\system32\svchost.exe[1232] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00A20FEF
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 024F0FEF
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 024F0F55
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 024F0F66
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 024F0F77
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 024F0F94
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 024F002C
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 024F008A
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 024F0F38
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 024F00C0
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 024F00A5
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 024F00D1
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 024F0FA5
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 024F0FD4
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 024F006F
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 024F001B
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 024F000A
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 024F0F27
.text C:\WINDOWS\System32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 02310040
.text C:\WINDOWS\System32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 02310FA5
.text C:\WINDOWS\System32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 02310FE5
.text C:\WINDOWS\System32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 0231001B
.text C:\WINDOWS\System32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 02310FC0
.text C:\WINDOWS\System32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 02310062
.text C:\WINDOWS\System32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 0231000A
.text C:\WINDOWS\System32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 02310051
.text C:\WINDOWS\System32\svchost.exe[1284] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\51FFF6C6.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1284] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\51FFF6C6.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1284] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\51FFF6C6.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1284] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02140FCA
.text C:\WINDOWS\System32\svchost.exe[1284] msvcrt.dll!system 77C293C7 5 Bytes JMP 0214005F
.text C:\WINDOWS\System32\svchost.exe[1284] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02140FE5
.text C:\WINDOWS\System32\svchost.exe[1284] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0214000C
.text C:\WINDOWS\System32\svchost.exe[1284] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0214003A
.text C:\WINDOWS\System32\svchost.exe[1284] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02140029
.text C:\WINDOWS\System32\svchost.exe[1284] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 01D60000
.text C:\WINDOWS\System32\svchost.exe[1284] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 024E0FEF
.text C:\WINDOWS\System32\svchost.exe[1284] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 024E000A
.text C:\WINDOWS\System32\svchost.exe[1284] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 024E001B
.text C:\WINDOWS\System32\svchost.exe[1284] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 024E002C
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00900000
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 009000A1
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00900090
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00900073
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00900062
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0090003D
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 009000ED
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00900F9B
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00900119
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00900108
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 0090012A
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00900FB6
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00900011
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 009000BC
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 0090002C
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00900FDB
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00900F8A
.text C:\WINDOWS\system32\svchost.exe[1728] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 008F0040
.text C:\WINDOWS\system32\svchost.exe[1728] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 008F006C
.text C:\WINDOWS\system32\svchost.exe[1728] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 008F0FE5
.text C:\WINDOWS\system32\svchost.exe[1728] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 008F001B
.text C:\WINDOWS\system32\svchost.exe[1728] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 008F005B
.text C:\WINDOWS\system32\svchost.exe[1728] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 008F0FB9
.text C:\WINDOWS\system32\svchost.exe[1728] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 008F0000
.text C:\WINDOWS\system32\svchost.exe[1728] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 008F0FD4
.text C:\WINDOWS\system32\svchost.exe[1728] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 008E0F90
.text C:\WINDOWS\system32\svchost.exe[1728] msvcrt.dll!system 77C293C7 5 Bytes JMP 008E0FAB
.text C:\WINDOWS\system32\svchost.exe[1728] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 008E0FC6
.text C:\WINDOWS\system32\svchost.exe[1728] msvcrt.dll!_open 77C2F566 5 Bytes JMP 008E0000
.text C:\WINDOWS\system32\svchost.exe[1728] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 008E001B
.text C:\WINDOWS\system32\svchost.exe[1728] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 008E0FE3
.text C:\WINDOWS\system32\svchost.exe[1728] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 008D0FEF
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00B90000
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00B9007D
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00B90F88
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00B90062
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00B90FA5
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00B90FC0
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00B900A9
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00B90098
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00B90F2B
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00B90F46
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00B90F1A
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00B90047
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00B90011
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00B90F6D
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00B90FD1
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00B90022
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00B900BA
.text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00B70FCA
.text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00B70F72
.text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00B7001B
.text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00B70000
.text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00B70F83
.text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00B70F9E
.text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00B70FEF
.text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00B70FAF
.text C:\WINDOWS\system32\svchost.exe[1836] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\51FFF6C6.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1836] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\51FFF6C6.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1836] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\51FFF6C6.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1836] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B60058
.text C:\WINDOWS\system32\svchost.exe[1836] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B60047
.text C:\WINDOWS\system32\svchost.exe[1836] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B60FD7
.text C:\WINDOWS\system32\svchost.exe[1836] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B60000
.text C:\WINDOWS\system32\svchost.exe[1836] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B6002C
.text C:\WINDOWS\system32\svchost.exe[1836] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B60011
.text C:\WINDOWS\system32\svchost.exe[1836] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00B50FE5
.text C:\WINDOWS\system32\svchost.exe[1836] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00B80FEF
.text C:\WINDOWS\system32\svchost.exe[1836] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00B80FD4
.text C:\WINDOWS\system32\svchost.exe[1836] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00B80FC3
.text C:\WINDOWS\system32\svchost.exe[1836] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00B80014
.text C:\WINDOWS\system32\wuauclt.exe[3120] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001B0000
.text C:\WINDOWS\system32\wuauclt.exe[3120] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001B005E
.text C:\WINDOWS\system32\wuauclt.exe[3120] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001B0F5F
.text C:\WINDOWS\system32\wuauclt.exe[3120] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001B0F70
.text C:\WINDOWS\system32\wuauclt.exe[3120] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001B0F8D
.text C:\WINDOWS\system32\wuauclt.exe[3120] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001B0FB9
.text C:\WINDOWS\system32\wuauclt.exe[3120] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001B007B
.text C:\WINDOWS\system32\wuauclt.exe[3120] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001B0F33
.text C:\WINDOWS\system32\wuauclt.exe[3120] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001B0EEC
.text C:\WINDOWS\system32\wuauclt.exe[3120] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001B0EFD
.text C:\WINDOWS\system32\wuauclt.exe[3120] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 001B0096
.text C:\WINDOWS\system32\wuauclt.exe[3120] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 001B0F9E
.text C:\WINDOWS\system32\wuauclt.exe[3120] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\system32\wuauclt.exe[3120] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 001B0F4E
.text C:\WINDOWS\system32\wuauclt.exe[3120] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 001B0025
.text C:\WINDOWS\system32\wuauclt.exe[3120] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 001B0FD4
.text C:\WINDOWS\system32\wuauclt.exe[3120] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 001B0F0E
.text C:\WINDOWS\system32\wuauclt.exe[3120] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00290FA4
.text C:\WINDOWS\system32\wuauclt.exe[3120] msvcrt.dll!system 77C293C7 5 Bytes JMP 00290FB5
.text C:\WINDOWS\system32\wuauclt.exe[3120] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00290FC6
.text C:\WINDOWS\system32\wuauclt.exe[3120] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00290FE3
.text C:\WINDOWS\system32\wuauclt.exe[3120] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00290025
.text C:\WINDOWS\system32\wuauclt.exe[3120] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00290000
.text C:\WINDOWS\system32\wuauclt.exe[3120] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 002A003D
.text C:\WINDOWS\system32\wuauclt.exe[3120] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 002A0FC0
.text C:\WINDOWS\system32\wuauclt.exe[3120] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 002A002C
.text C:\WINDOWS\system32\wuauclt.exe[3120] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 002A001B
.text C:\WINDOWS\system32\wuauclt.exe[3120] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 002A007D
.text C:\WINDOWS\system32\wuauclt.exe[3120] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 002A0062
.text C:\WINDOWS\system32\wuauclt.exe[3120] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 002A000A
.text C:\WINDOWS\system32\wuauclt.exe[3120] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 002A0FDB
.text C:\WINDOWS\system32\wuauclt.exe[3120] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 003C0FEF
.text C:\Program Files\MSN Messenger\msnmsgr.exe[3136] kernel32.dll!SetUnhandledExceptionFilter 7C84467D 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\msnmsgr.exe (Messenger/Microsoft Corporation)
.text C:\Program Files\MSN Messenger\msnmsgr.exe[3136] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\51FFF6C6.x86.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[3136] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\51FFF6C6.x86.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[3136] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\51FFF6C6.x86.dll
.text C:\WINDOWS\system32\wuauclt.exe[3616] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001B000A
.text C:\WINDOWS\system32\wuauclt.exe[3616] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001B009D
.text C:\WINDOWS\system32\wuauclt.exe[3616] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001B0FB2
.text C:\WINDOWS\system32\wuauclt.exe[3616] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001B0FC3
.text C:\WINDOWS\system32\wuauclt.exe[3616] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001B0080
.text C:\WINDOWS\system32\wuauclt.exe[3616] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001B0051
.text C:\WINDOWS\system32\wuauclt.exe[3616] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001B00C9
.text C:\WINDOWS\system32\wuauclt.exe[3616] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001B0F83
.text C:\WINDOWS\system32\wuauclt.exe[3616] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001B0106
.text C:\WINDOWS\system32\wuauclt.exe[3616] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001B00F5
.text C:\WINDOWS\system32\wuauclt.exe[3616] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 001B0117
.text C:\WINDOWS\system32\wuauclt.exe[3616] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 001B0FD4
.text C:\WINDOWS\system32\wuauclt.exe[3616] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 001B0025
.text C:\WINDOWS\system32\wuauclt.exe[3616] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 001B00AE
.text C:\WINDOWS\system32\wuauclt.exe[3616] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 001B0FE5
.text C:\WINDOWS\system32\wuauclt.exe[3616] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 001B0036
.text C:\WINDOWS\system32\wuauclt.exe[3616] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 001B00E4
.text C:\WINDOWS\system32\wuauclt.exe[3616] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00290FAD
.text C:\WINDOWS\system32\wuauclt.exe[3616] msvcrt.dll!system 77C293C7 5 Bytes JMP 00290FC8
.text C:\WINDOWS\system32\wuauclt.exe[3616] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0029001D
.text C:\WINDOWS\system32\wuauclt.exe[3616] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00290FEF
.text C:\WINDOWS\system32\wuauclt.exe[3616] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00290038
.text C:\WINDOWS\system32\wuauclt.exe[3616] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0029000C
.text C:\WINDOWS\system32\wuauclt.exe[3616] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 003B0FC3
.text C:\WINDOWS\system32\wuauclt.exe[3616] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 003B0F8D
.text C:\WINDOWS\system32\wuauclt.exe[3616] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 003B000A
.text C:\WINDOWS\system32\wuauclt.exe[3616] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 003B0FDE
.text C:\WINDOWS\system32\wuauclt.exe[3616] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 003B0054
.text C:\WINDOWS\system32\wuauclt.exe[3616] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 003B0FB2
.text C:\WINDOWS\system32\wuauclt.exe[3616] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 003B0FEF
.text C:\WINDOWS\system32\wuauclt.exe[3616] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 003B002F

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\System32\svchost.exe[1284] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\51FFF6C6.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1284] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\51FFF6C6.x86.dll
IAT C:\WINDOWS\Explorer.EXE[1560] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [01572EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1560] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [01572C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1560] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [01572C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1560] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [01572C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\svchost.exe[1836] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\51FFF6C6.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1836] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\51FFF6C6.x86.dll
IAT C:\WINDOWS\system32\ctfmon.exe[2552] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [009D2EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\ctfmon.exe[2552] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [009D2C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\ctfmon.exe[2552] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [009D2C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\ctfmon.exe[2552] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [009D2C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\hkcmd.exe[2984] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00B12EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\hkcmd.exe[2984] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00B12C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\hkcmd.exe[2984] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00B12C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\hkcmd.exe[2984] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00B12C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\igfxpers.exe[3028] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [003A2EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\igfxpers.exe[3028] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [003A2C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\igfxpers.exe[3028] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [003A2C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\igfxpers.exe[3028] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [003A2C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\stsystra.exe[3068] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00A62EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\stsystra.exe[3068] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00A62C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\stsystra.exe[3068] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00A62C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\stsystra.exe[3068] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00A62C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\igfxsrvc.exe[3108] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00C22EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\igfxsrvc.exe[3108] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00C22C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\igfxsrvc.exe[3108] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00C22C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\igfxsrvc.exe[3108] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00C22C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\MSN Messenger\msnmsgr.exe[3136] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [01322EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\MSN Messenger\msnmsgr.exe[3136] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [01322C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\MSN Messenger\msnmsgr.exe[3136] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [01322C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\MSN Messenger\msnmsgr.exe[3136] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\51FFF6C6.x86.dll
IAT C:\Program Files\MSN Messenger\msnmsgr.exe[3136] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [01322C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\MSN Messenger\msnmsgr.exe[3136] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\51FFF6C6.x86.dll
IAT C:\Program Files\Dell\QuickSet\quickset.exe[3176] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00F52EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Dell\QuickSet\quickset.exe[3176] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00F52C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Dell\QuickSet\quickset.exe[3176] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00F52C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Dell\QuickSet\quickset.exe[3176] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00F52C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[3272] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00BA2EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[3272] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00BA2C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[3272] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00BA2C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[3272] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00BA2C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3300] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [003D2EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3300] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [003D2C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3300] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [003D2C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3300] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [003D2C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[3324] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00F92EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[3324] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00F92C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[3324] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00F92C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[3324] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00F92C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[3356] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00EB2EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[3356] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00EB2C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[3356] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00EB2C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[3356] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00EB2C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Network Associates\Common Framework\UdaterUI.exe[3388] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00B12EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Network Associates\Common Framework\UdaterUI.exe[3388] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00B12C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Network Associates\Common Framework\UdaterUI.exe[3388] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00B12C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Network Associates\Common Framework\UdaterUI.exe[3388] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00B12C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\rundll32.exe[3404] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00AD2EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\rundll32.exe[3404] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00AD2C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\rundll32.exe[3404] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00AD2C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\rundll32.exe[3404] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00AD2C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[3540] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00802EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[3540] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00802C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[3540] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00802C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[3540] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00802C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE[3596] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [003B2EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE[3596] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [003B2C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE[3596] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [003B2C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE[3596] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [003B2C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wuauclt.exe[3616] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00A12EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wuauclt.exe[3616] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00A12C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wuauclt.exe[3616] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00A12C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wuauclt.exe[3616] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00A12C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3692] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00992EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3692] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00992C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3692] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00992C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3692] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00992C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\jer6w8x2.exe[3956] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00802EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\jer6w8x2.exe[3956] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00802C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\jer6w8x2.exe[3956] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00802C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\jer6w8x2.exe[3956] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00802C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Network Associates\Common Framework\McTray.exe[3968] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00AC2EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Network Associates\Common Framework\McTray.exe[3968] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00AC2C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Network Associates\Common Framework\McTray.exe[3968] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00AC2C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Network Associates\Common Framework\McTray.exe[3968] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00AC2C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\51FFF6C6.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [212] 0x35670000
Library \\?\globalroot\Device\__max++>\51FFF6C6.x86.dll (*** hidden *** ) @ C:\Program Files\Network Associates\Common Framework\FrameworkService.exe [516] 0x35670000
Library \\?\globalroot\Device\__max++>\51FFF6C6.x86.dll (*** hidden *** ) @ C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe [560] 0x35670000
Library \\?\globalroot\Device\__max++>\51FFF6C6.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [852] 0x35670000
Library \\?\globalroot\Device\__max++>\51FFF6C6.x86.dll (*** hidden *** ) @ C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe [864] 0x026B0000
Library \\?\globalroot\Device\__max++>\51FFF6C6.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1232] 0x35670000
Library \\?\globalroot\Device\__max++>\51FFF6C6.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1284] 0x35670000
Library \\?\globalroot\Device\__max++>\51FFF6C6.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1836] 0x35670000
Library \\?\globalroot\Device\__max++>\51FFF6C6.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [2360] 0x35670000
Library \\?\globalroot\Device\__max++>\51FFF6C6.x86.dll (*** hidden *** ) @ C:\Program Files\MSN Messenger\msnmsgr.exe [3136] 0x35670000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001641cda501
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001641cda501@001b52f99c19 0xD2 0x8E 0x05 0xBD ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001641cda501@0036593195b7 0x2D 0xB0 0xA8 0x10 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001641cda501@0017d5b64bea 0x79 0xB0 0x84 0x93 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001641cda501 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001641cda501@001b52f99c19 0xD2 0x8E 0x05 0xBD ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001641cda501@0036593195b7 0x2D 0xB0 0xA8 0x10 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001641cda501@0017d5b64bea 0x79 0xB0 0x84 0x93 ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----

#6
NeonFx

    Malware Removal Dude

  • Expert
  • 3,792 posts
Thank you for your patience :) Please do the following:

NOTE: This is long. If you have trouble at any point, STOP and let me know.

Note:

You will notice that some programs will encounter the same error that OTL did the last time you ran it.

For the programs that don't want to run, please do the following:

Download this program

Drag each of the .exe files that you are unable to run and drop them onto Inherit.exe.

Then wait for it to say "OK". The programs should run fine after doing that.



STEP 1

Please delete your version of Win32kDiag.exe and redownload it from HERE

Make sure win32kdiag.exe is on your Desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag_f_r.txt on your desktop. Please open it with notepad and post the contents here.

STEP 2

1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to move:
C:\WINDOWS\system32\logevent.dll | C:\WINDOWS\system32\eventlog.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.



STEP 3

Reboot your computer and then Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

    [screenshot]

    [screenshot]
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------


    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------



    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" .

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.



STEP 4

Run GMER again.

  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.


STEP 5

  • Run OTL again.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under the Extra Registry box change it to Use SafeList if it is not selected.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.txt and Extras.Txt. These are saved in the same location as OTL.exe.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.

  • 0

#7
stoneman4172

    Member

  • Member
  • PipPip
  • 13 posts
Hi NeonFx, I've done all 5 steps. Step 4 crashed my computer twice before succeeding on the 3rd go. Results:

Step 1 - Win32kDiag.txt
Log file is located at: C:\Documents and Settings\Alfred\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\Temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\Debug\WPD\WPD

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Debug\WPD\WPD

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\Cache\Cache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\Cache\Cache

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\Logs\Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Logs\Logs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1025\1025

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1028\1028

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1031\1031

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1037\1037

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1041\1041

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1042\1042

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1054\1054

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\2052\2052

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3076\3076

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-1292428093-1450960922-725345543-1003\S-1-5-21-1292428093-1450960922-725345543-1003

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-1292428093-1450960922-725345543-1003\S-1-5-21-1292428093-1450960922-725345543-1003

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Temp

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\dhcp\dhcp

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 20:00:00 55808 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 20:00:00 62976 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-04 20:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\export\export

Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Machine

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Machine

Found mount point : C:\WINDOWS\system32\GroupPolicy\User\User

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\GroupPolicy\User\User

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Found mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\sample\sample

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Found mount point : C:\WINDOWS\system32\spool\drivers\w32x86\3\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\drivers\w32x86\3\temp\temp

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wins\wins

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\xircom\xircom

Found mount point : C:\WINDOWS\Temp\TestEngDat64\TestEngDat64

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\TestEngDat64\TestEngDat64

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05



Finished!

Step 2 - avenger.txt

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\WINDOWS\system32\logevent.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

Step 3 - ComboFix.txt

ComboFix 09-09-01.04 - Alfred 02/09/2009 12:55.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.607 [GMT 10:00]
Running from: c:\documents and settings\Alfred\Desktop\Combo-Fix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\Install.inf
c:\windows\system32\drivers\1028_DELL_XPS_MXC062 .MRK
c:\windows\system32\drivers\DELL_XPS_MXC062 .MRK
c:\windows\system32\kbiwkmpkiltehy.dat
c:\windows\system32\kbiwkmwemovmyc.dll
c:\windows\system32\net.net

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-08-02 to 2009-09-02 )))))))))))))))))))))))))))))))
.

2009-09-02 01:33 . 2009-09-02 01:33 -------- d-----w- c:\program files\DVD Decrypter
2009-09-02 01:16 . 2009-09-02 01:16 -------- d-----w- c:\program files\DVDx
2009-09-01 00:49 . 2009-09-01 00:49 288768 ----a-w- C:\jer6w8x2.exe
2009-08-31 11:39 . 2009-08-31 11:39 -------- d-----w- c:\program files\Trend Micro
2009-08-30 03:34 . 2009-09-02 01:57 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-30 02:43 . 2009-08-30 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-08-30 02:42 . 2009-08-30 02:42 -------- d-----w- c:\program files\Common Files\iS3
2009-08-30 02:42 . 2009-08-30 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-08-20 12:08 . 2009-08-20 12:13 -------- d-----w- c:\documents and settings\Alfred\Application Data\dvdcss
2009-08-12 05:40 . 2009-09-01 21:53 -------- d-----w- c:\documents and settings\Alfred\Application Data\vlc
2009-08-06 13:25 . 2009-08-06 13:25 -------- d-----w- c:\documents and settings\Alfred\Application Data\Media Player Classic
2009-08-06 07:12 . 2001-08-23 12:00 1677824 -c--a-w- c:\windows\system32\dllcache\chsbrkr.dll
2009-08-06 07:12 . 2001-08-23 12:00 1677824 ----a-w- c:\windows\system32\chsbrkr.dll
2009-08-06 07:12 . 2001-08-23 12:00 838144 -c--a-w- c:\windows\system32\dllcache\chtbrkr.dll
2009-08-06 07:12 . 2001-08-23 12:00 838144 ----a-w- c:\windows\system32\chtbrkr.dll
2009-08-06 07:12 . 2001-08-23 12:00 70656 -c--a-w- c:\windows\system32\dllcache\korwbrkr.dll
2009-08-06 07:12 . 2001-08-23 12:00 70656 ----a-w- c:\windows\system32\korwbrkr.dll
2009-08-06 07:12 . 2001-08-23 12:00 98304 -c--a-w- c:\windows\system32\dllcache\msir3jp.dll
2009-08-06 07:12 . 2001-08-23 12:00 98304 ----a-w- c:\windows\system32\msir3jp.dll
2009-08-06 07:12 . 2001-08-23 12:00 19456 -c--a-w- c:\windows\system32\dllcache\agt0404.dll
2009-08-06 07:12 . 2001-08-23 12:00 10096640 -c--a-w- c:\windows\system32\dllcache\hwxcht.dll
2009-08-06 06:52 . 2001-08-17 12:36 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2009-08-06 06:52 . 2001-08-17 12:36 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2009-08-06 06:52 . 2001-08-17 12:36 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2009-08-06 06:52 . 2001-08-17 12:36 8192 ----a-w- c:\windows\system32\kbdkor.dll
2009-08-06 06:52 . 2001-08-17 04:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2009-08-06 06:52 . 2001-08-17 04:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
2009-08-06 06:52 . 2001-08-17 04:55 6144 ----a-w- c:\windows\system32\kbd106.dll
2009-08-06 06:52 . 2001-08-17 04:55 6144 ----a-w- c:\windows\system32\kbd101c.dll
2009-08-06 06:52 . 2001-08-17 04:55 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
2009-08-06 06:52 . 2001-08-17 04:55 5632 ----a-w- c:\windows\system32\kbd103.dll
2009-08-06 06:52 . 2001-08-17 04:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2009-08-06 06:52 . 2001-08-17 04:55 6144 ----a-w- c:\windows\system32\kbd101b.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-02 02:37 . 2007-05-29 03:16 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-09-01 01:14 . 2007-06-04 02:31 68728 ----a-w- c:\documents and settings\Alfred\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-28 04:11 . 2007-06-18 11:57 -------- d-----w- c:\documents and settings\Alfred\Application Data\Ahead
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-30 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-30 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-30 138008]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-02-20 1191936]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-13 488984]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-24 210472]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe" [2006-11-27 255528]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"masqform.exe"="c:\program files\IBM\Workplace Forms\Viewer\2.7\masqform.exe" [2007-03-19 946176]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-04 110592]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AMP Illustrations plus Update Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AMP Illustrations plus Update Manager.lnk
backup=c:\windows\pss\AMP Illustrations plus Update Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=c:\windows\pss\Service Manager.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 MSSQL$IWBDB;MSSQL$IWBDB;c:\msde\Binn\MSSQL$IWBDB\Binn\sqlservr.exe -sIWBDB --> c:\msde\Binn\MSSQL$IWBDB\Binn\sqlservr.exe -sIWBDB [?]
S3 SQLAgent$IWBDB;SQLAgent$IWBDB;c:\msde\Binn\MSSQL$IWBDB\Binn\sqlagent.EXE -i IWBDB --> c:\msde\Binn\MSSQL$IWBDB\Binn\sqlagent.EXE -i IWBDB [?]
S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [1/10/2006 10:37 PM 26624]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-net - c:\windows\system32\net.net


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/ig
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: iress.com.au\xplan2
DPF: {53D40FAA-4E21-459F-AA87-E4D97FC3245A} - hxxps://secure.mwt.com.au/installations/full/2767/setup.exe
DPF: {5D80A6D1-B500-47DA-82B8-EB9875F85B4D} - hxxp://dl.google.com/dl/desktop/nv/GoogleGadgetPluginIEWin.cab
DPF: {804F9BC5-0EAB-4150-8065-0DF485420670} - hxxps://secure.mwt.com.au/installations/full/2724/setup.exe
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-02 13:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\windows\system32\BRSS01A.EXE
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\msde\Binn\MSSQL$IWBDB\Binn\sqlservr.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\windows\system32\stacsv.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Network Associates\Common Framework\Mctray.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-02 13:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-02 03:05

Pre-Run: 51,105,529,856 bytes free
Post-Run: 51,301,388,288 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

173 --- E O F --- 2008-12-18 07:06
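Added example, not part of the post above and not code from ComboFix or GMER: a small Python triage script that runs over a constructed excerpt of the two logs (the lines are copied from the output above, with blank lines and section banners dropped). It pulls out the items a helper would act on from a log like this: the standard-profile Windows Firewall flag, the orphaned Run entries ComboFix removed, and which driver owns each kernel hook, and it checks whether the user-mode inline hooks land on the same API set in every process (the pattern of a host intrusion prevention product, such as the McAfee driver GMER itself names here) or whether one process carries hooks no other process has, which is the pattern worth a closer look. The KNOWN_HOOKING_DRIVERS allow-list is an assumption made for this example; neither tool publishes such a list.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the ComboFix and GMER output in the
# post above (blank lines and section banners dropped); the real logs are long.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
- - - - ORPHANS REMOVED - - - -
HKLM-Run-net - c:\windows\system32\net.net
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA8EE457B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
.text ntkrnlpa.exe!ZwYieldExecution 80504AB0 7 Bytes JMP A8EE45BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80577F8E 5 Bytes JMP A8EE457F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text C:\WINDOWS\system32\svchost.exe[640] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00750000
.text C:\WINDOWS\system32\svchost.exe[640] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00720FE5
.text C:\WINDOWS\system32\lsass.exe[1004] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00CA0000
.text C:\WINDOWS\system32\lsass.exe[1004] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00C70000
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 02D10FEF
.text C:\WINDOWS\System32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyExW 77DD7535 1 Byte [E9]
.text C:\WINDOWS\System32\svchost.exe[1368] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 01CA0000
.text C:\WINDOWS\System32\svchost.exe[1368] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 02D00FE5
"""

# Assumption for this example: kernel drivers whose hooks are expected on this
# machine. GMER itself labels mfehidk.sys as McAfee's HIPS driver.
KNOWN_HOOKING_DRIVERS = {"mfehidk.sys"}

REG_KEY = re.compile(r"^\[(?P<key>.+)\]$")
FIREWALL = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)')
ORPHAN = re.compile(r"^(?P<key>HK\w+-\S+) - (?P<path>\S.*)$")
KERNEL_SSDT = re.compile(r"^Code (?P<driver>\S+) \([^)]*\) \w+( \[0x[0-9A-F]+\])?$")
KERNEL_INLINE = re.compile(r"^(?:\.text|PAGE) \S+!\w+ [0-9A-F]+ \d+ Bytes? JMP [0-9A-F]+ "
                           r"(?P<driver>\S+) \([^)]*\)$")
USER_HOOK = re.compile(r"^\.text (?P<proc>\S.*?)\[(?P<pid>\d+)\] (?P<module>[\w.]+)!"
                       r"(?P<func>\w+) [0-9A-F]+ \d+ Bytes? .+$")


def basename(path):
    """Last component of a Windows path, independent of the host OS."""
    return path.rsplit("\\", 1)[-1]


def triage(text):
    """Parse ComboFix/GMER log text into a small triage report."""
    firewall, orphans = None, []
    kernel_hooks = defaultdict(int)   # driver basename -> number of hooks
    user_hooks = defaultdict(set)     # "image[pid]" -> {"module!func", ...}
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if m := REG_KEY.match(line):
            current_key = m.group("key").lower()
        elif (m := FIREWALL.match(line)) and current_key.endswith(r"firewallpolicy\standardprofile"):
            firewall = m.group("val") != "0"
        elif m := ORPHAN.match(line):
            orphans.append((m.group("key"), m.group("path")))
        elif m := KERNEL_SSDT.match(line) or KERNEL_INLINE.match(line):
            kernel_hooks[basename(m.group("driver"))] += 1
        elif m := USER_HOOK.match(line):
            user_hooks[f"{basename(m.group('proc'))}[{m.group('pid')}]"].add(
                f"{m.group('module')}!{m.group('func')}")
    # A HIPS product hooks the same API set in every process; a hook that only
    # one process carries is what a targeted injection looks like.
    sets = list(user_hooks.values())
    common = set.intersection(*sets) if sets else set()
    return {
        "firewall_enabled": firewall,
        "orphans": orphans,
        "kernel_hooks": dict(kernel_hooks),
        "unknown_kernel_hookers": sorted(d for d in kernel_hooks if d not in KNOWN_HOOKING_DRIVERS),
        "common_user_hooks": sorted(common),
        "process_specific_hooks": {p: sorted(f - common) for p, f in user_hooks.items() if f - common},
    }


def summarize(report):
    """Render the report as short lines a helper could paste into a reply."""
    out = [f"Windows Firewall (standard profile) enabled: {report['firewall_enabled']}"]
    out += [f"Orphaned autorun removed: {k} -> {p}" for k, p in report["orphans"]]
    out += [f"Kernel hooks owned by {d}: {n} ({'known' if d in KNOWN_HOOKING_DRIVERS else 'UNKNOWN'})"
            for d, n in sorted(report["kernel_hooks"].items())]
    out.append(f"User-mode APIs hooked in every listed process: {len(report['common_user_hooks'])}")
    out += [f"Hooks only in {p}: {', '.join(x)}" for p, x in report["process_specific_hooks"].items()]
    return out


if __name__ == "__main__":
    print("\n".join(summarize(triage(SAMPLE_LOG))))
```

On the sample it reports the firewall disabled, the net.net orphan, four kernel hooks all owned by mfehidk.sys (so nothing unknown under the assumed allow-list), and the ADVAPI32 and WININET entries in svchost.exe[1368] as process-specific. That last flag still needs a human: in the full log that svchost is the only process listing WININET hooks, and whether that is the same product hooking one more loaded DLL or something else is a judgment the script deliberately leaves to the reader.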

#8 stoneman4172 (Member, 13 posts)
Step 4 - Results.log

GMER 1.0.15.15077 [jer6w8x2.exe] - http://www.gmer.net
Rootkit scan 2009-09-02 13:35:31
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA8EE457B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xA8EE44FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA8EE45A5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA8EE450F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA8EE453B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA8EE45CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA8EE44E7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA8EE458F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA8EE4525]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xA8EE4551]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA8EE4567]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA8EE45E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA8EE45B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AB0 7 Bytes JMP A8EE45BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80577F8E 5 Bytes JMP A8EE457F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B0E36 7 Bytes JMP A8EE45D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B1C44 5 Bytes JMP A8EE45E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B7216 7 Bytes JMP A8EE4593 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805CFF26 5 Bytes JMP A8EE45A9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D167A 5 Bytes JMP A8EE456B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80620C3E 7 Bytes JMP A8EE4555 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80621FA4 7 Bytes JMP A8EE4529 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 8062257E 5 Bytes JMP A8EE44FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80622A0E 7 Bytes JMP A8EE4513 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80622BDE 7 Bytes JMP A8EE453F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80623914 5 Bytes JMP A8EE44EB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[640] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00750000
.text C:\WINDOWS\system32\svchost.exe[640] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00750078
.text C:\WINDOWS\system32\svchost.exe[640] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00750F83
.text C:\WINDOWS\system32\svchost.exe[640] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00750F94
.text C:\WINDOWS\system32\svchost.exe[640] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00750FA5
.text C:\WINDOWS\system32\svchost.exe[640] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00750FDB
.text C:\WINDOWS\system32\svchost.exe[640] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00750F32
.text C:\WINDOWS\system32\svchost.exe[640] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00750F4D
.text C:\WINDOWS\system32\svchost.exe[640] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00750EFC
.text C:\WINDOWS\system32\svchost.exe[640] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00750F17
.text C:\WINDOWS\system32\svchost.exe[640] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 007500B0
.text C:\WINDOWS\system32\svchost.exe[640] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00750FC0
.text C:\WINDOWS\system32\svchost.exe[640] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 0075001B
.text C:\WINDOWS\system32\svchost.exe[640] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00750F5E
.text C:\WINDOWS\system32\svchost.exe[640] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00750047
.text C:\WINDOWS\system32\svchost.exe[640] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 0075002C
.text C:\WINDOWS\system32\svchost.exe[640] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00750095
.text C:\WINDOWS\system32\svchost.exe[640] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 0074001E
.text C:\WINDOWS\system32\svchost.exe[640] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00740F9E
.text C:\WINDOWS\system32\svchost.exe[640] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00740FCD
.text C:\WINDOWS\system32\svchost.exe[640] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00740FDE
.text C:\WINDOWS\system32\svchost.exe[640] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00740065
.text C:\WINDOWS\system32\svchost.exe[640] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 0074004A
.text C:\WINDOWS\system32\svchost.exe[640] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00740FEF
.text C:\WINDOWS\system32\svchost.exe[640] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00740039
.text C:\WINDOWS\system32\svchost.exe[640] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00730027
.text C:\WINDOWS\system32\svchost.exe[640] msvcrt.dll!system 77C293C7 5 Bytes JMP 00730F9C
.text C:\WINDOWS\system32\svchost.exe[640] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00730FC8
.text C:\WINDOWS\system32\svchost.exe[640] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00730000
.text C:\WINDOWS\system32\svchost.exe[640] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00730FB7
.text C:\WINDOWS\system32\svchost.exe[640] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00730FE3
.text C:\WINDOWS\system32\svchost.exe[640] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00720FE5
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[768] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01650000
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[768] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01650089
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[768] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01650F94
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[768] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 01650062
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[768] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 01650FA5
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[768] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01650FC0
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[768] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 016500B7
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[768] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01650F6F
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[768] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01650F4D
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[768] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01650F5E
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[768] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 01650F32
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[768] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 01650047
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[768] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 01650FDB
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[768] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 0165009A
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[768] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 0165002C
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[768] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 01650011
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[768] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 016500D2
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[768] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 01640FB2
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[768] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 01640F8D
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[768] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 01640FC3
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[768] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 01640FDE
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[768] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 01640054
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[768] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 01640039
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[768] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 01640FEF
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[768] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 0164001E
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[768] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01630FAD
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[768] msvcrt.dll!system 77C293C7 5 Bytes JMP 01630038
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[768] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01630027
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[768] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01630FEF
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[768] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01630FC8
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[768] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0163000C
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[768] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00F10FEF
.text C:\WINDOWS\system32\services.exe[992] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[992] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00070F70
.text C:\WINDOWS\system32\services.exe[992] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00070065
.text C:\WINDOWS\system32\services.exe[992] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00070F97
.text C:\WINDOWS\system32\services.exe[992] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00070FA8
.text C:\WINDOWS\system32\services.exe[992] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[992] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00070091
.text C:\WINDOWS\system32\services.exe[992] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00070080
.text C:\WINDOWS\system32\services.exe[992] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000700B6
.text C:\WINDOWS\system32\services.exe[992] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00070F1D
.text C:\WINDOWS\system32\services.exe[992] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 000700C7
.text C:\WINDOWS\system32\services.exe[992] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00070FC3
.text C:\WINDOWS\system32\services.exe[992] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00070025
.text C:\WINDOWS\system32\services.exe[992] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00070F55
.text C:\WINDOWS\system32\services.exe[992] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[992] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00070040
.text C:\WINDOWS\system32\services.exe[992] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00070F2E
.text C:\WINDOWS\system32\services.exe[992] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050FB2
.text C:\WINDOWS\system32\services.exe[992] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050FCD
.text C:\WINDOWS\system32\services.exe[992] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\services.exe[992] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\services.exe[992] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050FDE
.text C:\WINDOWS\system32\services.exe[992] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0005001D
.text C:\WINDOWS\system32\services.exe[992] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 0006002C
.text C:\WINDOWS\system32\services.exe[992] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00060058
.text C:\WINDOWS\system32\services.exe[992] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 0006001B
.text C:\WINDOWS\system32\services.exe[992] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00060FE5
.text C:\WINDOWS\system32\services.exe[992] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00060F9B
.text C:\WINDOWS\system32\services.exe[992] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00060FAC
.text C:\WINDOWS\system32\services.exe[992] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[992] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 0006003D
.text C:\WINDOWS\system32\services.exe[992] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\lsass.exe[1004] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00CA0000
.text C:\WINDOWS\system32\lsass.exe[1004] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00CA0089
.text C:\WINDOWS\system32\lsass.exe[1004] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00CA006E
.text C:\WINDOWS\system32\lsass.exe[1004] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00CA005D
.text C:\WINDOWS\system32\lsass.exe[1004] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00CA0040
.text C:\WINDOWS\system32\lsass.exe[1004] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00CA0FB9
.text C:\WINDOWS\system32\lsass.exe[1004] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00CA00A4
.text C:\WINDOWS\system32\lsass.exe[1004] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00CA0F5C
.text C:\WINDOWS\system32\lsass.exe[1004] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00CA0F30
.text C:\WINDOWS\system32\lsass.exe[1004] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00CA0F41
.text C:\WINDOWS\system32\lsass.exe[1004] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00CA0F0B
.text C:\WINDOWS\system32\lsass.exe[1004] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00CA0FA8
.text C:\WINDOWS\system32\lsass.exe[1004] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00CA001B
.text C:\WINDOWS\system32\lsass.exe[1004] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00CA0F79
.text C:\WINDOWS\system32\lsass.exe[1004] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00CA0FCA
.text C:\WINDOWS\system32\lsass.exe[1004] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00CA0FEF
.text C:\WINDOWS\system32\lsass.exe[1004] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00CA00BF
.text C:\WINDOWS\system32\lsass.exe[1004] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00C90FD4
.text C:\WINDOWS\system32\lsass.exe[1004] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00C90065
.text C:\WINDOWS\system32\lsass.exe[1004] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00C90025
.text C:\WINDOWS\system32\lsass.exe[1004] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00C9000A
.text C:\WINDOWS\system32\lsass.exe[1004] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00C9004A
.text C:\WINDOWS\system32\lsass.exe[1004] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00C90FA8
.text C:\WINDOWS\system32\lsass.exe[1004] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00C90FEF
.text C:\WINDOWS\system32\lsass.exe[1004] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00C90FC3
.text C:\WINDOWS\system32\lsass.exe[1004] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C80F9A
.text C:\WINDOWS\system32\lsass.exe[1004] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C80FAB
.text C:\WINDOWS\system32\lsass.exe[1004] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C80FC6
.text C:\WINDOWS\system32\lsass.exe[1004] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C80FE3
.text C:\WINDOWS\system32\lsass.exe[1004] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C80011
.text C:\WINDOWS\system32\lsass.exe[1004] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C80000
.text C:\WINDOWS\system32\lsass.exe[1004] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00C70000
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00D70FEF
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00D70093
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00D70082
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00D7005B
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00D7004A
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00D70FAF
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00D70F8D
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00D700C9
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00D70F46
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00D70F61
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00D700FA
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00D70F9E
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00D70000
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00D700AE
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00D70011
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00D70FC0
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00D70F72
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00D60036
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00D60051
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00D6001B
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00D6000A
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00D60F94
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00D60FAF
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00D60FEF
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00D60FCA
.text C:\WINDOWS\system32\svchost.exe[1180] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D50044
.text C:\WINDOWS\system32\svchost.exe[1180] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D50FB9
.text C:\WINDOWS\system32\svchost.exe[1180] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D50029
.text C:\WINDOWS\system32\svchost.exe[1180] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D50FEF
.text C:\WINDOWS\system32\svchost.exe[1180] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D50FD4
.text C:\WINDOWS\system32\svchost.exe[1180] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D5000C
.text C:\WINDOWS\system32\svchost.exe[1180] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00D40000
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00A50FEF
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00A50078
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00A50067
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00A50F83
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00A50F94
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00A50FD4
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00A50F4B
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00A50093
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00A500B5
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00A500A4
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00A500DA
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00A50FB9
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00A50014
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00A50F72
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00A50036
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00A50025
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00A50F26
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00A40051
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00A40FB6
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00A4002C
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00A4001B
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00A40073
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00A40FD1
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00A40000
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00A40062
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A30F95
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A30FB0
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A30FD2
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A30FE3
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A30FC1
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A30000
.text C:\WINDOWS\system32\svchost.exe[1224] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00A20FEF
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[1276] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01060FE5
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[1276] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01060062
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[1276] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01060F6D
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[1276] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 01060051
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[1276] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 01060036
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[1276] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01060014
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[1276] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 0106008E
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[1276] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01060F52
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[1276] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01060F21
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[1276] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 010600BA
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[1276] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 010600DF
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[1276] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 01060025
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[1276] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 01060FD4
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[1276] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 01060073
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[1276] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 01060FA8
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[1276] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 01060FC3
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[1276] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 0106009F
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[1276] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 0105002C
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[1276] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 01050F8D
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[1276] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 01050FDB
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[1276] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 01050011
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[1276] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 01050F9E
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[1276] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 01050FB9
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[1276] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 01050000
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[1276] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 01050FCA
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[1276] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01040F90
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[1276] msvcrt.dll!system 77C293C7 5 Bytes JMP 01040011
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[1276] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01040FC6
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[1276] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01040FEF
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[1276] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01040FAB
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[1276] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01040000
.text C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe[1276] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 0103000A
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 02D10FEF
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 02D10065
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 02D1004A
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 02D10F70
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 02D10039
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 02D10FA8
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 02D10082
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 02D10F3A
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 02D100A4
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 02D10093
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 02D100B5
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 02D10F8D
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 02D10FD4
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 02D10F4B
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 02D10FB9
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 02D1000A
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 02D10F1F
.text C:\WINDOWS\System32\svchost.exe[1368] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 02440FA8
.text C:\WINDOWS\System32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyExW 77DD7535 1 Byte [E9]
.text C:\WINDOWS\System32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 02440039
.text C:\WINDOWS\System32\svchost.exe[1368] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 02440FC3
.text C:\WINDOWS\System32\svchost.exe[1368] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 02440FD4
.text C:\WINDOWS\System32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 02440F86
.text C:\WINDOWS\System32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 02440028
.text C:\WINDOWS\System32\svchost.exe[1368] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 02440FEF
.text C:\WINDOWS\System32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 02440F97
.text C:\WINDOWS\System32\svchost.exe[1368] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01CC0F89
.text C:\WINDOWS\System32\svchost.exe[1368] msvcrt.dll!system 77C293C7 5 Bytes JMP 01CC0F9A
.text C:\WINDOWS\System32\svchost.exe[1368] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01CC0FC6
.text C:\WINDOWS\System32\svchost.exe[1368] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01CC0FEF
.text C:\WINDOWS\System32\svchost.exe[1368] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01CC0FAB
.text C:\WINDOWS\System32\svchost.exe[1368] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01CC0000
.text C:\WINDOWS\System32\svchost.exe[1368] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 01CA0000
.text C:\WINDOWS\System32\svchost.exe[1368] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 02D00FE5
.text C:\WINDOWS\System32\svchost.exe[1368] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 02D00000
.text C:\WINDOWS\System32\svchost.exe[1368] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 02D00FCA
.text C:\WINDOWS\System32\svchost.exe[1368] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 02D00025
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1568] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00CF0FE5
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1568] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00CF004C
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1568] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00CF0F57
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1568] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00CF0F72
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1568] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00CF0F8D
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1568] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00CF0F9E
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1568] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00CF0F2B
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1568] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00CF0F3C
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1568] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00CF0098
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1568] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00CF0EFF
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1568] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00CF0EE4
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1568] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00CF002F
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1568] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00CF0FD4
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1568] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00CF0067
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1568] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00CF000A
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1568] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00CF0FB9
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1568] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00CF0F1A
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1568] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00CE0036
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1568] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00CE0098
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1568] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00CE001B
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1568] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00CE0FEF
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1568] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00CE0073
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1568] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00CE0062
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1568] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00CE000A
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1568] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00CE0047
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1568] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CD0FB9
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1568] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CD0044
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1568] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CD0FD4
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1568] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CD000C
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1568] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CD0033
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1568] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CD0FEF
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1568] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00CC0000
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00E60FEF
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00E60076
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00E6005B
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00E6004A
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00E60039
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00E60FB2
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00E600A2
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00E60091
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00E600E2
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00E60F3F
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00E600F3
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00E60F97
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00E60FDE
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00E60F66
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00E60014
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00E60FC3
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00E600B3
.text C:\WINDOWS\system32\svchost.exe[1816] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00E50FC0
.text C:\WINDOWS\system32\svchost.exe[1816] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00E50073
.text C:\WINDOWS\system32\svchost.exe[1816] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00E5001B
.text C:\WINDOWS\system32\svchost.exe[1816] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00E50000
.text C:\WINDOWS\system32\svchost.exe[1816] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00E50058
.text C:\WINDOWS\system32\svchost.exe[1816] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00E5003D
.text C:\WINDOWS\system32\svchost.exe[1816] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00E50FE5
.text C:\WINDOWS\system32\svchost.exe[1816] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00E5002C
.text C:\WINDOWS\system32\svchost.exe[1816] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E40036
.text C:\WINDOWS\system32\svchost.exe[1816] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E40FAB
.text C:\WINDOWS\system32\svchost.exe[1816] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E40000
.text C:\WINDOWS\system32\svchost.exe[1816] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E40FEF
.text C:\WINDOWS\system32\svchost.exe[1816] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E40011
.text C:\WINDOWS\system32\svchost.exe[1816] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E40FC6
.text C:\WINDOWS\system32\svchost.exe[1816] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00E30000
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00A80000
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00A80093
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00A80F9E
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00A80FAF
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00A8006C
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00A80FDB
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00A800DC
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00A800BF
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00A8011C
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00A80F83
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00A80F72
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00A80FCA
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00A8001B
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00A800AE
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00A80047
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00A8002C
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00A800F7
.text C:\WINDOWS\system32\svchost.exe[1848] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00A70025
.text C:\WINDOWS\system32\svchost.exe[1848] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00A70F86
.text C:\WINDOWS\system32\svchost.exe[1848] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00A70014
.text C:\WINDOWS\system32\svchost.exe[1848] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00A70FDE
.text C:\WINDOWS\system32\svchost.exe[1848] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00A70F97
.text C:\WINDOWS\system32\svchost.exe[1848] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00A70FB2
.text C:\WINDOWS\system32\svchost.exe[1848] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00A70FEF
.text C:\WINDOWS\system32\svchost.exe[1848] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00A70FC3
.text C:\WINDOWS\system32\svchost.exe[1848] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A60FB4
.text C:\WINDOWS\system32\svchost.exe[1848] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A6003F
.text C:\WINDOWS\system32\svchost.exe[1848] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A6001D
.text C:\WINDOWS\system32\svchost.exe[1848] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A6000C
.text C:\WINDOWS\system32\svchost.exe[1848] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A6002E
.text C:\WINDOWS\system32\svchost.exe[1848] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A60FEF
.text C:\WINDOWS\system32\svchost.exe[1848] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00A50000
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00AD0FEF
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00AD0091
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00AD006C
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00AD0F9E
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00AD005B
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00AD002F
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00AD0F50
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00AD00A2
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00AD0F1A
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00AD00B3
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00AD00CE
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00AD004A
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00AD0FD4
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00AD0F81
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00AD0014
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00AD0FC3
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00AD0F35
.text C:\WINDOWS\system32\svchost.exe[2008] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00AB0FCA
.text C:\WINDOWS\system32\svchost.exe[2008] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00AB0F94
.text C:\WINDOWS\system32\svchost.exe[2008] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00AB0011
.text C:\WINDOWS\system32\svchost.exe[2008] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00AB0FE5
.text C:\WINDOWS\system32\svchost.exe[2008] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00AB005B
.text C:\WINDOWS\system32\svchost.exe[2008] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00AB0FB9
.text C:\WINDOWS\system32\svchost.exe[2008] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00AB0000
.text C:\WINDOWS\system32\svchost.exe[2008] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00AB0040
.text C:\WINDOWS\system32\svchost.exe[2008] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AA006B
.text C:\WINDOWS\system32\svchost.exe[2008] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AA0050
.text C:\WINDOWS\system32\svchost.exe[2008] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AA002E
.text C:\WINDOWS\system32\svchost.exe[2008] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AA0000
.text C:\WINDOWS\system32\svchost.exe[2008] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AA003F
.text C:\WINDOWS\system32\svchost.exe[2008] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AA0011
.text C:\WINDOWS\system32\svchost.exe[2008] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00A90000
.text C:\WINDOWS\system32\svchost.exe[2008] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00AC0000
.text C:\WINDOWS\system32\svchost.exe[2008] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00AC001B
.text C:\WINDOWS\system32\svchost.exe[2008] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00AC0FE5
.text C:\WINDOWS\system32\svchost.exe[2008] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00AC0040
.text C:\WINDOWS\system32\wuauclt.exe[2180] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001B0000
.text C:\WINDOWS\system32\wuauclt.exe[2180] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001B0093
.text C:\WINDOWS\system32\wuauclt.exe[2180] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001B0F94
.text C:\WINDOWS\system32\wuauclt.exe[2180] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001B006C
.text C:\WINDOWS\system32\wuauclt.exe[2180] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001B005B
.text C:\WINDOWS\system32\wuauclt.exe[2180] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001B0FCA
.text C:\WINDOWS\system32\wuauclt.exe[2180] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001B0F61
.text C:\WINDOWS\system32\wuauclt.exe[2180] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001B0F72
.text C:\WINDOWS\system32\wuauclt.exe[2180] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001B0F46
.text C:\WINDOWS\system32\wuauclt.exe[2180] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001B00DF
.text C:\WINDOWS\system32\wuauclt.exe[2180] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 001B0F35
.text C:\WINDOWS\system32\wuauclt.exe[2180] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 001B0FAF
.text C:\WINDOWS\system32\wuauclt.exe[2180] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 001B0FE5
.text C:\WINDOWS\system32\wuauclt.exe[2180] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 001B0F83
.text C:\WINDOWS\system32\wuauclt.exe[2180] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 001B0036
.text C:\WINDOWS\system32\wuauclt.exe[2180] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 001B001B
.text C:\WINDOWS\system32\wuauclt.exe[2180] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 001B00C4
.text C:\WINDOWS\system32\wuauclt.exe[2180] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00290FD2
.text C:\WINDOWS\system32\wuauclt.exe[2180] msvcrt.dll!system 77C293C7 5 Bytes JMP 00290053
.text C:\WINDOWS\system32\wuauclt.exe[2180] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00290027
.text C:\WINDOWS\system32\wuauclt.exe[2180] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00290000
.text C:\WINDOWS\system32\wuauclt.exe[2180] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00290042
.text C:\WINDOWS\system32\wuauclt.exe[2180] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00290FE3
.text C:\WINDOWS\system32\wuauclt.exe[2180] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 002A0FAF
.text C:\WINDOWS\system32\wuauclt.exe[2180] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 002A0F79
.text C:\WINDOWS\system32\wuauclt.exe[2180] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 002A0FCA
.text C:\WINDOWS\system32\wuauclt.exe[2180] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 002A0000
.text C:\WINDOWS\system32\wuauclt.exe[2180] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 002A0F8A
.text C:\WINDOWS\system32\wuauclt.exe[2180] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 002A002C
.text C:\WINDOWS\system32\wuauclt.exe[2180] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\system32\wuauclt.exe[2180] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 002A001B
.text C:\WINDOWS\system32\wuauclt.exe[2180] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 002B0FE5
.text C:\WINDOWS\system32\wuauclt.exe[2908] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001B0000
.text C:\WINDOWS\system32\wuauclt.exe[2908] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001B0062
.text C:\WINDOWS\system32\wuauclt.exe[2908] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001B0051
.text C:\WINDOWS\system32\wuauclt.exe[2908] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001B0F83
.text C:\WINDOWS\system32\wuauclt.exe[2908] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001B0F94
.text C:\WINDOWS\system32\wuauclt.exe[2908] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001B002C
.text C:\WINDOWS\system32\wuauclt.exe[2908] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001B0F21
.text C:\WINDOWS\system32\wuauclt.exe[2908] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001B0F48
.text C:\WINDOWS\system32\wuauclt.exe[2908] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001B00BA
.text C:\WINDOWS\system32\wuauclt.exe[2908] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001B009F
.text C:\WINDOWS\system32\wuauclt.exe[2908] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 001B0F06
.text C:\WINDOWS\system32\wuauclt.exe[2908] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 001B0FA5
.text C:\WINDOWS\system32\wuauclt.exe[2908] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 001B0FE5
.text C:\WINDOWS\system32\wuauclt.exe[2908] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 001B0073
.text C:\WINDOWS\system32\wuauclt.exe[2908] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 001B001B
.text C:\WINDOWS\system32\wuauclt.exe[2908] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 001B0FCA
.text C:\WINDOWS\system32\wuauclt.exe[2908] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 001B0084
.text C:\WINDOWS\system32\wuauclt.exe[2908] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00290FB7
.text C:\WINDOWS\system32\wuauclt.exe[2908] msvcrt.dll!system 77C293C7 5 Bytes JMP 00290042
.text C:\WINDOWS\system32\wuauclt.exe[2908] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00290016
.text C:\WINDOWS\system32\wuauclt.exe[2908] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00290FEF
.text C:\WINDOWS\system32\wuauclt.exe[2908] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00290027
.text C:\WINDOWS\system32\wuauclt.exe[2908] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00290FDE
.text C:\WINDOWS\system32\wuauclt.exe[2908] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 002A0FCA
.text C:\WINDOWS\system32\wuauclt.exe[2908] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 002A0054
.text C:\WINDOWS\system32\wuauclt.exe[2908] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 002A001B
.text C:\WINDOWS\system32\wuauclt.exe[2908] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 002A0FE5
.text C:\WINDOWS\system32\wuauclt.exe[2908] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 002A0F8D
.text C:\WINDOWS\system32\wuauclt.exe[2908] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 002A0F9E
.text C:\WINDOWS\system32\wuauclt.exe[2908] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 002A0000
.text C:\WINDOWS\system32\wuauclt.exe[2908] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 002A0FB9
.text C:\Program Files\MSN Messenger\msnmsgr.exe[3272] kernel32.dll!SetUnhandledExceptionFilter 7C84467D 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\msnmsgr.exe (Messenger/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[1304] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00392EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[1304] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00392C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[1304] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00392C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[1304] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00392C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1600] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [015A2EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1600] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [015A2C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1600] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [015A2C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1600] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [015A2C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\jer6w8x2.exe[2172] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00802EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\jer6w8x2.exe[2172] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00802C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\jer6w8x2.exe[2172] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00802C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\jer6w8x2.exe[2172] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00802C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wuauclt.exe[2908] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00A12EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wuauclt.exe[2908] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00A12C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wuauclt.exe[2908] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00A12C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wuauclt.exe[2908] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00A12C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Network Associates\Common Framework\McTray.exe[3088] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [003E2EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Network Associates\Common Framework\McTray.exe[3088] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [003E2C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Network Associates\Common Framework\McTray.exe[3088] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [003E2C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Network Associates\Common Framework\McTray.exe[3088] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [003E2C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe[3240] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00DD2EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe[3240] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00DD2C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe[3240] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00DD2C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe[3240] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00DD2C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE[3248] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [003B2EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE[3248] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [003B2C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE[3248] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [003B2C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE[3248] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [003B2C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\MSN Messenger\msnmsgr.exe[3272] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [01322EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\MSN Messenger\msnmsgr.exe[3272] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [01322C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\MSN Messenger\msnmsgr.exe[3272] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [01322C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\MSN Messenger\msnmsgr.exe[3272] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [01322C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\ctfmon.exe[3316] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [009D2EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\ctfmon.exe[3316] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [009D2C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\ctfmon.exe[3316] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [009D2C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\ctfmon.exe[3316] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [009D2C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\hkcmd.exe[3460] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00B12EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\hkcmd.exe[3460] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00B12C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\hkcmd.exe[3460] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00B12C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\hkcmd.exe[3460] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00B12C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\igfxpers.exe[3520] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [003A2EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\igfxpers.exe[3520] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [003A2C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\igfxpers.exe[3520] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [003A2C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\igfxpers.exe[3520] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [003A2C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\stsystra.exe[3620] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00A62EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\stsystra.exe[3620] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00A62C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\stsystra.exe[3620] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00A62C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\stsystra.exe[3620] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00A62C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\igfxsrvc.exe[3632] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00AC2EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\igfxsrvc.exe[3632] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00AC2C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\igfxsrvc.exe[3632] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00AC2C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\igfxsrvc.exe[3632] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00AC2C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Dell\QuickSet\quickset.exe[3688] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00F52EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Dell\QuickSet\quickset.exe[3688] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00F52C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Dell\QuickSet\quickset.exe[3688] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00F52C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Dell\QuickSet\quickset.exe[3688] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00F52C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[3724] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00BA2EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[3724] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00BA2C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[3724] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00BA2C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[3724] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00BA2C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3768] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [003D2EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3768] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [003D2C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3768] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [003D2C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3768] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [003D2C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[3784] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00F92EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[3784] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00F92C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[3784] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00F92C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[3784] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00F92C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[3880] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00EB2EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[3880] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00EB2C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[3880] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00EB2C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[3880] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00EB2C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Network Associates\Common Framework\UdaterUI.exe[3912] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00C12EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Network Associates\Common Framework\UdaterUI.exe[3912] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00C12C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Network Associates\Common Framework\UdaterUI.exe[3912] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00C12C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Network Associates\Common Framework\UdaterUI.exe[3912] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00C12C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\rundll32.exe[3940] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00AB2EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\rundll32.exe[3940] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00AB2C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\rundll32.exe[3940] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00AB2C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\rundll32.exe[3940] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00AB2C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[4060] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00802EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[4060] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00802C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[4060] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00802C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[4060] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00802C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001641cda501
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001641cda501@001b52f99c19 0xD2 0x8E 0x05 0xBD ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001641cda501@0036593195b7 0x2D 0xB0 0xA8 0x10 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001641cda501@0017d5b64bea 0x79 0xB0 0x84 0x93 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001641cda501 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001641cda501@001b52f99c19 0xD2 0x8E 0x05 0xBD ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001641cda501@0036593195b7 0x2D 0xB0 0xA8 0x10 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001641cda501@0017d5b64bea 0x79 0xB0 0x84 0x93 ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----


Step 5 - OTL.Txt

OTL logfile created on: 2/9/2009 1:37:55 PM - Run 1
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\Alfred\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: d/M/yyyy

1014.12 Mb Total Physical Memory | 528.37 Mb Available Physical Memory | 52.10% Memory free
2.38 Gb Paging File | 2.00 Gb Available in Paging File | 83.82% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.78 Gb Total Space | 47.81 Gb Free Space | 42.77% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: WARRIOR2
Current User Name: Alfred
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (Intel Corporation)
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (Intel Corporation )
PRC - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe (Intel® Corporation)
PRC - C:\WINDOWS\System32\brsvc01a.exe (brother Industries Ltd)
PRC - C:\WINDOWS\System32\brss01a.exe (brother Industries Ltd)
PRC - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe (Logitech Inc.)
PRC - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe (McAfee, Inc.)
PRC - C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe (Microsoft Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (Intel Corporation)
PRC - C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe (McAfee, Inc.)
PRC - C:\WINDOWS\System32\stacsv.exe (SigmaTel, Inc.)
PRC - C:\WINDOWS\System32\wdfmgr.exe (Microsoft Corporation)
PRC - C:\WINDOWS\System32\hkcmd.exe (Intel Corporation)
PRC - C:\WINDOWS\System32\igfxpers.exe (Intel Corporation)
PRC - C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
PRC - C:\WINDOWS\System32\igfxsrvc.exe (Intel Corporation)
PRC - C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc)
PRC - C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe (Logitech Inc.)
PRC - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
PRC - C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)
PRC - C:\Program Files\Network Associates\Common Framework\UdaterUI.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation)
PRC - C:\WINDOWS\System32\wbem\wmiprvse.exe (Microsoft Corporation)
PRC - C:\Program Files\Network Associates\Common Framework\McTray.exe (McAfee, Inc.)
PRC - C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe (Intel Corporation)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
PRC - C:\Program Files\MSN Messenger\msnmsgr.exe (Microsoft Corporation)
PRC - C:\Documents and Settings\Alfred\Desktop\OTL.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (Brother XP spl Service [Auto | Running]) -- C:\WINDOWS\System32\brsvc01a.exe (brother Industries Ltd)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (EvtEng [Auto | Running]) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (Intel Corporation)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (IDriverT [On_Demand | Stopped]) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (LVPrcSrv [Auto | Running]) -- c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe (Logitech Inc.)
SRV - (LVSrvLauncher [Auto | Stopped]) -- C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe (Logitech Inc.)
SRV - (McAfeeFramework [Auto | Running]) -- C:\Program Files\Network Associates\Common Framework\FrameworkService.exe (McAfee, Inc.)
SRV - (McShield [Auto | Running]) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe (McAfee, Inc.)
SRV - (McTaskManager [Auto | Running]) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe (McAfee, Inc.)
SRV - (MSSQL$IWBDB [Auto | Running]) -- C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlservr.exe (Microsoft Corporation)
SRV - (MSSQLServerADHelper [On_Demand | Stopped]) -- C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (Microsoft Corporation)
SRV - (OracleOraHome92ClientCache [On_Demand | Stopped]) -- C:\oracle\ora92\BIN\ONRSD.EXE ()
SRV - (RegSrvc [Auto | Running]) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (Intel Corporation)
SRV - (S24EventMonitor [Auto | Running]) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (Intel Corporation )
SRV - (SQLAgent$IWBDB [On_Demand | Stopped]) -- C:\MSDE\Binn\MSSQL$IWBDB\Binn\sqlagent.EXE (Microsoft Corporation)
SRV - (STacSV [Auto | Running]) -- C:\WINDOWS\System32\stacsv.exe (SigmaTel, Inc.)
SRV - (UMWdf [Auto | Running]) -- C:\WINDOWS\System32\wdfmgr.exe (Microsoft Corporation)
SRV - (usnjsvc [On_Demand | Stopped]) -- C:\Program Files\MSN Messenger\usnsvc.exe (Microsoft Corporation)
SRV - (WLANKEEPER [Auto | Running]) -- C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe (Intel® Corporation)

========== Driver Services (SafeList) ==========

DRV - (AegisP [Auto | Running]) -- C:\WINDOWS\System32\DRIVERS\AegisP.sys (Meetinghouse Data Communications)
DRV - (bcm4sbxp [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys (Broadcom Corporation)
DRV - (BrPar [Auto | Stopped]) -- C:\WINDOWS\System32\drivers\BrPar.sys (Brother Industries Ltd.)
DRV - (cercsr6 [Boot | Stopped]) -- C:\WINDOWS\System32\drivers\cercsr6.sys (Adaptec, Inc.)
DRV - (FilterService [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\lvuvcflt.sys (Logitech Inc.)
DRV - (HDAudBus [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\HDAudBus.sys (Windows ® Server 2003 DDK provider)
DRV - (HSF_DPV [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\HSX_DPV.sys (Conexant Systems, Inc.)
DRV - (HSXHWAZL [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\HSXHWAZL.sys (Conexant Systems, Inc.)
DRV - (ialm [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\igxpmp32.sys (Intel Corporation)
DRV - (LVcKap [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\LVcKap.sys ()
DRV - (LVMVDrv [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\LVMVDrv.sys (Logitech Inc.)
DRV - (lvpopflt [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\lvpopflt.sys (Logitech Inc.)
DRV - (LVPr2Mon [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\LVPr2Mon.sys ()
DRV - (lvselsus [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\lvselsus.sys (Logitech Inc.)
DRV - (LVUSBSta [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\LVUSBSta.sys (Logitech Inc.)
DRV - (LVUVC [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\lvuvc.sys (Logitech Inc.)
DRV - (mdmxsdk [Auto | Running]) -- C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys (Conexant)
DRV - (mfeapfk [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\mfeapfk.sys (McAfee, Inc.)
DRV - (mfeavfk [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\mfeavfk.sys (McAfee, Inc.)
DRV - (mfebopk [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\mfebopk.sys (McAfee, Inc.)
DRV - (mfehidk [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mferkdk [System | Running]) -- C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys (McAfee, Inc.)
DRV - (mfetdik [System | Running]) -- C:\WINDOWS\System32\drivers\mfetdik.sys (McAfee, Inc.)
DRV - (NETw4x32 [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\NETw4x32.sys (Intel Corporation)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (rimmptsk [Auto | Running]) -- C:\WINDOWS\System32\DRIVERS\rimmptsk.sys (REDC)
DRV - (rimsptsk [Auto | Running]) -- C:\WINDOWS\System32\DRIVERS\rimsptsk.sys (REDC)
DRV - (rismxdp [Auto | Running]) -- C:\WINDOWS\System32\DRIVERS\rixdptsk.sys (REDC)
DRV - (s24trans [Auto | Running]) -- C:\WINDOWS\System32\DRIVERS\s24trans.sys (Intel Corporation)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (STHDA [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\sthda.sys (SigmaTel, Inc.)
DRV - (StillCam [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\serscan.sys (Microsoft Corporation)
DRV - (SynTP [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\SynTP.sys (Synaptics, Inc.)
DRV - (tap0801 [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\tap0801.sys (The OpenVPN Project)
DRV - (usbaudio [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\usbaudio.sys (Microsoft Corporation)
DRV - (winachsf [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\HSX_CNXT.sys (Conexant Systems, Inc.)

========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.au/ig
IE - URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\System32\ieframe.dll (Microsoft Corporation)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (PE_IE_Helper Class) - {0941C58F-E461-4E03-BD7D-44C27392ADE1} - C:\Program Files\IBM\Workplace Forms\Viewer\2.7\PEhelper.dll (IBM Corporation)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll (McAfee, Inc.)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\System32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\System32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\System32\SHELL32.dll (Microsoft Corporation)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.CPL (Microsoft Corporation)
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc)
O4 - HKLM..\Run: [DNS7reminder] C:\Program Files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation)
O4 - HKLM..\Run: [LogitechCommunicationsManager] C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe (Logitech Inc.)
O4 - HKLM..\Run: [masqform.exe] C:\Program Files\IBM\Workplace Forms\Viewer\2.7\masqform.exe (IBM Corporation)
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\Network Associates\Common Framework\UdaterUI.exe (McAfee, Inc.)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\System32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [ShStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [Synchronization Manager] C:\WINDOWS\System32\mobsync.exe (Microsoft Corporation)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (Microsoft Corporation)
O4 - HKCU..\Run: [msnmsgr] C:\Program Files\MSN Messenger\msnmsgr.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm File not found
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll (Sun Microsystems, Inc.)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\System32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\System32\wshbth.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: iress.com.au ([xplan2] https in Trusted sites)
O15 - HKCU\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {41564D57-9980-0010-8000-00AA00389B71} http://download.micr...01F/wmvadvd.cab (Reg Error: Key error.)
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} http://picasaweb.goo...0/uploader2.cab (UploadListView Class)
O16 - DPF: {53D40FAA-4E21-459F-AA87-E4D97FC3245A} https://secure.mwt.c.../2767/setup.exe (InstallShield Setup Player V12)
O16 - DPF: {5D80A6D1-B500-47DA-82B8-EB9875F85B4D} http://dl.google.com...PluginIEWin.cab (Google Gadget Control)
O16 - DPF: {804F9BC5-0EAB-4150-8065-0DF485420670} https://secure.mwt.c.../2724/setup.exe (InstallShield Setup Player V11.5)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...ows-i586-jc.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_01)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\System32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\System32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\System32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\System32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter: - application/octet-stream - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter: - application/x-complus - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter: - application/x-msdownload - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter: - Class Install Handler - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter: - deflate - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter: - gzip - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter: - lzdhtml - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/webviewhtml - C:\WINDOWS\System32\SHELL32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\WlNotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\System32\SHELL32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\System32\SHELL32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\System32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\System32\webcheck.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\System32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\System32\browseui.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O27 - HKLM IFEO\Your Image File Name Here without a path: Debugger - C:\WINDOWS\System32\ntsd.exe (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/05/29 12:49:57 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/09/02 13:04:28 | 00,190,976 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\schedsvc.dll
[2009/09/02 13:04:28 | 00,167,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\appmgmts.dll
[2009/09/02 13:04:28 | 00,142,464 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\aec.sys
[2009/09/02 13:04:28 | 00,134,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\shsvcs.dll
[2009/09/02 13:04:28 | 00,059,904 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\regsvc.dll
[2009/09/02 13:04:27 | 01,580,544 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\sfcfiles.dll
[2009/09/02 13:04:27 | 00,574,464 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ntfs.sys
[2009/09/02 13:04:27 | 00,435,200 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ntmssvc.dll
[2009/09/02 13:04:27 | 00,382,464 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\qmgr.dll
[2009/09/02 13:04:27 | 00,253,952 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\es.dll
[2009/09/02 13:04:27 | 00,249,344 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\tapisrv.dll
[2009/09/02 13:04:27 | 00,245,248 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\mswsock.dll
[2009/09/02 13:04:27 | 00,197,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\netman.dll
[2009/09/02 13:04:27 | 00,185,344 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\upnphost.dll
[2009/09/02 13:04:27 | 00,180,224 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\scecli.dll
[2009/09/02 13:04:27 | 00,170,496 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\srsvc.dll
[2009/09/02 13:04:27 | 00,129,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\xmlprov.dll
[2009/09/02 13:04:27 | 00,089,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\rasauto.dll
[2009/09/02 13:04:27 | 00,077,312 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\browser.dll
[2009/09/02 13:04:27 | 00,071,680 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ssdpsrv.dll
[2009/09/02 13:04:27 | 00,060,416 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\cryptsvc.dll
[2009/09/02 13:04:27 | 00,055,808 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\eventlog.dll
[2009/09/02 13:04:27 | 00,025,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\MsPMSNSv.dll
[2009/09/02 13:04:27 | 00,019,968 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\linkinfo.dll
[2009/09/02 13:04:27 | 00,014,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\asyncmac.sys
[2009/09/02 13:04:27 | 00,013,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\wscntfy.exe
[2009/09/02 13:04:26 | 03,593,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\mshtml.dll
[2009/09/02 13:04:26 | 01,033,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\explorer.exe
[2009/09/02 13:04:26 | 00,984,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\kernel32.dll
[2009/09/02 13:04:26 | 00,927,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\mfc40u.dll
[2009/09/02 13:04:26 | 00,792,064 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\comres.dll
[2009/09/02 13:04:26 | 00,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\comctl32.dll
[2009/09/02 13:04:26 | 00,407,040 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\netlogon.dll
[2009/09/02 13:04:26 | 00,397,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\rpcss.dll
[2009/09/02 13:04:26 | 00,295,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\termsrv.dll
[2009/09/02 13:04:26 | 00,110,080 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\imm32.dll
[2009/09/02 13:04:26 | 00,108,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\services.exe
[2009/09/02 13:04:26 | 00,057,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\spoolsv.exe
[2009/09/02 13:04:26 | 00,051,224 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\wuauclt.exe
[2009/09/02 13:04:26 | 00,033,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\msgsvc.dll
[2009/09/02 13:04:26 | 00,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\userinit.exe
[2009/09/02 13:04:26 | 00,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\kbdclass.sys
[2009/09/02 13:04:26 | 00,022,016 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\lpk.dll
[2009/09/02 13:04:26 | 00,017,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\powrprof.dll
[2009/09/02 13:04:26 | 00,015,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ctfmon.exe
[2009/09/02 13:04:26 | 00,013,312 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\lsass.exe
[2009/09/02 13:04:26 | 00,011,648 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\acpiec.sys
[2009/09/02 13:04:26 | 00,005,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\sfc.dll
[2009/09/02 13:04:26 | 00,004,224 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\beep.sys
[2009/09/02 13:04:26 | 00,002,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\null.sys
[2009/09/02 13:04:25 | 02,142,720 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ntoskrnl.exe
[2009/09/02 13:04:25 | 02,020,864 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ntkrnlpa.exe
[2009/09/02 13:04:25 | 00,826,368 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\wininet.dll
[2009/09/02 13:04:25 | 00,577,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\user32.dll
[2009/09/02 13:04:25 | 00,502,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\winlogon.exe
[2009/09/02 13:04:25 | 00,360,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\tcpip.sys
[2009/09/02 13:04:25 | 00,182,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ndis.sys
[2009/09/02 13:04:25 | 00,082,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ws2_32.dll
[2009/09/02 13:04:25 | 00,029,056 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ip6fw.sys
[2009/09/02 13:04:25 | 00,014,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\svchost.exe
[2009/09/02 13:04:25 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\dllcache\cache
[2009/09/02 12:53:50 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/09/02 12:53:48 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/09/02 12:53:43 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/09/02 12:51:00 | 00,229,376 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/09/02 12:51:00 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/09/02 12:51:00 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/09/02 12:51:00 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/09/02 12:51:00 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/09/02 12:51:00 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/09/02 12:51:00 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/09/02 12:51:00 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/09/02 12:50:54 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/09/02 12:33:33 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/09/02 12:32:18 | 03,189,342 | R--- | C] () -- C:\Documents and Settings\Alfred\Desktop\Combo-Fix.exe
[2009/09/02 12:17:35 | 00,000,000 | ---D | C] -- C:\Avenger
[2009/09/02 12:14:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Alfred\Desktop\avenger
[2009/09/02 12:13:23 | 00,724,952 | ---- | C] () -- C:\Documents and Settings\Alfred\Desktop\avenger.zip
[2009/09/02 11:55:20 | 00,046,080 | ---- | C] () -- C:\Documents and Settings\Alfred\Desktop\Win32kDiag.exe
[2009/09/02 11:51:58 | 00,085,504 | ---- | C] () -- C:\Documents and Settings\Alfred\Desktop\Inherit.exe
[2009/09/02 11:33:07 | 00,000,000 | ---D | C] -- C:\Program Files\DVD Decrypter
[2009/09/02 11:16:21 | 00,000,000 | ---D | C] -- C:\Program Files\DVDx
[2009/09/02 11:15:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Alfred\My Documents\dvdrip
[2009/09/01 11:18:04 | 00,514,048 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Alfred\Desktop\OTL.exe
[2009/09/01 10:49:53 | 00,288,768 | ---- | C] () -- C:\jer6w8x2.exe
[2009/09/01 10:42:06 | 00,025,088 | ---- | C] () -- C:\Documents and Settings\Alfred\My Documents\The system setup.doc
[2009/08/31 21:39:50 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/08/31 12:12:53 | 01,127,155 | ---- | C] () -- C:\Documents and Settings\Alfred\My Documents\Wall Street Betrayal Seen in $4_8 Billion Company Debt Losses - Bloomberg_com.mht
[2009/08/30 13:34:52 | 00,000,000 | ---D | C] -- C:\WINDOWS\SxsCaPendDel
[2009/08/30 13:34:27 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/08/30 12:43:01 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SITEguard
[2009/08/30 12:42:06 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\iS3
[2009/08/30 12:42:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2009/08/30 09:03:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Alfred\Desktop\Homemade-Pack-1
[2009/08/29 09:10:37 | 00,942,429 | ---- | C] (Aaron Murgatroyd ) -- C:\Documents and Settings\Alfred\Desktop\MiniXTLUsage1075.exe
[2009/08/28 17:30:37 | 00,005,274 | ---- | C] () -- C:\Documents and Settings\Alfred\My Documents\Audio1.nra
[2009/08/28 14:48:00 | 06,356,654 | ---- | C] () -- C:\Documents and Settings\Alfred\Desktop\()8F0D~1.MP3
[2009/08/28 14:47:59 | 03,167,327 | ---- | C] () -- C:\Documents and Settings\Alfred\Desktop\-ECHO~1.MP3
[2009/08/28 14:43:53 | 31,616,884 | ---- | C] () -- C:\Documents and Settings\Alfred\My Documents\wo nu.wav
[2009/08/28 14:33:30 | 24,345,168 | ---- | C] () -- C:\Documents and Settings\Alfred\My Documents\wang shi.wav
[2009/08/28 14:30:54 | 40,925,448 | ---- | C] () -- C:\Documents and Settings\Alfred\My Documents\qian.wav
[2009/08/28 14:17:57 | 26,007,936 | ---- | C] () -- C:\Documents and Settings\Alfred\My Documents\wo zhi zhai.wav
[2009/08/27 08:37:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Alfred\Desktop\Drunk Girl And Two Guys
[2009/08/27 08:30:44 | 75,673,765 | ---- | C] () -- C:\Documents and Settings\Alfred\Desktop\2-Girl Jerkof.wmv
[2009/08/27 08:28:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Alfred\Desktop\Torrent
[2009/08/27 01:23:02 | 13,832,836 | ---- | C] () -- C:\Documents and Settings\Alfred\Desktop\emelia_fox_consuming_passions_v01.avi
[2009/08/24 13:05:55 | 03,006,464 | ---- | C] () -- C:\Documents and Settings\Alfred\Desktop\Joey_Yung_-_My_Pride_(Cantonese).mp3
[2009/08/20 22:08:27 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Alfred\Application Data\dvdcss
[2009/08/19 10:37:45 | 00,055,296 | ---- | C] () -- C:\Documents and Settings\Alfred\My Documents\LAM Asic.doc
[2009/08/18 22:52:01 | 20,324,6432 | ---- | C] () -- C:\Documents and Settings\Alfred\Desktop\Young Girls.rar
[2009/08/18 21:56:03 | 00,001,453 | ---- | C] () -- C:\Documents and Settings\Alfred\Desktop\StoneCastle Advisors.lnk
[2009/08/17 09:17:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Alfred\Desktop\Naughty Sierra
[2009/08/16 10:03:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Alfred\Desktop\Perfect tits on beach
[2009/08/13 18:06:46 | 00,319,784 | ---- | C] () -- C:\Documents and Settings\Alfred\My Documents\Singapore Airlines.mht
[2009/08/12 15:40:41 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Alfred\Application Data\vlc
[2009/08/08 18:09:40 | 02,027,333 | ---- | C] () -- C:\Documents and Settings\Alfred\Desktop\rw13[1].wma
[2009/08/08 18:06:19 | 02,022,847 | ---- | C] () -- C:\Documents and Settings\Alfred\Desktop\2BA1333A1281F417C6212D2CFA9F06D6DB07C7BB[1].wma
[2009/08/07 11:41:05 | 00,024,576 | ---- | C] () -- C:\Documents and Settings\Alfred\My Documents\Ludwig II was a hopeless dreamer who had a hard time with real life.doc
[2009/08/06 23:25:12 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Alfred\Application Data\Media Player Classic
[2009/08/06 17:12:14 | 01,677,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\chsbrkr.dll
[2009/08/06 17:12:14 | 01,677,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\chsbrkr.dll
[2009/08/06 17:12:13 | 01,158,818 | ---- | C] () -- C:\WINDOWS\System32\korwbrkr.lex
[2009/08/06 17:12:13 | 01,158,818 | ---- | C] () -- C:\WINDOWS\System32\dllcache\korwbrkr.lex
[2009/08/06 17:12:13 | 00,838,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\chtbrkr.dll
[2009/08/06 17:12:13 | 00,838,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\chtbrkr.dll
[2009/08/06 17:12:13 | 00,070,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\korwbrkr.dll
[2009/08/06 17:12:13 | 00,070,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\korwbrkr.dll
[2009/08/06 17:12:13 | 00,001,486 | ---- | C] () -- C:\WINDOWS\System32\noise.kor
[2009/08/06 17:12:12 | 01,875,968 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msir3jp.lex
[2009/08/06 17:12:12 | 01,875,968 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msir3jp.lex
[2009/08/06 17:12:12 | 00,098,304 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msir3jp.dll
[2009/08/06 17:12:12 | 00,098,304 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msir3jp.dll
[2009/08/06 17:12:12 | 00,019,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\agt0404.dll
[2009/08/06 17:12:12 | 00,002,060 | ---- | C] () -- C:\WINDOWS\System32\noise.jpn
[2009/08/06 17:12:08 | 10,096,640 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\hwxcht.dll
[2009/08/06 17:12:00 | 00,211,938 | ---- | C] () -- C:\WINDOWS\System32\lcphrase.tbl
[2009/08/06 17:12:00 | 00,146,126 | ---- | C] () -- C:\WINDOWS\System32\array30.tab
[2009/08/06 17:12:00 | 00,110,566 | ---- | C] () -- C:\WINDOWS\System32\arphr.tbl
[2009/08/06 17:12:00 | 00,024,114 | ---- | C] () -- C:\WINDOWS\System32\lcptr.tbl
[2009/08/06 17:12:00 | 00,018,600 | ---- | C] () -- C:\WINDOWS\System32\arrayhw.tab
[2009/08/06 17:12:00 | 00,016,312 | ---- | C] () -- C:\WINDOWS\System32\arptr.tbl
[2009/08/06 17:11:59 | 00,116,285 | ---- | C] () -- C:\WINDOWS\System32\msdayi.tbl
[2009/08/06 17:11:59 | 00,043,242 | ---- | C] () -- C:\WINDOWS\System32\phoncode.tbl
[2009/08/06 17:11:59 | 00,004,071 | ---- | C] () -- C:\WINDOWS\System32\phon.tbl
[2009/08/06 17:11:59 | 00,002,714 | ---- | C] () -- C:\WINDOWS\System32\phonptr.tbl
[2009/08/06 17:11:59 | 00,000,700 | ---- | C] () -- C:\WINDOWS\System32\dayiptr.tbl
[2009/08/06 17:11:59 | 00,000,520 | ---- | C] () -- C:\WINDOWS\System32\dayiphr.tbl
[2009/08/06 17:11:58 | 00,195,618 | ---- | C] () -- C:\WINDOWS\System32\dllcache\c_10002.nls
[2009/08/06 17:11:58 | 00,195,618 | ---- | C] () -- C:\WINDOWS\System32\c_10002.nls
[2009/08/06 17:11:58 | 00,082,172 | ---- | C] () -- C:\WINDOWS\System32\dllcache\bopomofo.nls
[2009/08/06 17:11:58 | 00,082,172 | ---- | C] () -- C:\WINDOWS\System32\bopomofo.nls
[2009/08/06 17:11:58 | 00,066,728 | ---- | C] () -- C:\WINDOWS\System32\dllcache\big5.nls
[2009/08/06 17:11:58 | 00,066,728 | ---- | C] () -- C:\WINDOWS\System32\big5.nls
[2009/08/06 17:11:58 | 00,044,370 | ---- | C] () -- C:\WINDOWS\System32\acode.tbl
[2009/08/06 17:11:58 | 00,044,370 | ---- | C] () -- C:\WINDOWS\System32\a234.tbl
[2009/08/06 17:11:58 | 00,019,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\agt0804.dll
[2009/08/06 17:11:58 | 00,001,460 | ---- | C] () -- C:\WINDOWS\System32\a15.tbl
[2009/08/06 17:11:57 | 00,016,254 | ---- | C] () -- C:\WINDOWS\System32\PINTLPAE.HLP
[2009/08/06 17:11:57 | 00,014,821 | ---- | C] () -- C:\WINDOWS\System32\PINTLPAD.HLP
[2009/08/06 17:11:50 | 01,783,864 | ---- | C] () -- C:\WINDOWS\System32\WINPY.MB
[2009/08/06 17:11:50 | 01,564,868 | ---- | C] () -- C:\WINDOWS\System32\WINSP.MB
[2009/08/06 17:11:50 | 01,223,500 | ---- | C] () -- C:\WINDOWS\System32\WINZM.MB
[2009/08/06 17:11:49 | 00,218,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\c_g18030.dll
[2009/08/06 17:11:49 | 00,218,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\c_g18030.dll
[2009/08/06 17:11:49 | 00,173,602 | ---- | C] () -- C:\WINDOWS\System32\dllcache\c_10008.nls
[2009/08/06 17:11:49 | 00,173,602 | ---- | C] () -- C:\WINDOWS\System32\c_10008.nls
[2009/08/06 17:11:49 | 00,083,748 | ---- | C] () -- C:\WINDOWS\System32\prcp.nls
[2009/08/06 17:11:49 | 00,083,748 | ---- | C] () -- C:\WINDOWS\System32\prc.nls
[2009/08/06 17:11:49 | 00,083,748 | ---- | C] () -- C:\WINDOWS\System32\dllcache\prcp.nls
[2009/08/06 17:11:49 | 00,083,748 | ---- | C] () -- C:\WINDOWS\System32\dllcache\prc.nls
[2009/08/06 17:11:49 | 00,069,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\WINGB.IME
[2009/08/06 17:11:49 | 00,069,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wingb.ime
[2009/08/06 17:11:48 | 00,014,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\padrs412.dll
[2009/08/06 17:11:48 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbd101a.dll
[2009/08/06 17:11:48 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbd101a.dll
[2009/08/06 17:11:44 | 10,129,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\hwxkor.dll
[2009/08/06 17:11:44 | 00,134,339 | ---- | C] () -- C:\WINDOWS\System32\dllcache\imekr.lex
[2009/08/06 17:11:43 | 00,108,827 | ---- | C] () -- C:\WINDOWS\System32\dllcache\hanja.lex
[2009/08/06 17:11:43 | 00,036,864 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\hanjadic.dll
[2009/08/06 17:11:42 | 00,059,904 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imkrinst.exe
[2009/08/06 17:11:42 | 00,044,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imekrmig.exe
[2009/08/06 17:11:41 | 00,019,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\agt0412.dll
[2009/08/06 17:11:36 | 00,189,986 | ---- | C] () -- C:\WINDOWS\System32\dllcache\c_1361.nls
[2009/08/06 17:11:36 | 00,189,986 | ---- | C] () -- C:\WINDOWS\System32\c_1361.nls
[2009/08/06 17:11:36 | 00,177,698 | ---- | C] () -- C:\WINDOWS\System32\dllcache\c_10003.nls
[2009/08/06 17:11:36 | 00,177,698 | ---- | C] () -- C:\WINDOWS\System32\c_10003.nls
[2009/08/06 17:11:35 | 00,311,359 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imepadsv.exe
[2009/08/06 17:11:35 | 00,102,463 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imepadsm.dll
[2009/08/06 17:11:35 | 00,047,066 | ---- | C] () -- C:\WINDOWS\System32\ksc.nls
[2009/08/06 17:11:35 | 00,047,066 | ---- | C] () -- C:\WINDOWS\System32\dllcache\ksc.nls
[2009/08/06 17:11:35 | 00,036,927 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\padrs411.dll
[2009/08/06 17:11:35 | 00,019,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\agt0411.dll
[2009/08/06 17:11:34 | 00,009,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdnecAT.dll
[2009/08/06 17:11:34 | 00,009,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdnecat.dll
[2009/08/06 17:11:34 | 00,007,680 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdnecNT.dll
[2009/08/06 17:11:34 | 00,007,680 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdnecnt.dll
[2009/08/06 17:11:34 | 00,007,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdnec95.dll
[2009/08/06 17:11:34 | 00,007,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdibm02.dll
[2009/08/06 17:11:34 | 00,007,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\f3ahvoas.dll
[2009/08/06 17:11:34 | 00,007,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdnec95.dll
[2009/08/06 17:11:34 | 00,007,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdibm02.dll
[2009/08/06 17:11:34 | 00,007,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\f3ahvoas.dll
[2009/08/06 17:11:34 | 00,006,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdlk41a.dll
[2009/08/06 17:11:34 | 00,006,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdlk41a.dll
[2009/08/06 17:11:34 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdlk41j.dll
[2009/08/06 17:11:34 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdax2.dll
[2009/08/06 17:11:34 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbd106n.dll
[2009/08/06 17:11:34 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbd101.dll
[2009/08/06 17:11:34 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdlk41j.dll
[2009/08/06 17:11:34 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdax2.dll
[2009/08/06 17:11:34 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbd106n.dll
[2009/08/06 17:11:34 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbd101.dll
[2009/08/06 17:11:33 | 00,471,102 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imskdic.dll
[2009/08/06 17:11:33 | 00,315,452 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imskf.dll
[2009/08/06 17:11:33 | 00,229,439 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\multibox.dll
[2009/08/06 17:11:33 | 00,143,422 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\softkey.dll
[2009/08/06 17:11:30 | 13,463,552 | ---- | C] () -- C:\WINDOWS\System32\dllcache\hwxjpn.dll
[2009/08/06 17:11:18 | 00,057,398 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imjpdadm.exe
[2009/08/06 17:11:18 | 00,045,109 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imjpuex.exe
[2009/08/06 17:11:14 | 00,180,770 | ---- | C] () -- C:\WINDOWS\System32\dllcache\c_20932.nls
[2009/08/06 17:11:14 | 00,180,770 | ---- | C] () -- C:\WINDOWS\System32\c_20932.nls
[2009/08/06 17:11:14 | 00,180,258 | ---- | C] () -- C:\WINDOWS\System32\dllcache\c_20000.nls
[2009/08/06 17:11:14 | 00,180,258 | ---- | C] () -- C:\WINDOWS\System32\c_20000.nls
[2009/08/06 17:11:14 | 00,177,698 | ---- | C] () -- C:\WINDOWS\System32\dllcache\c_20949.nls
[2009/08/06 17:11:14 | 00,177,698 | ---- | C] () -- C:\WINDOWS\System32\c_20949.nls
[2009/08/06 17:11:14 | 00,173,602 | ---- | C] () -- C:\WINDOWS\System32\dllcache\c_20936.nls
[2009/08/06 17:11:14 | 00,173,602 | ---- | C] () -- C:\WINDOWS\System32\c_20936.nls
[2009/08/06 17:11:14 | 00,162,850 | ---- | C] () -- C:\WINDOWS\System32\dllcache\c_10001.nls
[2009/08/06 17:11:14 | 00,162,850 | ---- | C] () -- C:\WINDOWS\System32\c_10001.nls
[2009/08/06 17:11:14 | 00,066,082 | ---- | C] () -- C:\WINDOWS\System32\dllcache\c_21027.nls
[2009/08/06 17:11:14 | 00,066,082 | ---- | C] () -- C:\WINDOWS\System32\dllcache\c_20290.nls
[2009/08/06 17:11:14 | 00,066,082 | ---- | C] () -- C:\WINDOWS\System32\c_21027.nls
[2009/08/06 17:11:14 | 00,066,082 | ---- | C] () -- C:\WINDOWS\System32\c_20290.nls
[2009/08/06 17:11:14 | 00,006,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\c_is2022.dll
[2009/08/06 17:11:14 | 00,006,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\c_is2022.dll
[2009/08/06 17:11:13 | 00,028,288 | ---- | C] () -- C:\WINDOWS\System32\xjis.nls
[2009/08/06 17:11:13 | 00,028,288 | ---- | C] () -- C:\WINDOWS\System32\dllcache\xjis.nls
[2009/08/06 17:11:06 | 00,010,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\miniime.tpl
[2009/08/06 16:52:23 | 00,008,704 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdjpn.dll
[2009/08/06 16:52:23 | 00,008,704 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdjpn.dll
[2009/08/06 16:52:23 | 00,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdkor.dll
[2009/08/06 16:52:23 | 00,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdkor.dll
[2009/08/06 16:52:22 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbd106.dll
[2009/08/06 16:52:22 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbd101c.dll
[2009/08/06 16:52:22 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbd106.dll
[2009/08/06 16:52:22 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbd101c.dll
[2009/08/06 16:52:22 | 00,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbd103.dll
[2009/08/06 16:52:22 | 00,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbd103.dll
[2009/08/06 16:52:19 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbd101b.dll
[2009/08/06 16:52:19 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbd101b.dll
[2009/08/05 23:35:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Alfred\Desktop\youtube
[2009/01/30 12:45:05 | 00,004,599 | ---- | C] () -- C:\WINDOWS\SigPlus.ini
[2008/10/29 09:46:21 | 00,000,094 | ---- | C] () -- C:\WINDOWS\brpcfx.ini
[2008/10/29 09:46:20 | 00,000,228 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini
[2008/10/29 09:45:46 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\BRTCPCON.DLL
[2008/10/29 09:45:45 | 00,000,114 | ---- | C] () -- C:\WINDOWS\System32\BRLMW03A.INI
[2008/10/29 09:45:06 | 00,106,496 | ---- | C] () -- C:\WINDOWS\System32\BrMuSNMP.dll
[2008/10/29 09:43:08 | 00,027,019 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2008/03/20 15:54:38 | 00,034,308 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2008/01/23 22:09:59 | 00,000,280 | ---- | C] () -- C:\WINDOWS\System32\epoPGPsdk.dll.sig
[2007/06/19 16:46:19 | 00,000,040 | ---- | C] () -- C:\WINDOWS\opt_1430.ini
[2007/06/19 16:46:19 | 00,000,000 | ---- | C] () -- C:\WINDOWS\BROHL143.INI
[2007/06/19 16:46:19 | 00,000,000 | ---- | C] () -- C:\WINDOWS\brmx2001.ini
[2007/06/19 16:46:18 | 00,000,023 | ---- | C] () -- C:\WINDOWS\BRDIAG.INI
[2007/06/19 16:46:18 | 00,000,012 | ---- | C] () -- C:\WINDOWS\Brownie.ini
[2007/06/19 16:46:14 | 00,000,012 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2007/06/19 16:46:09 | 00,000,030 | ---- | C] () -- C:\WINDOWS\System32\BRSS01A.ini
[2007/06/18 21:56:54 | 00,000,229 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/06/06 14:07:27 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2007/06/06 14:07:27 | 00,593,920 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2007/06/06 14:07:27 | 00,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2007/06/06 14:07:26 | 00,010,752 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2007/06/06 14:07:26 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2007/06/04 13:48:17 | 00,000,463 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2007/06/04 11:14:46 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/05/29 13:14:53 | 00,051,370 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2007/05/29 13:08:22 | 00,016,480 | ---- | C] () -- C:\WINDOWS\System32\rixdicon.dll
[2007/05/29 13:01:44 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4814.dll
[2007/02/13 10:42:28 | 00,025,632 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys
[2007/02/13 10:39:54 | 01,691,808 | ---- | C] () -- C:\WINDOWS\System32\drivers\Lvckap.sys
[2004/08/04 20:00:00 | 00,000,624 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/04 20:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2002/03/04 10:16:34 | 00,110,592 | R--- | C] () -- C:\WINDOWS\System32\Jpeg32.dll

========== Files - Modified Within 30 Days ==========

[2009/09/02 13:25:50 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/09/02 13:25:46 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/09/02 13:24:34 | 00,000,268 | -H-- | M] () -- C:\sqmdata15.sqm
[2009/09/02 13:24:34 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt15.sqm
[2009/09/02 13:24:31 | 00,000,624 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/09/02 13:24:31 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/09/02 13:24:31 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/09/02 13:22:31 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\lvuvc.hs
[2009/09/02 13:01:20 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/09/02 12:48:23 | 00,000,211 | ---- | M] () -- C:\Boot.bak
[2009/09/02 12:45:54 | 00,000,268 | -H-- | M] () -- C:\sqmdata14.sqm
[2009/09/02 12:45:54 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt14.sqm
[2009/09/02 12:36:07 | 00,000,268 | -H-- | M] () -- C:\sqmdata13.sqm
[2009/09/02 12:36:07 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt13.sqm
[2009/09/02 12:32:18 | 03,189,342 | R--- | M] () -- C:\Documents and Settings\Alfred\Desktop\Combo-Fix.exe
[2009/09/02 12:21:02 | 00,000,268 | -H-- | M] () -- C:\sqmdata12.sqm
[2009/09/02 12:21:02 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt12.sqm
[2009/09/02 12:19:44 | 00,000,229 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/09/02 12:16:47 | 00,000,268 | -H-- | M] () -- C:\sqmdata11.sqm
[2009/09/02 12:16:47 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt11.sqm
[2009/09/02 12:13:24 | 00,724,952 | ---- | M] () -- C:\Documents and Settings\Alfred\Desktop\avenger.zip
[2009/09/02 12:10:00 | 00,000,463 | ---- | M] () -- C:\WINDOWS\BRWMARK.INI
[2009/09/02 11:55:21 | 00,046,080 | ---- | M] () -- C:\Documents and Settings\Alfred\Desktop\Win32kDiag.exe
[2009/09/02 11:52:40 | 00,151,040 | ---- | M] () -- C:\Documents and Settings\Alfred\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/09/02 11:52:10 | 00,085,504 | ---- | M] () -- C:\Documents and Settings\Alfred\Desktop\Inherit.exe
[2009/09/02 11:49:37 | 00,001,768 | -H-- | M] () -- C:\Documents and Settings\Alfred\My Documents\Default.rdp
[2009/09/02 08:11:12 | 00,000,268 | -H-- | M] () -- C:\sqmdata10.sqm
[2009/09/02 08:11:12 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt10.sqm
[2009/09/02 02:13:45 | 00,000,268 | -H-- | M] () -- C:\sqmdata09.sqm
[2009/09/02 02:13:45 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt09.sqm
[2009/09/01 19:31:01 | 00,000,268 | -H-- | M] () -- C:\sqmdata08.sqm
[2009/09/01 19:31:01 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt08.sqm
[2009/09/01 14:19:03 | 00,000,268 | -H-- | M] () -- C:\sqmdata07.sqm
[2009/09/01 14:19:03 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt07.sqm
[2009/09/01 14:18:42 | 00,000,692 | ---- | M] () -- C:\Documents and Settings\Alfred\My Documents\ImageGrab.ini
[2009/09/01 11:24:04 | 00,000,268 | -H-- | M] () -- C:\sqmdata06.sqm
[2009/09/01 11:24:04 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm
[2009/09/01 11:18:07 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Alfred\Desktop\OTL.exe
[2009/09/01 11:14:12 | 00,068,728 | ---- | M] () -- C:\Documents and Settings\Alfred\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/09/01 10:49:54 | 00,288,768 | ---- | M] () -- C:\jer6w8x2.exe
[2009/09/01 10:42:07 | 00,025,088 | ---- | M] () -- C:\Documents and Settings\Alfred\My Documents\The system setup.doc
[2009/09/01 08:22:47 | 00,000,268 | -H-- | M] () -- C:\sqmdata05.sqm
[2009/09/01 08:22:47 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm
[2009/09/01 01:30:15 | 00,000,268 | -H-- | M] () -- C:\sqmdata04.sqm
[2009/09/01 01:30:15 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm
[2009/08/31 21:53:33 | 00,020,992 | ---- | M] () -- C:\Documents and Settings\Alfred\My Documents\Password.xls
[2009/08/31 18:31:50 | 00,000,268 | -H-- | M] () -- C:\sqmdata03.sqm
[2009/08/31 18:31:50 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm
[2009/08/31 12:13:01 | 01,127,155 | ---- | M] () -- C:\Documents and Settings\Alfred\My Documents\Wall Street Betrayal Seen in $4_8 Billion Company Debt Losses - Bloomberg_com.mht
[2009/08/31 08:18:20 | 00,000,268 | -H-- | M] () -- C:\sqmdata02.sqm
[2009/08/31 08:18:20 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt02.sqm
[2009/08/31 00:14:09 | 00,000,268 | -H-- | M] () -- C:\sqmdata01.sqm
[2009/08/31 00:14:08 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt01.sqm
[2009/08/30 13:37:58 | 00,000,268 | -H-- | M] () -- C:\sqmdata00.sqm
[2009/08/30 13:37:58 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm
[2009/08/30 12:46:03 | 00,000,268 | -H-- | M] () -- C:\sqmdata19.sqm
[2009/08/30 12:46:03 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt19.sqm
[2009/08/30 12:22:12 | 00,000,268 | -H-- | M] () -- C:\sqmdata18.sqm
[2009/08/30 12:22:12 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt18.sqm
[2009/08/30 09:22:42 | 00,000,268 | -H-- | M] () -- C:\sqmdata17.sqm
[2009/08/30 09:22:42 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt17.sqm
[2009/08/30 04:11:49 | 00,000,268 | -H-- | M] () -- C:\sqmdata16.sqm
[2009/08/30 04:11:49 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt16.sqm
[2009/08/29 09:10:37 | 00,942,429 | ---- | M] (Aaron Murgatroyd ) -- C:\Documents and Settings\Alfred\Desktop\MiniXTLUsage1075.exe
[2009/08/28 17:30:37 | 00,005,274 | ---- | M] () -- C:\Documents and Settings\Alfred\My Documents\Audio1.nra
[2009/08/28 14:43:56 | 31,616,884 | ---- | M] () -- C:\Documents and Settings\Alfred\My Documents\wo nu.wav
[2009/08/28 14:33:33 | 24,345,168 | ---- | M] () -- C:\Documents and Settings\Alfred\My Documents\wang shi.wav
[2009/08/28 14:30:59 | 40,925,448 | ---- | M] () -- C:\Documents and Settings\Alfred\My Documents\qian.wav
[2009/08/28 14:18:01 | 26,007,936 | ---- | M] () -- C:\Documents and Settings\Alfred\My Documents\wo zhi zhai.wav
[2009/08/27 02:24:18 | 75,673,765 | ---- | M] () -- C:\Documents and Settings\Alfred\Desktop\2-Girl Jerkof.wmv
[2009/08/27 01:23:03 | 13,832,836 | ---- | M] () -- C:\Documents and Settings\Alfred\Desktop\emelia_fox_consuming_passions_v01.avi
[2009/08/24 19:12:11 | 03,006,464 | ---- | M] () -- C:\Documents and Settings\Alfred\Desktop\Joey_Yung_-_My_Pride_(Cantonese).mp3
[2009/08/23 11:44:15 | 03,167,327 | ---- | M] () -- C:\Documents and Settings\Alfred\Desktop\-ECHO~1.MP3
[2009/08/23 09:54:19 | 06,356,654 | ---- | M] () -- C:\Documents and Settings\Alfred\Desktop\()8F0D~1.MP3
[2009/08/23 03:09:13 | 00,229,376 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/08/19 17:41:21 | 00,013,824 | ---- | M] () -- C:\Documents and Settings\Alfred\My Documents\new movies.xls
[2009/08/19 10:45:16 | 00,055,296 | ---- | M] () -- C:\Documents and Settings\Alfred\My Documents\LAM Asic.doc
[2009/08/18 21:57:39 | 00,001,453 | ---- | M] () -- C:\Documents and Settings\Alfred\Desktop\StoneCastle Advisors.lnk
[2009/08/18 09:48:58 | 20,324,6432 | ---- | M] () -- C:\Documents and Settings\Alfred\Desktop\Young Girls.rar
[2009/08/13 18:06:55 | 00,319,784 | ---- | M] () -- C:\Documents and Settings\Alfred\My Documents\Singapore Airlines.mht
[2009/08/08 17:46:55 | 02,027,333 | ---- | M] () -- C:\Documents and Settings\Alfred\Desktop\rw13[1].wma
[2009/08/08 17:40:36 | 02,022,847 | ---- | M] () -- C:\Documents and Settings\Alfred\Desktop\2BA1333A1281F417C6212D2CFA9F06D6DB07C7BB[1].wma
[2009/08/07 15:12:06 | 00,024,576 | ---- | M] () -- C:\Documents and Settings\Alfred\My Documents\Ludwig II was a hopeless dreamer who had a hard time with real life.doc
[2009/08/07 12:03:11 | 00,068,728 | ---- | M] () -- C:\Documents and Settings\Alfred\Application Data\GDIPFONTCACHEV1.DAT
[2009/08/06 22:58:29 | 00,242,328 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

========== LOP Check ==========

[2009/08/20 22:08:27 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Alfred\Application Data
[2009/08/28 14:11:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Alfred\Application Data\Ahead
[2007/06/04 13:48:30 | 00,000,000 | R--D | M] -- C:\Documents and Settings\Alfred\Application Data\Brother
[2007/05/29 13:10:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Alfred\Application Data\Dell
[2009/08/20 22:13:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Alfred\Application Data\dvdcss
[2007/05/29 13:24:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Alfred\Application Data\Intel
[2008/02/13 21:40:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Alfred\Application Data\NCH Swift Sound
[2008/07/06 09:52:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Alfred\Application Data\Nuance
[2009/01/30 12:44:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Alfred\Application Data\PureEdge
[2008/11/20 15:46:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Alfred\Application Data\ScanSoft
[2009/02/05 12:15:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Alfred\Application Data\XWord
[2009/08/30 12:43:01 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2008/07/24 14:46:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{53608B89-D534-4FA6-B348-02EF7D3C693C}
[2008/01/17 22:50:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ahead
[2008/10/29 09:41:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Brother
[2007/05/29 13:24:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Intel
[2007/05/29 13:14:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Logishrd
[2008/02/13 21:42:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[2007/06/04 12:21:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Network Associates
[2008/07/06 09:44:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nuance
[2009/01/30 12:44:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PureEdge
[2008/07/06 09:44:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
[2009/08/30 12:43:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SITEguard
[2009/08/30 12:43:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2004/08/04 20:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/09/02 13:25:50 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========


< End of report >

Step 5 - Extras.Txt

OTL Extras logfile created on: 2/9/2009 1:37:55 PM - Run 1
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\Alfred\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: d/M/yyyy

1014.12 Mb Total Physical Memory | 528.37 Mb Available Physical Memory | 52.10% Memory free
2.38 Gb Paging File | 2.00 Gb Available in Paging File | 83.82% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.78 Gb Total Space | 47.81 Gb Free Space | 42.77% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: WARRIOR2
Current User Name: Alfred
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\MSN Messenger\msnmsgr.exe" = C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1 -- (Microsoft Corporation)
"C:\Program Files\MSN Messenger\livecall.exe" = C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" = C:\Program Files\Network Associates\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service -- (McAfee, Inc.)
"C:\Program Files\MSN Messenger\msnmsgr.exe" = C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1 -- (Microsoft Corporation)
"C:\Program Files\MSN Messenger\livecall.exe" = C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) -- (Microsoft Corporation)
"C:\Program Files\Ahead\Nero ShowTime\ShowTime.exe" = C:\Program Files\Ahead\Nero ShowTime\ShowTime.exe:*:Disabled:Nero ShowTime -- (Nero AG)
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Program Files\Brother\ControlCenter2\brctrcen.exe" = C:\Program Files\Brother\ControlCenter2\brctrcen.exe:LocalSubNet:Enabled:brctrcen.exe -- (Brother Industries, Ltd.)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}" = mSSO
"{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}" = mLogView
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35725FBC-A136-4A46-9F29-091759D9BB93}" = MVision
"{35C03C04-3F1F-42C2-A989-A757EE691F65}" = McAfee VirusScan Enterprise
"{3E9D596A-61D4-4239-BD19-2DB984D2A16F}" = mIWA
"{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}" = mHlpDell
"{571700F0-DB9D-4B3A-B03D-35A14BB5939F}" = Windows Live Messenger
"{612B9183-67A9-4B44-9877-2F059E35B86A}" = Broadcom 440x 10/100 Integrated Controller
"{63DB9CCD-2B56-4217-9A3D-507AC78320CA}" = mWMI
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{71C97545-E547-4A8B-B0C8-61FF853270AC}" = PaperPort
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{829CD169-E692-48E8-9BDE-A3E8D8B65538}" = mSCfg
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{90B0D222-8C21-4B35-9262-53B042F18AF9}" = mPfWiz
"{91110409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional
"{9211CCBB-BEFE-4A0C-9199-D7A535DBFE5F}" = Brother MFL-Pro Suite
"{94658027-9F16-4509-BBD7-A59FE57C3023}" = mZConfig
"{9932886E-7874-4BA1-A1AA-E61EA5A9352D}" = Logitech QuickCam
"{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}" = mDriver
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{AA3A9B0F-645B-49BD-B118-5C3D76835F05}" = AMP Illustrations Notication
"{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9
"{BEF726DD-4037-4214-8C6A-E625C02D2870}" = Logitech Audio Echo Cancellation Component
"{BF1B7AE9-A0AE-45B4-9D2A-A50CDAD5AD1D}" = AMP easylodge Client
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{D4E01931-9B3F-49BD-B19B-511000A1E039}" = Samsung PC Studio II 2.0 PIMS & File Manager
"{DDDD90B2-80F2-413A-8A8E-38C5076A7DBA}" = Dragon NaturallySpeaking 9
"{E09B48B5-E141-427A-AB0C-D3605127224A}" = Microsoft SQL Server Desktop Engine (IWBDB)
"{E81667C6-2856-46D6-ABEA-6A2F42166779}" = mCore
"{EA516024-D84D-41F1-814F-83175A6188F2}" = Logitech Video Enumerator
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F6090A17-0967-4A8A-B3C3-422A1B514D49}" = mDrWiFi
"{FB3BE405-6BF0-490A-84B3-00611385EA0D}" = Common-Use Signing Interface
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"3635FC5A3FE7DACCEF2123BDBDA808BA811B977B" = Windows Driver Package - Ricoh Company Memorystick Host Controller (07/09/2005 1.00.01.12)
"452416B030C25BAA383F3DA368FECD5D48FAE727" = Windows Driver Package - Ricoh Company xD-Picture Card/SmartMedia Host Controller (07/14/2005 1.00.02.04)
"4569969E1360D2854474C661EF9B4D54F143EB16" = Windows Driver Package - Ricoh Company (rimsptsk) hdc (11/14/2006 6.00.01.04)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"C2B1D8EA078A4E96218930E83D0EAC2D29D31968" = Windows Driver Package - Broadcom Bluetooth (02/24/2004 5.1.2535.0)
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3" = Conexant HDA D110 MDC V.92 Modem
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Common-Use Signing Interface" = Common-Use Signing Interface
"DVD Decrypter" = DVD Decrypter (Remove Only)
"DVDx 2.2_is1" = DVDx 2.2
"F631A62FA5E06534A0FE3637D75AAA5B1D3E4FB7" = Windows Driver Package - Ricoh Company MMC Host Controller (07/14/2005 1.00.00.06)
"HDMI" = Intel® Graphics Media Accelerator Driver
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"KLiteCodecPack_is1" = K-Lite Codec Pack 3.1.5 Full
"McAfee Anti-Spyware Enterprise Module" = McAfee AntiSpyware Enterprise Module
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"Nero - Burning Rom!UninstallKey" = Nero 6
"NeroVision!UninstallKey" = Nero Digital
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PocketXMLRPC" = PocketXMLRPC For Windows v1.2.1 (remove only)
"ProInst" = Intel® PROSet/Wireless Software
"QcDrv" = Logitech® Camera Driver
"QuicktimeAlt_is1" = QuickTime Alternative 1.81
"Samsung Mobile USB Modem" = Samsung Mobile USB Modem Software
"Second Copy 2000" = Second Copy 2000
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Topaz e-Signatures SigPlus 3.74" = Topaz e-Signatures SigPlus 3.74
"Topaz MS Office Plug-In 1.9" = Topaz MS Office Plug-In 1.9
"VLC media player" = VLC media player 1.0.1
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"WinRAR archiver" = WinRAR archiver

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"31a65feb4d086de5" = AMP Illustrations plus
"3bdf393e4bbf0eae" = AMP Illustrations plus - 2
"bd730df1bf8a8f7e" = AMP Illustrations plus - 1

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/9/2009 5:31:28 PM | Computer Name = WARRIOR2 | Source = STacSV | ID = 268435455
Description =

Error - 1/9/2009 8:08:06 PM | Computer Name = WARRIOR2 | Source = STacSV | ID = 268435455
Description =

Error - 1/9/2009 10:18:13 PM | Computer Name = WARRIOR2 | Source = STacSV | ID = 268435455
Description =

Error - 1/9/2009 10:22:23 PM | Computer Name = WARRIOR2 | Source = STacSV | ID = 268435455
Description =

Error - 1/9/2009 10:37:34 PM | Computer Name = WARRIOR2 | Source = STacSV | ID = 268435455
Description =

Error - 1/9/2009 10:47:16 PM | Computer Name = WARRIOR2 | Source = STacSV | ID = 268435455
Description =

Error - 1/9/2009 11:01:02 PM | Computer Name = WARRIOR2 | Source = STacSV | ID = 268435455
Description =

Error - 1/9/2009 11:16:12 PM | Computer Name = WARRIOR2 | Source = STacSV | ID = 268435455
Description =

Error - 1/9/2009 11:22:49 PM | Computer Name = WARRIOR2 | Source = STacSV | ID = 268435455
Description =

Error - 1/9/2009 11:25:59 PM | Computer Name = WARRIOR2 | Source = STacSV | ID = 268435455
Description =

[ System Events ]
Error - 1/9/2009 11:17:36 PM | Computer Name = WARRIOR2 | Source = System Error | ID = 1003
Description = Error code 1000007e, parameter1 c0000005, parameter2 f69c2f07, parameter3
f7a19c40, parameter4 f7a1993c.

Error - 1/9/2009 11:17:40 PM | Computer Name = WARRIOR2 | Source = System Error | ID = 1003
Description = Error code 1000000a, parameter1 00000000, parameter2 0000001c, parameter3
00000000, parameter4 804f8a3b.

Error - 1/9/2009 11:17:42 PM | Computer Name = WARRIOR2 | Source = System Error | ID = 1003
Description = Error code 1000000a, parameter1 0065006d, parameter2 0000001c, parameter3
00000000, parameter4 804f8a3b.

Error - 1/9/2009 11:17:43 PM | Computer Name = WARRIOR2 | Source = System Error | ID = 1003
Description = Error code 100000ce, parameter1 a80ab82a, parameter2 00000008, parameter3
a80ab82a, parameter4 00000000.

Error - 1/9/2009 11:17:45 PM | Computer Name = WARRIOR2 | Source = System Error | ID = 1003
Description = Error code 0000004e, parameter1 00000007, parameter2 000307a3, parameter3
00000001, parameter4 00000000.

Error - 1/9/2009 11:17:47 PM | Computer Name = WARRIOR2 | Source = System Error | ID = 1003
Description = Error code 0000004e, parameter1 00000007, parameter2 00036a34, parameter3
00000001, parameter4 00000000.

Error - 1/9/2009 11:23:00 PM | Computer Name = WARRIOR2 | Source = Service Control Manager | ID = 7002
Description = The BrPar service depends on the Parallel arbitrator group and no
member of this group started.

Error - 1/9/2009 11:23:46 PM | Computer Name = WARRIOR2 | Source = System Error | ID = 1003
Description = Error code 10000050, parameter1 e2c29000, parameter2 00000000, parameter3
8052b7fc, parameter4 00000001.

Error - 1/9/2009 11:26:10 PM | Computer Name = WARRIOR2 | Source = Service Control Manager | ID = 7002
Description = The BrPar service depends on the Parallel arbitrator group and no
member of this group started.

Error - 1/9/2009 11:27:02 PM | Computer Name = WARRIOR2 | Source = System Error | ID = 1003
Description = Error code 10000050, parameter1 e2c29000, parameter2 00000000, parameter3
8052b7fc, parameter4 00000001.


< End of report >
  • 0

#9
NeonFx

NeonFx

    Malware Removal Dude

  • Expert
  • 3,792 posts
Excellent work stoneman :) That did exactly what it was supposed to. Let me write up a fix, and you'll get your next instructions once I get them approved.
  • 0

#10
NeonFx

NeonFx

    Malware Removal Dude

  • Expert
  • 3,792 posts
Alright. Here you go:


Quick heads-up before we continue:

I see you're using, or have in the past used, p2p software such as uTorrent and LimeWire, or download a lot of files off the internet. Although p2p programs are not usually malware in their own right, malware is often installed alongside them and the files that are typically shared over these networks. Even if the program is clean, people often upload infected files to be shared using these programs, and it is very easy to end up compromising your PC.

It's your decision whether or not you use p2p programs; you don't have to remove them to be deemed clean, and I'll still help you if you want to keep them. It's just important that you're aware of the risks. If you want to continue using p2p programs that's fine with me; all I ask is that you not download anything from them until you're clean so we aren't taking steps backwards here. To remove p2p programs if you wish to do so, uninstall them from the Add/Remove Programs (Programs and Features in Vista) menu of your Control Panel.


STEP 1

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\System32\Jpeg32.dll
C:\WINDOWS\PEV.exe

Folder::

Registry::

Driver::

Domains::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript.txt onto ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

STEP 2

Please click here to download AVP Tool by Kaspersky.
  • Save it to your desktop.
  • Reboot your computer into SafeMode.

    You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
    Use your up arrow key to highlight Safe Mode, then hit Enter.

  • Double click the setup file to run it.
  • Click Next to continue.
  • It will by default install to your desktop folder. Click Next.
  • Hit ok at the prompt for scanning in Safe Mode.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked.

  • System Memory
  • Startup Objects
  • Disk Boot Sectors.
  • My Computer.
  • Also any other drives (Removable that you may have)


After that, click on Security level, then choose Customize, then click on the tab that says Heuristic Analyzer, choose Enable Deep rootkit search, and click OK.
Then choose OK again and you are back at the main screen.

  • Then click on Scan in the top right-hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized, click the button that says Neutralize all.
  • If it says an object cannot be neutralized, choose the Delete option when prompted.
  • After that is done, click the Reports button at the bottom and save the report to a file named Kas.
  • Save it somewhere convenient, like your desktop, and post only the detected viruses/malware from the report (they are at the very top, under Detected) in your next reply.

    Note: This tool will self uninstall when you close it so please save the log before closing it.


  • 0

#11
stoneman4172

stoneman4172

    Member

  • Member
  • PipPip
  • 13 posts
Hi NeonFx, I've encountered a problem with step 1. Upon dragging the CFScript.txt to ComboFix.exe, it says there is a new version of ComboFix and asks if I want to update it. I chose 'No' and the program started and said something like 'PEV.exe is not part and will not be processed'? The program continued to the end and produced a report. The report is as follows. I didn't do step 2 yet as I would like your OK first.

Also, I think I got the malware from browsing torrent sites because there is no P2P program on this computer. I download the link and download files using another computer. I think I'll browse using that play computer as well.

Step 1 - ComboFix.txt

ComboFix 09-09-01.04 - Alfred 03/09/2009 11:29.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.590 [GMT 10:00]
Running from: c:\documents and settings\Alfred\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Alfred\Desktop\CFScript.txt
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((( Files Created from 2009-08-03 to 2009-09-03 )))))))))))))))))))))))))))))))
.

2009-09-02 01:33 . 2009-09-02 01:33 -------- d-----w- c:\program files\DVD Decrypter
2009-09-02 01:16 . 2009-09-02 01:16 -------- d-----w- c:\program files\DVDx
2009-09-01 00:49 . 2009-09-01 00:49 288768 ----a-w- C:\jer6w8x2.exe
2009-08-31 11:39 . 2009-08-31 11:39 -------- d-----w- c:\program files\Trend Micro
2009-08-30 03:34 . 2009-09-02 01:57 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-30 02:43 . 2009-08-30 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-08-30 02:42 . 2009-08-30 02:42 -------- d-----w- c:\program files\Common Files\iS3
2009-08-30 02:42 . 2009-08-30 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-08-20 12:08 . 2009-09-02 10:38 -------- d-----w- c:\documents and settings\Alfred\Application Data\dvdcss
2009-08-12 05:40 . 2009-09-02 13:14 -------- d-----w- c:\documents and settings\Alfred\Application Data\vlc
2009-08-06 13:25 . 2009-08-06 13:25 -------- d-----w- c:\documents and settings\Alfred\Application Data\Media Player Classic
2009-08-06 07:12 . 2001-08-23 12:00 1677824 -c--a-w- c:\windows\system32\dllcache\chsbrkr.dll
2009-08-06 07:12 . 2001-08-23 12:00 1677824 ----a-w- c:\windows\system32\chsbrkr.dll
2009-08-06 07:12 . 2001-08-23 12:00 838144 -c--a-w- c:\windows\system32\dllcache\chtbrkr.dll
2009-08-06 07:12 . 2001-08-23 12:00 838144 ----a-w- c:\windows\system32\chtbrkr.dll
2009-08-06 07:12 . 2001-08-23 12:00 70656 -c--a-w- c:\windows\system32\dllcache\korwbrkr.dll
2009-08-06 07:12 . 2001-08-23 12:00 70656 ----a-w- c:\windows\system32\korwbrkr.dll
2009-08-06 07:12 . 2001-08-23 12:00 98304 -c--a-w- c:\windows\system32\dllcache\msir3jp.dll
2009-08-06 07:12 . 2001-08-23 12:00 98304 ----a-w- c:\windows\system32\msir3jp.dll
2009-08-06 07:12 . 2001-08-23 12:00 19456 -c--a-w- c:\windows\system32\dllcache\agt0404.dll
2009-08-06 07:12 . 2001-08-23 12:00 10096640 -c--a-w- c:\windows\system32\dllcache\hwxcht.dll
2009-08-06 06:52 . 2001-08-17 12:36 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2009-08-06 06:52 . 2001-08-17 12:36 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2009-08-06 06:52 . 2001-08-17 12:36 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2009-08-06 06:52 . 2001-08-17 12:36 8192 ----a-w- c:\windows\system32\kbdkor.dll
2009-08-06 06:52 . 2001-08-17 04:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2009-08-06 06:52 . 2001-08-17 04:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
2009-08-06 06:52 . 2001-08-17 04:55 6144 ----a-w- c:\windows\system32\kbd106.dll
2009-08-06 06:52 . 2001-08-17 04:55 6144 ----a-w- c:\windows\system32\kbd101c.dll
2009-08-06 06:52 . 2001-08-17 04:55 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
2009-08-06 06:52 . 2001-08-17 04:55 5632 ----a-w- c:\windows\system32\kbd103.dll
2009-08-06 06:52 . 2001-08-17 04:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2009-08-06 06:52 . 2001-08-17 04:55 6144 ----a-w- c:\windows\system32\kbd101b.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-03 00:34 . 2007-05-29 03:16 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-09-01 01:14 . 2007-06-04 02:31 68728 ----a-w- c:\documents and settings\Alfred\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-28 04:11 . 2007-06-18 11:57 -------- d-----w- c:\documents and settings\Alfred\Application Data\Ahead
.

((((((((((((((((((((((((((((( SnapShot@2009-09-02_03.02.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-03 00:34 . 2009-09-03 00:34 16384 c:\windows\Temp\Perflib_Perfdata_4b4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-30 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-30 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-30 138008]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-02-20 1191936]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-13 488984]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-24 210472]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe" [2006-11-27 255528]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"masqform.exe"="c:\program files\IBM\Workplace Forms\Viewer\2.7\masqform.exe" [2007-03-19 946176]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-02-22 112216]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-04 110592]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AMP Illustrations plus Update Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AMP Illustrations plus Update Manager.lnk
backup=c:\windows\pss\AMP Illustrations plus Update Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=c:\windows\pss\Service Manager.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 MSSQL$IWBDB;MSSQL$IWBDB;c:\msde\Binn\MSSQL$IWBDB\Binn\sqlservr.exe -sIWBDB --> c:\msde\Binn\MSSQL$IWBDB\Binn\sqlservr.exe -sIWBDB [?]
S3 SQLAgent$IWBDB;SQLAgent$IWBDB;c:\msde\Binn\MSSQL$IWBDB\Binn\sqlagent.EXE -i IWBDB --> c:\msde\Binn\MSSQL$IWBDB\Binn\sqlagent.EXE -i IWBDB [?]
S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [1/10/2006 10:37 PM 26624]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/ig
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: iress.com.au\xplan2
DPF: {53D40FAA-4E21-459F-AA87-E4D97FC3245A} - hxxps://secure.mwt.com.au/installations/full/2767/setup.exe
DPF: {5D80A6D1-B500-47DA-82B8-EB9875F85B4D} - hxxp://dl.google.com/dl/desktop/nv/GoogleGadgetPluginIEWin.cab
DPF: {804F9BC5-0EAB-4150-8065-0DF485420670} - hxxps://secure.mwt.com.au/installations/full/2724/setup.exe
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-03 11:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-09-03 11:35
ComboFix-quarantined-files.txt 2009-09-03 01:35
ComboFix2.txt 2009-09-02 03:05

Pre-Run: 57,153,155,072 bytes free
Post-Run: 57,157,390,336 bytes free

135 --- E O F --- 2008-12-18 07:06
  • 0

#12
NeonFx

NeonFx

    Malware Removal Dude

  • Expert
  • 3,792 posts
That's alright stoneman. Please try it again selecting "Yes" to the update. If you get the error once more, go ahead with step 2.
  • 0

#13
stoneman4172

stoneman4172

    Member

  • Member
  • PipPip
  • 13 posts
Hi NeonFx, Step 1 has the same error saying something like 'PEV.exe is part of Combofix. Script will not be processed'. Anyway, the program just continued to the end.

Step 1 - ComboFix.txt

ComboFix 09-09-02.02 - Alfred 03/09/2009 14:29.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.592 [GMT 10:00]
Running from: c:\documents and settings\Alfred\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Alfred\Desktop\CFScript.txt
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((( Files Created from 2009-08-03 to 2009-09-03 )))))))))))))))))))))))))))))))
.

2009-09-02 01:33 . 2009-09-02 01:33 -------- d-----w- c:\program files\DVD Decrypter
2009-09-02 01:16 . 2009-09-02 01:16 -------- d-----w- c:\program files\DVDx
2009-09-01 00:49 . 2009-09-01 00:49 288768 ----a-w- C:\jer6w8x2.exe
2009-08-31 11:39 . 2009-08-31 11:39 -------- d-----w- c:\program files\Trend Micro
2009-08-30 03:34 . 2009-09-02 01:57 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-30 02:43 . 2009-08-30 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-08-30 02:42 . 2009-08-30 02:42 -------- d-----w- c:\program files\Common Files\iS3
2009-08-30 02:42 . 2009-08-30 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-08-20 12:08 . 2009-09-02 10:38 -------- d-----w- c:\documents and settings\Alfred\Application Data\dvdcss
2009-08-12 05:40 . 2009-09-02 13:14 -------- d-----w- c:\documents and settings\Alfred\Application Data\vlc
2009-08-06 13:25 . 2009-08-06 13:25 -------- d-----w- c:\documents and settings\Alfred\Application Data\Media Player Classic
2009-08-06 07:12 . 2001-08-23 12:00 1677824 -c--a-w- c:\windows\system32\dllcache\chsbrkr.dll
2009-08-06 07:12 . 2001-08-23 12:00 1677824 ----a-w- c:\windows\system32\chsbrkr.dll
2009-08-06 07:12 . 2001-08-23 12:00 838144 -c--a-w- c:\windows\system32\dllcache\chtbrkr.dll
2009-08-06 07:12 . 2001-08-23 12:00 838144 ----a-w- c:\windows\system32\chtbrkr.dll
2009-08-06 07:12 . 2001-08-23 12:00 70656 -c--a-w- c:\windows\system32\dllcache\korwbrkr.dll
2009-08-06 07:12 . 2001-08-23 12:00 70656 ----a-w- c:\windows\system32\korwbrkr.dll
2009-08-06 07:12 . 2001-08-23 12:00 98304 -c--a-w- c:\windows\system32\dllcache\msir3jp.dll
2009-08-06 07:12 . 2001-08-23 12:00 98304 ----a-w- c:\windows\system32\msir3jp.dll
2009-08-06 07:12 . 2001-08-23 12:00 19456 -c--a-w- c:\windows\system32\dllcache\agt0404.dll
2009-08-06 07:12 . 2001-08-23 12:00 10096640 -c--a-w- c:\windows\system32\dllcache\hwxcht.dll
2009-08-06 06:52 . 2001-08-17 12:36 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2009-08-06 06:52 . 2001-08-17 12:36 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2009-08-06 06:52 . 2001-08-17 12:36 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2009-08-06 06:52 . 2001-08-17 12:36 8192 ----a-w- c:\windows\system32\kbdkor.dll
2009-08-06 06:52 . 2001-08-17 04:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2009-08-06 06:52 . 2001-08-17 04:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
2009-08-06 06:52 . 2001-08-17 04:55 6144 ----a-w- c:\windows\system32\kbd106.dll
2009-08-06 06:52 . 2001-08-17 04:55 6144 ----a-w- c:\windows\system32\kbd101c.dll
2009-08-06 06:52 . 2001-08-17 04:55 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
2009-08-06 06:52 . 2001-08-17 04:55 5632 ----a-w- c:\windows\system32\kbd103.dll
2009-08-06 06:52 . 2001-08-17 04:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2009-08-06 06:52 . 2001-08-17 04:55 6144 ----a-w- c:\windows\system32\kbd101b.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-03 00:34 . 2007-05-29 03:16 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-09-01 01:14 . 2007-06-04 02:31 68728 ----a-w- c:\documents and settings\Alfred\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-28 04:11 . 2007-06-18 11:57 -------- d-----w- c:\documents and settings\Alfred\Application Data\Ahead
.

((((((((((((((((((((((((((((( SnapShot@2009-09-02_03.02.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-03 00:34 . 2009-09-03 00:34 16384 c:\windows\Temp\Perflib_Perfdata_4b4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-30 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-30 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-30 138008]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-02-20 1191936]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-13 488984]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-24 210472]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe" [2006-11-27 255528]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"masqform.exe"="c:\program files\IBM\Workplace Forms\Viewer\2.7\masqform.exe" [2007-03-19 946176]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-02-22 112216]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-04 110592]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AMP Illustrations plus Update Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AMP Illustrations plus Update Manager.lnk
backup=c:\windows\pss\AMP Illustrations plus Update Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=c:\windows\pss\Service Manager.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 MSSQL$IWBDB;MSSQL$IWBDB;c:\msde\Binn\MSSQL$IWBDB\Binn\sqlservr.exe -sIWBDB --> c:\msde\Binn\MSSQL$IWBDB\Binn\sqlservr.exe -sIWBDB [?]
S3 SQLAgent$IWBDB;SQLAgent$IWBDB;c:\msde\Binn\MSSQL$IWBDB\Binn\sqlagent.EXE -i IWBDB --> c:\msde\Binn\MSSQL$IWBDB\Binn\sqlagent.EXE -i IWBDB [?]
S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [1/10/2006 10:37 PM 26624]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/ig
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: iress.com.au\xplan2
DPF: {53D40FAA-4E21-459F-AA87-E4D97FC3245A} - hxxps://secure.mwt.com.au/installations/full/2767/setup.exe
DPF: {5D80A6D1-B500-47DA-82B8-EB9875F85B4D} - hxxp://dl.google.com/dl/desktop/nv/GoogleGadgetPluginIEWin.cab
DPF: {804F9BC5-0EAB-4150-8065-0DF485420670} - hxxps://secure.mwt.com.au/installations/full/2724/setup.exe
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-03 14:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-09-03 14:34
ComboFix-quarantined-files.txt 2009-09-03 04:34
ComboFix2.txt 2009-09-03 01:35
ComboFix3.txt 2009-09-02 03:05

Pre-Run: 57,161,097,216 bytes free
Post-Run: 57,163,390,976 bytes free

136 --- E O F --- 2008-12-18 07:06


Step 2 - Kas.txt

Detected
--------
Status Object
------ ------
deleted: Trojan program Trojan-Downloader.Java.OpenConnection.at File: C:\Documents and Settings\Alfred\Application Data\Sun\Java\Deployment\cache\6.0\16\78fcee10-43a12430/vlocal.class
disinfected: Trojan program Trojan-Downloader.Java.OpenConnection.at File: C:\Documents and Settings\Alfred\Application Data\Sun\Java\Deployment\cache\6.0\57\4839f1b9-6bcc77ef/vlocal.class
deleted: Trojan program Packed.Win32.PECompact (modification) File: C:\Qoobox\Quarantine\C\WINDOWS\system32\net.net.vir//PE_Patch.PECompact//PecBundle//PECompact
deleted: Trojan program Backdoor.Win32.Agent.akmn File: C:\System Volume Information\_restore{584991F3-3FD5-4B8B-A316-6FC2B5EF9F8F}\RP517\A0107882.dll
disinfected: Trojan program Trojan-Downloader.Java.OpenConnection.at File: C:\Documents and Settings\Alfred\Application Data\Sun\Java\Deployment\cache\6.0\57\4839f1b9-6bcc77ef
  • 0
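As an added example (not part of this thread, and not Kaspersky's or ComboFix's own tooling), here is a small Python triage of a Kaspersky AVP Tool "Detected" report in the format posted above. Not every hit in such a report is a live infection: objects under ComboFix's Qoobox quarantine were already moved out of place by the earlier run, and objects under System Volume Information are old System Restore copies. The script separates those from hits in live locations and from anything that was neither deleted nor disinfected. The report text is constructed with placeholder user, hash and GUID names; the line shape `<status>: <verdict> File: <path>` and the `//` separator for layers inside a packed file are assumed from the posted log.

```python
"""Triage a Kaspersky AVP Tool 'Detected' report (added example, not from the thread)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample report, modelled on the posted Kas.txt (placeholder names, not real data).
SAMPLE_REPORT = """\
Detected
--------
Status Object
------ ------
deleted: Trojan program Trojan-Downloader.Java.OpenConnection.at File: C:\\Documents and Settings\\User\\Application Data\\Sun\\Java\\Deployment\\cache\\6.0\\16\\aaaaaaaa-bbbbbbbb/vlocal.class
deleted: Trojan program Packed.Win32.PECompact (modification) File: C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\sample.vir//PE_Patch.PECompact//PecBundle//PECompact
deleted: Trojan program Backdoor.Win32.Agent.akmn File: C:\\System Volume Information\\_restore{00000000-0000-0000-0000-000000000000}\\RP1\\A0000001.dll
disinfected: Trojan program Trojan-Downloader.Java.OpenConnection.at File: C:\\Documents and Settings\\User\\Application Data\\Sun\\Java\\Deployment\\cache\\6.0\\57\\cccccccc-dddddddd
not disinfected: Trojan program Trojan.Win32.Example.a File: C:\\WINDOWS\\system32\\example.dll
"""

# First colon ends the status; the path's own "C:" comes after the literal "File:".
LINE_RE = re.compile(r"^(?P<status>[^:]+):\s+(?P<verdict>.*?)\s+File:\s+(?P<obj>.+)$")


@dataclass
class Detection:
    status: str     # deleted / disinfected / not disinfected ...
    verdict: str    # Kaspersky verdict text
    container: str  # the on-disk file that holds the object
    inner: str      # '//'-separated layers inside the container, '' if none
    location: str   # triage class, see classify()


def classify(path):
    """Map an on-disk path to what it means for the cleanup."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "already-quarantined"  # ComboFix already moved it; inert unless restored
    if "\\system volume information\\" in p:
        return "restore-point"        # old System Restore copy; flush restore points
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java-cache"           # cached exploit applet; clear cache, update Java
    return "live"


def parse_report(text):
    detections = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header and separator lines
        # Split off packer/archive layers so the container is a real file path.
        container, _, inner = m.group("obj").partition("//")
        detections.append(Detection(m.group("status").strip(), m.group("verdict").strip(),
                                    container, inner, classify(container)))
    return detections


def needs_followup(detections):
    """Hits that still need action: not removed/disinfected, or sitting in a live location."""
    return [d for d in detections
            if d.status not in ("deleted", "disinfected") or d.location == "live"]


def summarize(detections):
    return Counter(d.location for d in detections)


if __name__ == "__main__":
    dets = parse_report(SAMPLE_REPORT)
    print(dict(summarize(dets)))
    for d in needs_followup(dets):
        print("FOLLOW UP:", d.status, d.verdict, d.container)
```

On the posted report this classification leaves the two Java cache hits and the live user profile as the places worth re-checking, which is what the OTL fix in the next reply targets; the Qoobox and restore-point hits need no further file action beyond the normal cleanup.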

#14
NeonFx

NeonFx

    Malware Removal Dude

  • Expert
  • 3,792 posts
Alright, let's do one last thing.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    
    :Services
    
    :Reg
    
    :Files
    C:\WINDOWS\System32\Jpeg32.dll
    C:\Documents and Settings\Alfred\Application Data\Sun\Java\Deployment\cache\*.* /s
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

And... We're ready to clean up! :)

Let's clean up.

STEP 1

Follow these steps to uninstall Combofix and tools used in the removal of malware

  • Click START then RUN
  • Now type Combofix /u in the run box and click OK. Note the space between the X and the U; it needs to be there.
    Posted Image


STEP 2
To clean up OldTimer's tools, along with a few others, do the following:

  • Run OTL.exe by double clicking on it
  • Click on the "CleanUp" button on the top.
  • You will be asked if you wish to reboot your system, select "Yes"


STEP 3

Remove any other tools or files we used, and any folders they created, by right-clicking on them, holding down the Shift key, and selecting "Delete". This will delete the files without sending them to the Recycle Bin.


All Clean

Congratulations! Your system is now clean. Now that your system is safe we would like you to keep it that way. Take the time to follow these instructions and it will greatly reduce the risk of further infections and greatly diminish the chances of you having to visit here again.

Microsoft Windows Update
Microsoft regularly releases patches for Windows and Office products to close security loopholes and fix any bugs found. Install the updates immediately if they are found.
To update Windows
Go to Start > All Programs > Windows Update
To update Office
Open up any Office program.
Go to Help > Check for Updates


Download and Install a HOSTS File
A HOSTS file is a big list of bad web sites. The list has a specific format, a specific name, (name is just HOSTS with no file extension), and a specific location. Your machine always looks at that file in that location before connecting to a web site to verify the address. So the HOSTS listing can be used to "short circuit" a request to a bad website by giving it the address of your own machine.

Download BlockList Pro's HOSTS Manager HERE

  • Double click the Installer on your desktop and let it Install the Hosts Manager
  • After the installation is complete, click on the Hosts Manager icon on your desktop. (You can delete the other Hosts Switch icon from your desktop)
  • When the Hosts Manager comes up, click the small down arrows on the right side of the bar labeled Options and Tools,
  • Click Disable DNS Service. This is important
  • In the Left Pane, click Download
  • It will load 80,000 lines or more. When it finishes, also in the left pane, click Replace, and then click Save

You can use this manager to handle your HOSTS file download, edits, and most any other HOSTS issue.
If you have a third-party firewall or WinPatrol, you may have to give permissions at various times to unlock the present default HOSTS file and install the new one.

Install WinPatrol
Download it HERE
You can find information about how WinPatrol works HERE
Quick Summary: It will give you complete control over everything that happens in the background while Windows runs, giving you the option to approve or deny any changes to the registry.

Other Software Updates
It is very important to update the other software on your computer to patch up any security issues you may have. Go HERE to scan your computer for any out of date software. In particular make sure you download the updates for Java and Adobe as these are subject to many security vulnerabilities.

Setting up Automatic Updates
So that it is not necessary to have to remember to update your computer regularly (something very important to securing your system), automatic updates should be configured on your computer. Microsoft has guides for XP and Vista on how to do this.

Read further information HERE on how to prevent Malware infections and keep yourself clean.
  • 0
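As an added example (not part of NeonFx's post, and not code from the Hosts Manager tool it links to), here is a Python check of what a blocklist-style HOSTS file actually blocks, and of one limit the description above does not mention: the resolver matches hostnames in the file verbatim, so a name is blocked only if it is listed and mapped to 0.0.0.0 or a loopback address, and an unlisted subdomain of a blocked site is still reachable. The sample HOSTS content is constructed for illustration.

```python
"""What does a HOSTS-file blocklist block? (added example, not from the thread)"""
import ipaddress

# Constructed sample HOSTS content, not a real blocklist.
SAMPLE_HOSTS = """\
# comment lines and trailing comments are ignored by the resolver
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net          # block entry, 0.0.0.0 form
127.0.0.1       tracker.example.org      # block entry, loopback form (older lists)
127.0.0.1       Malware.Example.com  www.malware.example.com
192.168.1.10    intranet.example.local   # ordinary override, not a block
this is not a valid line
"""

# Names that legitimately map to loopback and must never be reported as "blocked".
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return {hostname_lower: ip_string}. The first mapping for a name wins, as in the resolver."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line: skip it rather than fail the whole file
        for name in parts[1:]:
            table.setdefault(name.lower(), str(ip))  # hostnames are case-insensitive
    return table


def is_block_entry(ip):
    """A mapping blocks a site if it points at the unspecified or a loopback address."""
    addr = ipaddress.ip_address(ip)
    return addr.is_unspecified or addr.is_loopback


def is_blocked(table, hostname):
    """Exact-name lookup only: HOSTS files have no wildcards, so subdomains are not covered."""
    name = hostname.rstrip(".").lower()
    if name in LOOPBACK_NAMES:
        return False
    ip = table.get(name)
    return ip is not None and is_block_entry(ip)


def blocked_names(table):
    return sorted(n for n in table if is_blocked(table, n))


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for probe in ("ads.example.net", "cdn.ads.example.net", "MALWARE.EXAMPLE.COM", "localhost"):
        print(f"{probe:24} blocked={is_blocked(hosts, probe)}")
```

Because the file is consulted before DNS, a hit short-circuits the connection exactly as the post describes; the test for `cdn.ads.example.net` shows why a blocklist needs every hostname spelled out and why it complements, rather than replaces, an up-to-date browser and patched plug-ins.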

#15
stoneman4172

stoneman4172

    Member

  • Member
  • PipPip
  • 13 posts
Thank you very much NeonFx! I will definitely do as you suggested. What do I do with this thread now?
  • 0

