Website redirection & New tab Pop Ups [Closed] - Geeks to Go Forums


Website redirection & New tab Pop Ups [Closed] help with malware removal and possible trojan/viruses

#1 Alistair1982

  • Group: Member
  • Posts: 14
  • Joined: 12-December 09

Posted 12 December 2009 - 03:15 PM

Hey guys,

Thanks for all the information you have provided. I went through all of the steps in the removal guide posted but I am still running into some issues.

My browser of preference is Firefox. I have been running into an issue where a new tab will just sporadically open itself. There is one of two outcomes for this. A) It is a false "Breaking News" page, which I can just close, but I can't stop this from happening. Or B) I have a page that opens up named "Windows Security" which tells me I have a virus and need to download their program. If this second one pops up I have to Ctrl-Alt-Delete and close my entire browser down to get away from the page.

I have used the following Malware removal and detection programs: Malwarebytes, Adaware, Spybot S&D, McAfee Virus Scanner, & CCleaner.

Below is my HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:12:21 PM, on 12/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hp\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [GoToMyPC] "C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McAfee Backup] "C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe"
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-1688654905-1888422568-617639642-1008\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Ctx_StreamingSvc')
O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1178813950515
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O21 - SSODL: huloseger - {6fb0d2c2-bb14-4496-a999-f8f24f158d8d} - (no file)
O22 - SharedTaskScheduler: kupuhivus - {6fb0d2c2-bb14-4496-a999-f8f24f158d8d} - (no file)
O23 - Service: Apache2.2 - Unknown owner - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe (file missing)
O23 - Service: Citrix Diagnostic Facility COM Server (CdfSvc) - Citrix Systems, Inc. - C:\Program Files\Common Files\Citrix\System32\CdfSvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Citrix Streaming Service (RadeSvc) - Citrix Systems, Inc. - C:\Program Files\Citrix\Streaming Client\RadeSvc.exe

--
End of file - 10767 bytes

Thank you in advance for your help. Your time and dedication is very much appreciated for us troglodytes that aren't as equipped :)
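A small triage helper for the HijackThis log format posted above, added here as an example (it is not code from the thread, from HijackThis or from Geeks to Go). The sample lines are copied from the posted log; the two heuristics, orphaned entries and one CLSID registered under both O21 and O22, are this example's own and mirror what a malware-removal helper checks first.

```python
"""Triage a HijackThis-style log: flag entries whose file is gone and
CLSIDs that several load points share.  Example code, not from the thread."""
import re
from collections import defaultdict

# Constructed sample: a subset of the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O21 - SSODL: huloseger - {6fb0d2c2-bb14-4496-a999-f8f24f158d8d} - (no file)
O22 - SharedTaskScheduler: kupuhivus - {6fb0d2c2-bb14-4496-a999-f8f24f158d8d} - (no file)
O23 - Service: Apache2.2 - Unknown owner - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
"""

# Every HijackThis finding starts with its section tag: R0, R1, O2, O4, O23 ...
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# HijackThis appends these markers when the referenced file is not on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")
# Load points where an orphaned, randomly named entry deserves a closer look.
REVIEW_SECTIONS = {"O21", "O22"}


def parse_entries(text):
    """Return (section, body) tuples for every R*/O* line in the log."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group("section"), match.group("body")))
    return entries


def find_orphans(entries):
    """Entries that point at a file HijackThis could not find.

    An orphaned BHO or service is usually leftover from an uninstall; an
    orphaned SSODL/SharedTaskScheduler entry is the kind of thing a helper
    asks about, because those load points are rarely used by normal software."""
    return [(s, b) for s, b in entries if b.endswith(ORPHAN_MARKERS)]


def shared_clsids(entries):
    """Map each CLSID that appears in more than one section to those sections.

    The same CLSID registered under both O21 and O22 means one component is
    being loaded by two different mechanisms, which is worth reviewing."""
    seen = defaultdict(set)
    for section, body in entries:
        for clsid in CLSID_RE.findall(body):
            seen[clsid.lower()].add(section)
    return {clsid: sorted(secs) for clsid, secs in seen.items() if len(secs) > 1}


def triage(text):
    """Combine both checks into (severity, where, detail) findings."""
    entries = parse_entries(text)
    findings = []
    for section, body in find_orphans(entries):
        severity = "review" if section in REVIEW_SECTIONS else "cleanup"
        findings.append((severity, section, body))
    for clsid, sections in shared_clsids(entries).items():
        findings.append(("review", "+".join(sections), f"CLSID {clsid} shared"))
    return findings


if __name__ == "__main__":
    for severity, where, detail in triage(SAMPLE_LOG):
        print(f"[{severity:7}] {where:8} {detail}")
```

Running it prints a cleanup line for the orphaned O2 BHO and the missing Apache service, and review lines for the two orphaned O21/O22 entries plus the CLSID they share.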

#2 hammerman

  • Group: Member
  • Posts: 4,183
  • Joined: 28-November 08

Posted 13 December 2009 - 06:04 AM

Hello Alistair1982 and welcome to GeeksToGo :)
I'm hammerman and I'm going to help you fix your problem.

Before we begin, here are some guidelines which will help us both in fixing your problem.
  • I suggest you print or save any instructions I give you for easy reference. We may be using Safe mode and you will not always be able to access this thread. You can copy and paste these instructions into Notepad and then save the text file to your Desktop. If you need any help with this or further clarification, please let me know.
  • Please do not attach logs or post them in Quote/Code boxes unless requested.
  • When posting logs, please ensure Word Wrap is turned off in Notepad. Open Notepad, select Format on the menu bar and make sure that Word Wrap is unchecked.
  • Please follow the steps exactly in the same order posted. If you can't perform a certain step, or you're unsure on what to do, please stop and let me know.
  • Malware removal is not instantaneous and will take a number of steps to complete. Please continue to carry out the steps requested until I let you know that your computer appears clean.
  • If in doubt about anything, please ask.


Please post your Malwarebytes log.

Please follow these steps.

-- Step 1 --

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Custom Scan box paste this in

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    nvstor32.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT


  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.

-- Step 2 --

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

#3 Alistair1982

  • Group: Member
  • Posts: 14
  • Joined: 12-December 09

Posted 13 December 2009 - 11:23 AM

Thank you for the fast reply. Here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.42
Database version: 3350
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

12/12/2009 11:01:23 AM
mbam-log-2009-12-12 (11-01-23).txt

Scan type: Quick Scan
Objects scanned: 123926
Time elapsed: 15 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wklcvkxp (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wklcvkxp (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\nanulote.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

#4 Alistair1982

  • Group: Member
  • Posts: 14
  • Joined: 12-December 09

Posted 13 December 2009 - 11:25 AM

Here is the OTL report:

OTL logfile created on: 12/13/2009 9:13:57 AM - Run 2
OTL by OldTimer - Version 3.1.16.0 Folder = C:\Documents and Settings\Ali\Desktop\Anti Malware Programs
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.20 Gb Available Physical Memory | 60.24% Memory free
3.33 Gb Paging File | 2.64 Gb Available in Paging File | 79.45% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 96.91 Gb Total Space | 45.24 Gb Free Space | 46.68% Space Free | Partition Type: NTFS
Drive D: | 13.86 Gb Total Space | 1.02 Gb Free Space | 7.38% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 580.61 Gb Total Space | 196.82 Gb Free Space | 33.90% Space Free | Partition Type: NTFS

Computer Name: SILVERSTREAK
Current User Name: Ali
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Ali\Desktop\Anti Malware Programs\OTL.exe (OldTimer Tools)
PRC - c:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\MPF\MpfSrv.exe (McAfee, Inc.)
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
PRC - C:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\ZuneBusEnum.exe (Microsoft Corporation)
PRC - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe (McAfee)
PRC - c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
PRC - c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\Citrix\Streaming Client\RadeSvc.exe (Citrix Systems, Inc.)
PRC - C:\Program Files\Common Files\Citrix\System32\CdfSvc.exe (Citrix Systems, Inc.)
PRC - C:\WINDOWS\system32\mqtgsvc.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\mqsvc.exe (Microsoft Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
PRC - C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
PRC - C:\WINDOWS\system32\igfxsrvc.exe (Intel Corporation)
PRC - C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft IntelliType Pro\itype.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)
PRC - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe (Hewlett-Packard Development Company, L.P.)
PRC - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe ( Hewlett-Packard Development Company, L.P.)
PRC - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
PRC - C:\Program Files\Common Files\LightScribe\LSSrvc.exe (Hewlett-Packard Company)
PRC - C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe (Hewlett-Packard Development Company, L.P.)
PRC - C:\Program Files\HPQ\Shared\HpqToaster.exe ()
PRC - C:\WINDOWS\ehome\RMSvc.exe (Microsoft Corporation)
PRC - C:\WINDOWS\ehome\RMSysTry.exe (Microsoft Corporation)
PRC - C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe (Hewlett-Packard Co.)
PRC - C:\Program Files\Hp\hpcoretech\hpcmpmgr.exe (Hewlett-Packard Company)
PRC - C:\Program Files\Hp\hpcoretech\comp\hptskmgr.exe (Hewlett-Packard Company)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Ali\Desktop\Anti Malware Programs\OTL.exe (OldTimer Tools)


========== Win32 Services (SafeList) ==========

SRV - (Apache2.2) -- File not found
SRV - (MpfService) -- C:\Program Files\McAfee\MPF\MPFSrv.exe (McAfee, Inc.)
SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (McODS) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SRV - (McShield) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
SRV - (McSysmon) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
SRV - (ZuneWlanCfgSvc) -- C:\WINDOWS\system32\ZuneWlanCfgSvc.exe (Microsoft Corporation)
SRV - (ZuneNetworkSvc) -- C:\Program Files\Zune\ZuneNss.exe (Microsoft Corporation)
SRV - (ZuneBusEnum) -- C:\WINDOWS\system32\ZuneBusEnum.exe (Microsoft Corporation)
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Acresso Software Inc.)
SRV - (mcmscsvc) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
SRV - (MBackMonitor) -- C:\Program Files\McAfee\MBK\MBackMonitor.exe (McAfee)
SRV - (McProxy) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
SRV - (McNASvc) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
SRV - (odserv) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)
SRV - (Microsoft Office Groove Audit Service) -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe (Microsoft Corporation)
SRV - (GoToMyPC) -- C:\Program Files\Citrix\GoToMyPC\g2svc.exe (Citrix Online, a division of Citrix Systems, Inc.)
SRV - (RadeSvc) -- C:\Program Files\Citrix\Streaming Client\RadeSvc.exe (Citrix Systems, Inc.)
SRV - (CdfSvc) -- C:\Program Files\Common Files\Citrix\System32\CdfSvc.exe (Citrix Systems, Inc.)
SRV - (MSMQTriggers) -- C:\WINDOWS\system32\mqtgsvc.exe (Microsoft Corporation)
SRV - (MSMQ) -- C:\WINDOWS\system32\mqsvc.exe (Microsoft Corporation)
SRV - (ose) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (hpqwmiex) -- C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe (Hewlett-Packard Development Company, L.P.)
SRV - (LightScribeService) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe (Hewlett-Packard Company)
SRV - (RMSvc) -- C:\WINDOWS\ehome\RMSvc.exe (Microsoft Corporation)
SRV - (IDriverT) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\HPZipm12.exe (HP)


========== Driver Services (SafeList) ==========

DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mfeavfk) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)
DRV - (mfesmfk) -- C:\WINDOWS\system32\drivers\mfesmfk.sys (McAfee, Inc.)
DRV - (mfebopk) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)
DRV - (mferkdk) -- C:\WINDOWS\system32\drivers\mferkdk.sys (McAfee, Inc.)
DRV - (zumbus) -- C:\WINDOWS\system32\drivers\zumbus.sys (Microsoft Corporation)
DRV - (MPFP) -- C:\WINDOWS\system32\drivers\Mpfp.sys (McAfee, Inc.)
DRV - (NETw5x32) Intel® -- C:\WINDOWS\system32\drivers\NETw5x32.sys (Intel Corporation)
DRV - (CtxSbx) -- C:\WINDOWS\system32\drivers\CtxSbx.sys (Citrix Systems, Inc.)
DRV - (ctxpidmn) -- C:\WINDOWS\system32\drivers\ctxpidmn.sys (Citrix Systems, Inc.)
DRV - (adfs) -- C:\WINDOWS\system32\drivers\adfs.sys (Adobe Systems, Inc.)
DRV - (cdfdrv) -- C:\WINDOWS\system32\drivers\cdfdrv.sys (Citrix Systems, Inc.)
DRV - (RMCAST) -- C:\WINDOWS\system32\drivers\rmcast.sys (Microsoft Corporation)
DRV - (AegisP) AEGIS Protocol (IEEE 802.1x) -- C:\WINDOWS\system32\drivers\AegisP.sys (Meetinghouse Data Communications)
DRV - (GEARAspiWDM) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (MQAC) -- C:\WINDOWS\system32\drivers\mqac.sys (Microsoft Corporation)
DRV - (amdagp) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)
DRV - (sisagp) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)
DRV - (ialm) -- C:\WINDOWS\system32\drivers\igxpmp32.sys (Intel Corporation)
DRV - (Secdrv) -- C:\WINDOWS\system32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (BVRPMPR5) -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS (Avanquest Software)
DRV - (NuidFltr) -- C:\WINDOWS\system32\drivers\nuidfltr.sys (Microsoft Corporation)
DRV - (Point32) -- C:\WINDOWS\system32\drivers\point32.sys (Microsoft Corporation)
DRV - (WinUSB) -- C:\WINDOWS\system32\drivers\winusb.sys (Microsoft Corporation)
DRV - (HdAudAddService) -- C:\WINDOWS\system32\drivers\CHDAud.sys (Conexant Systems Inc.)
DRV - (w39n51) Intel® -- C:\WINDOWS\system32\drivers\w39n51.sys (Intel® Corporation)
DRV - (SynTP) -- C:\WINDOWS\system32\drivers\SynTP.sys (Synaptics, Inc.)
DRV - (mdmxsdk) -- C:\WINDOWS\system32\drivers\mdmxsdk.sys (Conexant)
DRV - (E100B) Intel® -- C:\WINDOWS\system32\drivers\e100b325.sys (Intel Corporation)
DRV - (iaStor) -- C:\WINDOWS\system32\DRIVERS\iaStor.sys (Intel Corporation)
DRV - (tifm21) -- C:\WINDOWS\system32\drivers\tifm21.sys (Texas Instruments)
DRV - (eabusb) -- C:\WINDOWS\system32\drivers\EabUsb.sys (Hewlett-Packard Development Company, L.P.)
DRV - (HBtnKey) -- C:\WINDOWS\system32\drivers\CPQBttn.sys (Hewlett-Packard Development Company, L.P.)
DRV - (eabfiltr) -- C:\WINDOWS\system32\drivers\eabfiltr.sys (Hewlett-Packard Development Company, L.P.)
DRV - (HSF_DPV) -- C:\WINDOWS\system32\drivers\HSF_DPV.sys (Conexant Systems, Inc.)
DRV - (HSFHWAZL) -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (PxHelp20) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)
DRV - (Ptilink) -- C:\WINDOWS\system32\drivers\ptilink.sys (Parallel Technologies, Inc.)
DRV - (rtl8139) Realtek RTL8139(A/B/C) -- C:\WINDOWS\system32\drivers\RTL8139.sys (Realtek Semiconductor Corporation)
DRV - (HPZid412) -- C:\WINDOWS\system32\drivers\HPZid412.sys (HP)
DRV - (HPZius12) -- C:\WINDOWS\system32\drivers\HPZius12.sys (HP)
DRV - (HPZipr12) -- C:\WINDOWS\system32\drivers\HPZipr12.sys (HP)
DRV - (DNINDIS5) -- C:\WINDOWS\system32\DNINDIS5.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (Sparrow) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec, Inc.)
DRV - (sym_u3) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic)
DRV - (sym_hi) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic)
DRV - (symc8xx) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic)
DRV - (symc810) -- C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc.)
DRV - (ultra) -- C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)
DRV - (ql12160) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys (QLogic Corporation)
DRV - (ql1080) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys (QLogic Corporation)
DRV - (ql1280) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys (QLogic Corporation)
DRV - (dac2w2k) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Corporation)
DRV - (mraid35x) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys (American Megatrends Inc.)
DRV - (asc) -- C:\WINDOWS\system32\DRIVERS\asc.sys (Advanced System Products, Inc.)
DRV - (asc3550) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys (Advanced System Products, Inc.)
DRV - (AliIde) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (CmdIde) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.google.com"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: personas@christopher.beard:1.4


FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/11 12:12:48 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/11 12:12:31 | 00,000,000 | ---D | M]

[2009/12/11 12:12:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ali\Application Data\Mozilla\Extensions
[2009/06/24 19:24:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ali\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2009/12/12 13:03:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\m13k1mau.default\extensions
[2009/12/11 12:14:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\m13k1mau.default\extensions\personas@christopher.beard
[2009/12/12 13:03:14 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/08/16 17:42:02 | 00,070,456 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\CgpCore.dll
[2008/08/16 17:42:12 | 00,091,448 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\confmgr.dll
[2008/08/16 17:42:08 | 00,020,800 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\ctxlogging.dll
[2008/05/21 08:41:08 | 00,479,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\msvcm80.dll
[2008/05/21 08:41:08 | 00,548,864 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\msvcp80.dll
[2008/05/21 08:41:08 | 00,626,688 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\msvcr80.dll
[2008/08/16 17:44:46 | 00,427,312 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npicaN.dll
[2008/08/16 20:00:06 | 00,030,528 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\nprade.dll
[2008/08/16 17:42:04 | 00,023,864 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\TcpPServ.dll

O1 HOSTS File: (362846 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 activate.adobe.com
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 12472 more lines...
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\Cpqset.exe ()
O4 - HKLM..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe (Citrix Online, a division of Citrix Systems, Inc.)
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\CHDAudPropShortcut.exe (Windows ® Server 2003 DDK provider)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [HP Component Manager] C:\Program Files\HP\hpcoretech\hpcmpmgr.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [HP Software Update] c:\Program Files\Hp\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Co.)
O4 - HKLM..\Run: [hpWirelessAssistant] C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe (Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation)
O4 - HKLM..\Run: [itype] C:\Program Files\Microsoft IntelliType Pro\itype.exe (Microsoft Corporation)
O4 - HKLM..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe (McAfee)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [MsmqIntCert] C:\WINDOWS\System32\mqrt.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [QlbCtrl] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe ( Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [RecGuard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [Zune Launcher] C:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\StartUp\Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O15 - HKLM\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://go.microsoft....k/?linkid=58813 (Office Genuine Advantage Validation Tool)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1178813950515 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab (MSN Games - Installer)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 172.16.0.1
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\Hp\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\GoToMyPC: DllName - C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll - C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O21 - SSODL: huloseger - {6fb0d2c2-bb14-4496-a999-f8f24f158d8d} - CLSID or File not found.
O22 - SharedTaskScheduler: {6fb0d2c2-bb14-4496-a999-f8f24f158d8d} - kupuhivus - Reg Error: Key error. File not found
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2001/07/27 23:07:38 | 00,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2004/04/30 15:01:14 | 00,000,053 | -HS- | M] () - D:\Autorun.inf -- [ FAT32 ]
O33 - MountPoints2\{0cf5b3d1-95c0-11db-97a7-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{0cf5b3d1-95c0-11db-97a7-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2006/11/06 12:04:23 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

MsConfig - StartUpReg: GrooveMonitor - hkey= - key= - C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
MsConfig - StartUpReg: hoyuwubom - hkey= - key= - File not found
MsConfig - StartUpReg: QPService - hkey= - key= - C:\Program Files\HP\QuickPlay\QPService.exe (CyberLink Corp.)
MsConfig - StartUpReg: swg - hkey= - key= - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe File not found
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 2

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: mcmscsvc - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
SafeBootMin: MCODS - C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: mcmscsvc - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
SafeBootNet: MCODS - C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SafeBootNet: MpfService - C:\Program Files\McAfee\MPF\MPFSrv.exe (McAfee, Inc.)
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Microsoft VM
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {1452AAA6-E26E-E58F-1DC2-44A63ED0A734} - Internet Explorer
ActiveX: {1BC46932-21B2-4130-86E0-B4EB4F7A7A7B} - Microsoft .NET Framework 1.0 Hotfix (KB887998)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {407408d4-94ed-4d86-ab69-a7f649d112ee} - %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection QuickLaunchShortcut 640 %systemroot%\inf\mcdftreg.inf
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4b218e3e-bc98-4770-93d3-2731b9329278} - %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - %SystemRoot%\system32\ie4uinit.exe
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {BDE0FA43-6952-4BA8-8C58-09AF690F88E1} - Microsoft .NET Framework 1.0 Hotfix (KB930494)
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {DAA94A2A-2A8D-4D3B-9DB8-56FBECED082D} - Microsoft .NET Framework 1.1 Security Update (KB953297)
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E8EA5BD6-D931-4001-ABF6-81BAA500360A} - Microsoft .NET Framework 1.0 Hotfix (KB953295)
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {EA29D410-CE41-4953-A862-2DE706A1DAD7} - Microsoft .NET Framework 1.0 Service Pack 3
ActiveX: {FDC11A6F-17D1-48f9-9EA3-9051954BAA24} - .NET Framework
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
ActiveX: KB910393 - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\EasyCDBlock.inf,PerUserInstall

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.lhacm - C:\WINDOWS\System32\lhacm.acm (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (52920744480342016)

========== Files/Folders - Created Within 30 Days ==========

[2009/12/12 12:09:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ali\Local Settings\Application Data\Blizzard Entertainment
[2009/12/12 11:46:25 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\Ali\Recent
[2009/12/12 11:36:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ali\Local Settings\Application Data\Apple
[2009/12/12 11:29:16 | 00,000,000 | ---D | C] -- C:\_OTL
[2009/12/12 11:18:32 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ali\Desktop\Anti Malware Programs
[2009/12/12 10:04:37 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/12 10:04:35 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/12 10:04:34 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/12/12 10:04:00 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/12/12 10:03:42 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/12/12 09:17:04 | 00,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2009/12/12 09:13:12 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/12/12 08:26:50 | 00,000,000 | ---D | C] -- C:\Program Files\NetWaiting
[2009/12/12 08:14:27 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2009/12/12 08:14:27 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2009/12/12 07:57:48 | 00,195,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2009/12/12 07:56:41 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ali\Local Settings\Application Data\PCHealth
[2009/12/05 22:41:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ali\My Documents\Heroes of Might and Magic III Complete
[2009/12/05 22:15:53 | 00,000,000 | ---D | C] -- C:\Program Files\EA GAMES
[2009/12/05 22:14:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ali\Application Data\Participatory Culture Foundation
[2009/12/05 22:12:12 | 00,000,000 | ---D | C] -- C:\Program Files\Participatory Culture Foundation
[2009/12/04 15:35:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ali\Local Settings\Application Data\Apple Computer
[2009/11/28 04:38:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ali\Local Settings\Application Data\Mozilla
[2009/11/27 22:52:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ali\Application Data\Malwarebytes
[2009/11/27 22:49:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/11/26 22:14:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/11/26 21:37:02 | 00,016,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsgXP_2k3.dll
[2009/11/26 21:35:41 | 00,000,000 | ---D | C] -- C:\Program Files\Zune
[2009/11/26 21:33:02 | 00,062,976 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cdrom.sys
[2009/11/26 21:33:01 | 00,465,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\imapi2fs.dll
[2009/11/26 21:33:01 | 00,465,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imapi2fs.dll
[2009/11/26 21:33:01 | 00,317,952 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\imapi2.dll
[2009/11/26 21:33:01 | 00,317,952 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imapi2.dll
[2009/11/21 14:41:46 | 00,000,000 | ---D | C] -- C:\Nikkala
[2009/11/14 08:29:58 | 00,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/11/14 08:29:58 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/11/14 08:29:58 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/11/13 23:37:13 | 00,093,360 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2008/09/16 16:49:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2007/04/21 06:04:40 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2007/02/17 06:20:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2006/11/06 13:08:58 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft

========== Files - Modified Within 30 Days ==========

[2009/12/12 12:09:59 | 00,013,661 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2009/12/12 11:47:33 | 12,582,912 | -H-- | M] () -- C:\Documents and Settings\Ali\NTUSER.DAT
[2009/12/12 11:46:26 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/12 11:45:49 | 02,246,464 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/12/12 11:45:37 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/12 11:45:29 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/12 11:45:25 | 21,371,16672 | -HS- | M] () -- C:\hiberfil.sys
[2009/12/12 11:44:16 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Ali\ntuser.ini
[2009/12/12 11:28:42 | 00,477,900 | ---- | M] () -- C:\Documents and Settings\Ali\My Documents\cc_20091212_112634.reg
[2009/12/12 11:01:45 | 04,811,516 | -H-- | M] () -- C:\Documents and Settings\Ali\Local Settings\Application Data\IconCache.db
[2009/12/12 09:01:48 | 00,362,846 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/12/12 08:44:47 | 00,000,113 | ---- | M] () -- C:\WINDOWS\WININIT.INI
[2009/12/12 08:06:23 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/12/10 03:33:15 | 00,539,836 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/12/10 03:33:15 | 00,455,316 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/12/10 03:33:15 | 00,075,264 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/01 01:00:16 | 00,000,314 | ---- | M] () -- C:\WINDOWS\tasks\McQcTask.job
[2009/11/28 10:36:37 | 00,109,208 | ---- | M] () -- C:\Documents and Settings\Ali\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/11/26 22:14:15 | 00,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_User_ZuneDriver_01_09_00.Wdf
[2009/11/26 22:14:15 | 00,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_WinUSB_01009.Wdf
[2009/11/26 22:09:59 | 00,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\MsftWdf_user_01_09_00.Wdf
[2009/11/26 21:37:08 | 00,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_zumbus_01009.Wdf
[2009/11/26 21:37:05 | 00,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
[2009/11/17 13:31:25 | 00,663,552 | ---- | M] () -- C:\Documents and Settings\Ali\My Documents\Dan's Stereo Warehouse.accdb
[2009/11/17 11:34:11 | 00,000,709 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/11/17 11:34:11 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/11/17 11:34:11 | 00,000,209 | RHS- | M] () -- C:\boot.ini
[2009/11/17 11:24:43 | 00,208,166 | ---- | M] () -- C:\Documents and Settings\Ali\Desktop\10206878.accdt
[2009/11/15 01:09:43 | 00,000,336 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job
[2009/11/13 23:37:05 | 00,093,360 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys

========== Files Created - No Company Name ==========

[2009/12/12 11:26:44 | 00,477,900 | ---- | C] () -- C:\Documents and Settings\Ali\My Documents\cc_20091212_112634.reg
[2009/11/28 04:35:06 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Ali\Local Settings\Application Data\DSwitch.txt
[2009/11/28 04:35:05 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Ali\Local Settings\Application Data\QSwitch.txt
[2009/11/28 04:35:05 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Ali\Local Settings\Application Data\AtStart.txt
[2009/11/26 22:14:15 | 00,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_User_ZuneDriver_01_09_00.Wdf
[2009/11/26 22:14:15 | 00,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_WinUSB_01009.Wdf
[2009/11/26 22:09:59 | 00,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\MsftWdf_user_01_09_00.Wdf
[2009/11/26 21:37:08 | 00,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_zumbus_01009.Wdf
[2009/11/26 21:37:05 | 00,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
[2009/11/17 11:46:58 | 00,663,552 | ---- | C] () -- C:\Documents and Settings\Ali\My Documents\Dan's Stereo Warehouse.accdb
[2009/11/17 11:24:43 | 00,208,166 | ---- | C] () -- C:\Documents and Settings\Ali\Desktop\10206878.accdt
[2009/10/23 17:44:21 | 00,002,634 | ---- | C] () -- C:\WINDOWS\DevMgr.ini
[2009/09/07 18:29:00 | 00,000,027 | ---- | C] () -- C:\WINDOWS\SmartAudio.INI
[2009/09/02 17:15:37 | 00,000,210 | ---- | C] () -- C:\Documents and Settings\Ali\Application Data\1c64-ec47-1438-983d_6279rc
[2009/03/08 13:41:11 | 00,000,020 | ---- | C] () -- C:\WINDOWS\Hposcv07.INI
[2009/03/06 19:48:38 | 00,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2008/12/03 19:39:05 | 00,000,025 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2008/11/01 07:15:27 | 00,020,992 | ---- | C] () -- C:\WINDOWS\jestertb.dll
[2008/04/21 17:19:51 | 00,651,264 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2008/04/21 17:19:51 | 00,147,456 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2008/02/04 17:23:10 | 00,693,792 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2007/03/07 01:34:33 | 00,001,260 | ---- | C] () -- C:\Documents and Settings\Ali\Application Data\wklnhst.dat
[2007/02/15 21:34:58 | 00,002,019 | ---- | C] () -- C:\Documents and Settings\Ali\Application Data\Cosmos Prefs
[2006/11/06 13:51:16 | 00,000,174 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2006/11/06 13:48:58 | 00,000,698 | ---- | C] () -- C:\WINDOWS\NSSetDefaultBrowser.ini
[2006/11/06 13:30:03 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/11/06 13:22:54 | 00,028,836 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/03/28 05:51:10 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/03/28 05:18:26 | 00,002,895 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2006/03/28 05:15:24 | 00,000,113 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2006/03/28 05:12:08 | 00,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2005/12/02 10:09:10 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/08/05 22:01:54 | 00,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/01/13 11:46:34 | 00,172,032 | ---- | C] () -- C:\WINDOWS\System32\tifmicon.dll
[2002/11/20 17:51:34 | 00,159,744 | ---- | C] () -- C:\WINDOWS\System32\win2000.dll

========== Custom Scans ==========


< %ALLUSERSPROFILE%\Application Data\*. >
[2009/11/28 10:01:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2008/09/13 14:22:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple
[2009/01/10 23:41:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2008/10/14 22:41:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Blizzard
[2009/09/04 19:24:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Blizzard Entertainment
[2007/02/15 19:01:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CyberLink
[2008/12/19 10:46:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.4 Output
[2009/07/26 18:03:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FLEXnet
[2008/05/20 19:57:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Funcom
[2009/02/07 09:21:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Gtek
[2008/04/19 16:54:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
[2006/11/06 13:31:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HP
[2006/11/06 12:04:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InstallShield
[2006/11/06 13:51:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Intuit
[2009/12/12 08:16:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2009/11/27 22:49:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/09/20 08:21:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2009/12/12 08:18:40 | 00,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2009/12/10 03:05:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft Help
[2007/10/31 09:54:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir
[2009/03/21 16:54:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MyHeritage
[2006/11/06 12:04:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBSI
[2006/11/06 12:04:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sonic
[2009/12/12 12:53:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2009/02/09 10:57:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Symantec
[2007/08/03 04:03:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2007/04/21 05:43:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2009/05/22 20:39:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Yahoo!
[2009/08/15 09:05:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

< %ALLUSERSPROFILE%\Application Data\*.exe /s >
[2005/06/16 00:08:46 | 02,393,338 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Intuit\Quicken\Sku\Qnue\Custom\inprod_deluxe.exe
[2005/06/16 02:07:48 | 03,514,373 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Intuit\Quicken\Sku\Qnue\Custom\inprod_premier.exe
[2005/06/16 00:10:04 | 02,402,304 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Intuit\Quicken\Sku\Qnue\Custom\inprod_qnue.exe
[2005/06/16 00:10:28 | 03,410,304 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Intuit\Quicken\Sku\Qnue\Custom\quicken_start.exe

< %APPDATA%\*. >
[2009/09/20 08:57:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ali\Application Data\Adobe
[2009/11/27 07:02:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ali\Application Data\AdobeUM
[2009/02/09 10:52:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ali\Application Data\Amazon
[2009/01/10 23:42:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ali\Application Data\Apple Computer
[2009/02/07 12:01:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ali\Application Data\Citrix
[2009/07/26 13:26:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ali\Application Data\Download Manager
[2008/12/19 10:46:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ali\Application Data\eFax Messenger
[2007/10/21 15:18:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ali\Application Data\funkitron
[2007/02/15 19:22:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ali\Application Data\Google
[2009/02/07 09:21:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ali\Application Data\GTek
[2007/02/15 19:00:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ali\Application Data\HP
[2009/02/07 12:00:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ali\Application Data\ICAClient
[2009/02/13 07:17:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ali\Application Data\Identities
[2006/11/06 13:51:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ali\Application Data\Intuit
[2008/12/19 10:45:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ali\Application Data\j2 Global
[2009/06/27 12:32:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ali\Application Data\LimeWire
[2007/02/15 18:29:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ali\Application Data\Macromedia
[2009/11/27 22:52:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ali\Application Data\Malwarebytes
[2009/11/26 21:35:42 | 00,000,000 | --SD | M] -- C:\Documents and Settings\Ali\Application Data\Microsoft
[2007/02/15 18:31:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ali\Application Data\Mozilla
[2009/06/22 11:22:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ali\Application Data\MozillaControl
[2009/09/02 17:09:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ali\Application Data\My Sam's Club Digital Photo Center
[2009/03/21 16:46:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ali\Application Data\MyHeritage
[2009/09/06 09:39:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ali\Application Data\OpenOffice.org2
[2009/12/05 22:14:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ali\Application Data\Participatory Culture Foundation
[2009/02/09 11:06:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ali\Application Data\Real
[2007/03/10 20:26:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ali\Application Data\Sun
[2009/03/06 19:46:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ali\Application Data\SystemRequirementsLab
[2008/06/10 17:41:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ali\Application Data\teamspeak2
[2007/03/31 00:54:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ali\Application Data\Template
[2009/01/24 18:56:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ali\Application Data\uTorrent
[2009/07/23 13:19:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ali\Application Data\Ventrilo
[2007/06/02 08:23:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ali\Application Data\WinRAR
[2009/01/02 18:45:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ali\Application Data\Wizards of the Coast
[2009/05/22 20:33:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ali\Application Data\Yahoo!

< %APPDATA%\*.exe /s >
[2009/06/24 19:24:23 | 00,163,840 | ---- | M] (Mozilla Foundation) -- C:\Documents and Settings\Ali\Application Data\LimeWire\browser\xulrunner\crashreporter.exe
[2009/06/24 19:24:27 | 00,196,608 | ---- | M] (Mozilla Foundation) -- C:\Documents and Settings\Ali\Application Data\LimeWire\browser\xulrunner\updater.exe
[2009/06/24 19:24:27 | 00,014,848 | ---- | M] () -- C:\Documents and Settings\Ali\Application Data\LimeWire\browser\xulrunner\xpcshell.exe
[2009/06/24 19:24:27 | 00,077,824 | ---- | M] (Mozilla Foundation) -- C:\Documents and Settings\Ali\Application Data\LimeWire\browser\xulrunner\xpicleanup.exe
[2009/06/24 19:24:28 | 00,266,240 | ---- | M] (Mozilla Foundation) -- C:\Documents and Settings\Ali\Application Data\LimeWire\browser\xulrunner\xpidl.exe
[2009/06/24 19:24:28 | 00,018,432 | ---- | M] () -- C:\Documents and Settings\Ali\Application Data\LimeWire\browser\xulrunner\xpt_dump.exe
[2009/06/24 19:24:28 | 00,014,336 | ---- | M] () -- C:\Documents and Settings\Ali\Application Data\LimeWire\browser\xulrunner\xpt_link.exe
[2009/06/24 19:24:28 | 00,073,728 | ---- | M] (Mozilla Foundation) -- C:\Documents and Settings\Ali\Application Data\LimeWire\browser\xulrunner\xulrunner-stub.exe
[2009/06/24 19:24:28 | 00,102,400 | ---- | M] (Mozilla Foundation) -- C:\Documents and Settings\Ali\Application Data\LimeWire\browser\xulrunner\xulrunner.exe
[2009/06/08 12:59:42 | 00,319,488 | ---- | M] (Octoshape ApS) -- C:\Documents and Settings\Ali\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
[2008/04/19 16:54:16 | 00,045,056 | R--- | M] (InstallShield Software Corp.) -- C:\Documents and Settings\Ali\Application Data\Microsoft\Installer\{457791C5-D702-4143-A7B2-2744BE9573F2}\NewShortcut1_5B69D3033CA54B39B5ECE7D051297E77.exe
[2006/03/28 04:53:28 | 00,010,134 | R--- | M] () -- C:\Documents and Settings\Ali\Application Data\Microsoft\Installer\{52FBAE98-D389-4281-8C14-21B4046CCB4E}\ARPPRODUCTICON.exe
[2006/03/28 04:53:34 | 00,010,134 | R--- | M] () -- C:\Documents and Settings\Ali\Application Data\Microsoft\Installer\{B16AF568-A644-483C-A6DA-5028CD019C8C}\ARPPRODUCTICON.exe
[2008/03/02 10:25:28 | 00,329,264 | ---- | M] (RealNetworks, Inc.) -- C:\Documents and Settings\Ali\Application Data\Real\RealPlayer\Update\RealPlayer11GOLD.exe
[2009/03/06 19:46:57 | 00,071,624 | ---- | M] () -- C:\Documents and Settings\Ali\Application Data\SystemRequirementsLab\SystemRequirementsLab.exe

< %SYSTEMDRIVE%\*.exe >


< %systemroot%\*. /mp /s >

========== Alternate Data Streams ==========

@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4BB26BE9
< End of report >

#5 hammerman

  • Group: Member
  • Posts: 4,183
  • Joined: 28-November 08

Posted 13 December 2009 - 01:46 PM

Hi,

Do you have the GMER log?

#6 Alistair1982

  • Group: Member
  • Posts: 14
  • Joined: 12-December 09

Posted 13 December 2009 - 04:47 PM

Here is that log. Sorry it took a while for the scan to run.

GMER 1.0.15.15279 - http://www.gmer.net
Rootkit scan 2009-12-13 14:45:29
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Ali\LOCALS~1\Temp\ufloiaog.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA2B7978A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xA2B79821]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA2B79738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA2B7974C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA2B79835]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA2B79861]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xA2B798CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xA2B798B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA2B797CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xA2B798FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA2B7980D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA2B79710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA2B79724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA2B7979E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xA2B79937]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xA2B798A3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xA2B7988D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA2B7984B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xA2B79923]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xA2B7990F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA2B79776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA2B79762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xA2B79877]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA2B797F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xA2B798E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA2B797E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA2B797B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP A2B797B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP A2B7978E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2004 7 Bytes JMP A2B797CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E12 5 Bytes JMP A2B797E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E8 7 Bytes JMP A2B797A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB40A 5 Bytes JMP A2B79714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB696 5 Bytes JMP A2B79728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE54 5 Bytes JMP A2B79766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1144 7 Bytes JMP A2B79750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11FA 5 Bytes JMP A2B7973C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1704 5 Bytes JMP A2B7977A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AC 5 Bytes JMP A2B797FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 806219EA 7 Bytes JMP A2B79891 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D38 7 Bytes JMP A2B7987B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80622062 7 Bytes JMP A2B798E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80622900 7 Bytes JMP A2B798A7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231D4 7 Bytes JMP A2B7984F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806237B2 5 Bytes JMP A2B79825 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C42 7 Bytes JMP A2B79839 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E12 7 Bytes JMP A2B79865 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF2 7 Bytes JMP A2B798D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062425C 7 Bytes JMP A2B798BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624B84 5 Bytes JMP A2B79811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80624EAA 7 Bytes JMP A2B7993B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8062516A 5 Bytes JMP A2B79913 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8062585E 5 Bytes JMP A2B79927 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80625978 5 Bytes JMP A2B798FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xB8860EBF]

---- User code sections - GMER 1.0.15 ----

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[252] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[252] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\svchost.exe[380] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\system32\svchost.exe[380] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BB00A4
.text C:\WINDOWS\system32\svchost.exe[380] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BB0093
.text C:\WINDOWS\system32\svchost.exe[380] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BB0FB9
.text C:\WINDOWS\system32\svchost.exe[380] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BB0076
.text C:\WINDOWS\system32\svchost.exe[380] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BB0040
.text C:\WINDOWS\system32\svchost.exe[380] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BB0F77
.text C:\WINDOWS\system32\svchost.exe[380] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BB0F9E
.text C:\WINDOWS\system32\svchost.exe[380] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BB0F30
.text C:\WINDOWS\system32\svchost.exe[380] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BB0F4B
.text C:\WINDOWS\system32\svchost.exe[380] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BB0F1F
.text C:\WINDOWS\system32\svchost.exe[380] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BB0065
.text C:\WINDOWS\system32\svchost.exe[380] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BB0FD4
.text C:\WINDOWS\system32\svchost.exe[380] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BB00C9
.text C:\WINDOWS\system32\svchost.exe[380] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BB0025
.text C:\WINDOWS\system32\svchost.exe[380] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BB000A
.text C:\WINDOWS\system32\svchost.exe[380] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BB0F66
.text C:\WINDOWS\system32\svchost.exe[380] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00680FCA
.text C:\WINDOWS\system32\svchost.exe[380] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00680073
.text C:\WINDOWS\system32\svchost.exe[380] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00680FDB
.text C:\WINDOWS\system32\svchost.exe[380] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0068001B
.text C:\WINDOWS\system32\svchost.exe[380] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00680062
.text C:\WINDOWS\system32\svchost.exe[380] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0068000A
.text C:\WINDOWS\system32\svchost.exe[380] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00680051
.text C:\WINDOWS\system32\svchost.exe[380] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00680040
.text C:\WINDOWS\system32\svchost.exe[380] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00670FB0
.text C:\WINDOWS\system32\svchost.exe[380] msvcrt.dll!system 77C293C7 5 Bytes JMP 00670FC1
.text C:\WINDOWS\system32\svchost.exe[380] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0067001D
.text C:\WINDOWS\system32\svchost.exe[380] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00670FE3
.text C:\WINDOWS\system32\svchost.exe[380] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00670FD2
.text C:\WINDOWS\system32\svchost.exe[380] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00670000
.text C:\WINDOWS\system32\svchost.exe[380] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00660000
.text C:\WINDOWS\system32\svchost.exe[380] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00660FE5
.text C:\WINDOWS\system32\svchost.exe[380] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00660FC8
.text C:\WINDOWS\system32\svchost.exe[380] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00660FAD
.text C:\WINDOWS\system32\svchost.exe[380] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00650FEF
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F50000
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F5007B
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F50F86
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F50F97
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F50FA8
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F50025
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F50F33
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F50F50
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F50EEC
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F50EFD
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F50096
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F50040
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F50FDB
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F50F6B
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F50FB9
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F50FCA
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F50F18
.text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00070FC3
.text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00070F7C
.text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00070F8D
.text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0007000A
.text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0007002F
.text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00070FA8
.text C:\WINDOWS\system32\services.exe[936] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00060F8B
.text C:\WINDOWS\system32\services.exe[936] msvcrt.dll!system 77C293C7 5 Bytes JMP 0006000C
.text C:\WINDOWS\system32\services.exe[936] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00060FC1
.text C:\WINDOWS\system32\services.exe[936] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[936] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00060F9C
.text C:\WINDOWS\system32\services.exe[936] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00060FD2
.text C:\WINDOWS\system32\services.exe[936] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 0005000A
.text C:\WINDOWS\system32\services.exe[936] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00050FE5
.text C:\WINDOWS\system32\services.exe[936] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00050FD4
.text C:\WINDOWS\system32\services.exe[936] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00050027
.text C:\WINDOWS\system32\services.exe[936] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01200FEF
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01200087
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01200076
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01200F9C
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01200065
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01200040
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01200F46
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01200098
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 012000C4
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01200F2B
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01200F10
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01200FB9
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01200014
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01200F6D
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01200FDE
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0120002F
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 012000A9
.text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FF0FCD
.text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FF006F
.text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FF0FDE
.text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FF000A
.text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FF0FB2
.text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00FF0054
.text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FF0039
.text C:\WINDOWS\system32\lsass.exe[948] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FE0FC1
.text C:\WINDOWS\system32\lsass.exe[948] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FE004C
.text C:\WINDOWS\system32\lsass.exe[948] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FE0FD2
.text C:\WINDOWS\system32\lsass.exe[948] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\lsass.exe[948] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FE0027
.text C:\WINDOWS\system32\lsass.exe[948] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FE000C
.text C:\WINDOWS\system32\lsass.exe[948] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FC0FE5
.text C:\WINDOWS\system32\lsass.exe[948] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00FD0FEF
.text C:\WINDOWS\system32\lsass.exe[948] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00FD0000
.text C:\WINDOWS\system32\lsass.exe[948] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00FD0025
.text C:\WINDOWS\system32\lsass.exe[948] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00FD0036
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02690FEF
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0269006C
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02690F6D
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02690047
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02690036
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02690025
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02690F41
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02690F52
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 026900B5
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 026900A4
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 026900DA
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02690F94
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02690FDE
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0269007D
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02690014
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02690FC3
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02690F26
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02680F9E
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02680F57
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02680FB9
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02680FD4
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02680014
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02680FEF
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02680F72
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [88, 8A]
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02680F8D
.text C:\WINDOWS\system32\svchost.exe[1124] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 026A000A
.text C:\WINDOWS\system32\svchost.exe[1124] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02620053
.text C:\WINDOWS\system32\svchost.exe[1124] msvcrt.dll!system 77C293C7 5 Bytes JMP 02620042
.text C:\WINDOWS\system32\svchost.exe[1124] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02620FE3
.text C:\WINDOWS\system32\svchost.exe[1124] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02620000
.text C:\WINDOWS\system32\svchost.exe[1124] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02620FC8
.text C:\WINDOWS\system32\svchost.exe[1124] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02620011
.text C:\WINDOWS\system32\svchost.exe[1124] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 02440014
.text C:\WINDOWS\system32\svchost.exe[1124] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 02440FEF
.text C:\WINDOWS\system32\svchost.exe[1124] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 02440FDE
.text C:\WINDOWS\system32\svchost.exe[1124] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 02440031
.text C:\WINDOWS\system32\svchost.exe[1124] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02430FE5
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DC000A
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DC009A
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DC0FA5
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DC007F
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DC0FC0
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DC0051
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DC0F6D
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DC0F8A
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DC00F5
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DC00E4
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DC0106
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DC0062
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DC0025
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DC00AB
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DC0FDB
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DC0036
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DC0F5C
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00DB0040
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00DB0FB9
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00DB002F
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00DB0014
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00DB0076
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00DB0FEF
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00DB005B
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00DB0FD4
.text C:\WINDOWS\system32\svchost.exe[1208] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DA0027
.text C:\WINDOWS\system32\svchost.exe[1208] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DA0FA6
.text C:\WINDOWS\system32\svchost.exe[1208] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DA0FD2
.text C:\WINDOWS\system32\svchost.exe[1208] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DA0000
.text C:\WINDOWS\system32\svchost.exe[1208] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DA0FB7
.text C:\WINDOWS\system32\svchost.exe[1208] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DA0FE3
.text C:\WINDOWS\system32\svchost.exe[1208] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00D90FE5
.text C:\WINDOWS\system32\svchost.exe[1208] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00D90000
.text C:\WINDOWS\system32\svchost.exe[1208] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00D90FD4
.text C:\WINDOWS\system32\svchost.exe[1208] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00D90027
.text C:\WINDOWS\system32\svchost.exe[1208] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D80FEF
.text C:\WINDOWS\System32\svchost.exe[1384] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02CE0FEF
.text C:\WINDOWS\System32\svchost.exe[1384] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02CE004C
.text C:\WINDOWS\System32\svchost.exe[1384] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02CE0F57
.text C:\WINDOWS\System32\svchost.exe[1384] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02CE0F68
.text C:\WINDOWS\System32\svchost.exe[1384] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02CE0F79
.text C:\WINDOWS\System32\svchost.exe[1384] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02CE001B
.text C:\WINDOWS\System32\svchost.exe[1384] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02CE0067
.text C:\WINDOWS\System32\svchost.exe[1384] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02CE0F21
.text C:\WINDOWS\System32\svchost.exe[1384] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02CE0ECE
.text C:\WINDOWS\System32\svchost.exe[1384] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02CE0EE9
.text C:\WINDOWS\System32\svchost.exe[1384] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02CE0EB3
.text C:\WINDOWS\System32\svchost.exe[1384] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02CE0F94
.text C:\WINDOWS\System32\svchost.exe[1384] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02CE0FCA
.text C:\WINDOWS\System32\svchost.exe[1384] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02CE0F3C
.text C:\WINDOWS\System32\svchost.exe[1384] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02CE0000
.text C:\WINDOWS\System32\svchost.exe[1384] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02CE0FAF
.text C:\WINDOWS\System32\svchost.exe[1384] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02CE0F04
.text C:\WINDOWS\System32\svchost.exe[1384] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02CD001E
.text C:\WINDOWS\System32\svchost.exe[1384] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02CD0065
.text C:\WINDOWS\System32\svchost.exe[1384] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02CD0FC3
.text C:\WINDOWS\System32\svchost.exe[1384] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02CD0FD4
.text C:\WINDOWS\System32\svchost.exe[1384] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02CD0054
.text C:\WINDOWS\System32\svchost.exe[1384] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02CD0FEF
.text C:\WINDOWS\System32\svchost.exe[1384] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02CD0043
.text C:\WINDOWS\System32\svchost.exe[1384] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02CD0FB2
.text C:\WINDOWS\System32\svchost.exe[1384] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02CC0069
.text C:\WINDOWS\System32\svchost.exe[1384] msvcrt.dll!system 77C293C7 5 Bytes JMP 02CC0058
.text C:\WINDOWS\System32\svchost.exe[1384] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02CC0FDE
.text C:\WINDOWS\System32\svchost.exe[1384] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02CC000C
.text C:\WINDOWS\System32\svchost.exe[1384] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02CC0033
.text C:\WINDOWS\System32\svchost.exe[1384] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02CC0FEF
.text C:\WINDOWS\System32\svchost.exe[1384] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 02CB0FEF
.text C:\WINDOWS\System32\svchost.exe[1384] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 02CB0000
.text C:\WINDOWS\System32\svchost.exe[1384] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 02CB0027
.text C:\WINDOWS\System32\svchost.exe[1384] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 02CB0FD4
.text C:\WINDOWS\System32\svchost.exe[1384] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02CA0FE5
.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00670FEF
.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0067007B
.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0067006A
.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00670F86
.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00670043
.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0067001E
.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00670096
.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00670F4E
.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00670F29
.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006700C2
.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006700DD
.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00670F97
.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00670FDE
.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00670F75
.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00670FA8
.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00670FC3
.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006700B1
.text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00660025
.text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0066005B
.text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00660FD4
.text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00660FE5
.text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0066004A
.text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00660000
.text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00660FA8
.text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [86, 88]
.text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00660FB9
.text C:\WINDOWS\system32\svchost.exe[1420] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00650FC3
.text C:\WINDOWS\system32\svchost.exe[1420] msvcrt.dll!system 77C293C7 5 Bytes JMP 00650FDE
.text C:\WINDOWS\system32\svchost.exe[1420] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0065003A
.text C:\WINDOWS\system32\svchost.exe[1420] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0065000C
.text C:\WINDOWS\system32\svchost.exe[1420] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00650FEF
.text C:\WINDOWS\system32\svchost.exe[1420] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0065001D
.text C:\WINDOWS\system32\svchost.exe[1420] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\system32\svchost.exe[1420] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 001B0000
.text C:\WINDOWS\system32\svchost.exe[1420] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 001B0FDE
.text C:\WINDOWS\system32\svchost.exe[1420] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 001B0031
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E90FEF
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E900AB
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E90FB6
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E90090
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E90073
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E9003D
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E90F8A
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E900D2
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E900F7
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E90F68
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E9011C
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E90058
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E90000
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E90FA5
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E9002C
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E90011
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E90F79
.text C:\WINDOWS\system32\svchost.exe[1632] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E80047
.text C:\WINDOWS\system32\svchost.exe[1632] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E8008E
.text C:\WINDOWS\system32\svchost.exe[1632] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E8002C
.text C:\WINDOWS\system32\svchost.exe[1632] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E8001B
.text C:\WINDOWS\system32\svchost.exe[1632] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E8007D
.text C:\WINDOWS\system32\svchost.exe[1632] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E80000
.text C:\WINDOWS\system32\svchost.exe[1632] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00E80FDB
.text C:\WINDOWS\system32\svchost.exe[1632] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [08, 89]
.text C:\WINDOWS\system32\svchost.exe[1632] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E80062
.text C:\WINDOWS\system32\svchost.exe[1632] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E70F9A
.text C:\WINDOWS\system32\svchost.exe[1632] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E70025
.text C:\WINDOWS\system32\svchost.exe[1632] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E70FC6
.text C:\WINDOWS\system32\svchost.exe[1632] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E70000
.text C:\WINDOWS\system32\svchost.exe[1632] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E70FB5
.text C:\WINDOWS\system32\svchost.exe[1632] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E70FE3
.text C:\WINDOWS\system32\svchost.exe[1632] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00E6000A
.text C:\WINDOWS\system32\svchost.exe[1632] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00E60FEF
.text C:\WINDOWS\system32\svchost.exe[1632] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00E60FD4
.text C:\WINDOWS\system32\svchost.exe[1632] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00E60FC3
.text C:\WINDOWS\system32\svchost.exe[1632] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E50FEF
.text C:\WINDOWS\system32\svchost.exe[1736] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BD000A
.text C:\WINDOWS\system32\svchost.exe[1736] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BD0071
.text C:\WINDOWS\system32\svchost.exe[1736] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BD0F72
.text C:\WINDOWS\system32\svchost.exe[1736] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BD0F8D
.text C:\WINDOWS\system32\svchost.exe[1736] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BD0F9E
.text C:\WINDOWS\system32\svchost.exe[1736] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BD0FD4
.text C:\WINDOWS\system32\svchost.exe[1736] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BD00B0
.text C:\WINDOWS\system32\svchost.exe[1736] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BD0093
.text C:\WINDOWS\system32\svchost.exe[1736] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BD00CB
.text C:\WINDOWS\system32\svchost.exe[1736] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BD0F3C
.text C:\WINDOWS\system32\svchost.exe[1736] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BD0F17
.text C:\WINDOWS\system32\svchost.exe[1736] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BD0FB9
.text C:\WINDOWS\system32\svchost.exe[1736] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BD0025
.text C:\WINDOWS\system32\svchost.exe[1736] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BD0082
.text C:\WINDOWS\system32\svchost.exe[1736] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BD0FE5
.text C:\WINDOWS\system32\svchost.exe[1736] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BD0036
.text C:\WINDOWS\system32\svchost.exe[1736] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BD0F4D
.text C:\WINDOWS\system32\svchost.exe[1736] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BC0025
.text C:\WINDOWS\system32\svchost.exe[1736] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BC0073
.text C:\WINDOWS\system32\svchost.exe[1736] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BC0FCA
.text C:\WINDOWS\system32\svchost.exe[1736] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BC0FE5
.text C:\WINDOWS\system32\svchost.exe[1736] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BC0062
.text C:\WINDOWS\system32\svchost.exe[1736] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BC0000
.text C:\WINDOWS\system32\svchost.exe[1736] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BC0047
.text C:\WINDOWS\system32\svchost.exe[1736] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BC0036
.text C:\WINDOWS\system32\svchost.exe[1736] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BB0F90
.text C:\WINDOWS\system32\svchost.exe[1736] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BB0FA1
.text C:\WINDOWS\system32\svchost.exe[1736] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BB0FCD
.text C:\WINDOWS\system32\svchost.exe[1736] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\system32\svchost.exe[1736] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BB0FBC
.text C:\WINDOWS\system32\svchost.exe[1736] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BB0FDE
.text C:\WINDOWS\system32\svchost.exe[1736] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00BA0000
.text C:\WINDOWS\system32\svchost.exe[1736] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\system32\svchost.exe[1736] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00BA0FBE
.text C:\WINDOWS\system32\svchost.exe[1736] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00BA0FAD
.text C:\WINDOWS\system32\svchost.exe[1736] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B90FE5
.text C:\WINDOWS\system32\svchost.exe[2216] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D2000A
.text C:\WINDOWS\system32\svchost.exe[2216] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D2005E
.text C:\WINDOWS\system32\svchost.exe[2216] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D20F69
.text C:\WINDOWS\system32\svchost.exe[2216] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D20043
.text C:\WINDOWS\system32\svchost.exe[2216] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D20F86
.text C:\WINDOWS\system32\svchost.exe[2216] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D20FA8
.text C:\WINDOWS\system32\svchost.exe[2216] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D20096
.text C:\WINDOWS\system32\svchost.exe[2216] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D20F4E
.text C:\WINDOWS\system32\svchost.exe[2216] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D200C2
.text C:\WINDOWS\system32\svchost.exe[2216] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D200A7
.text C:\WINDOWS\system32\svchost.exe[2216] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D20F0E
.text C:\WINDOWS\system32\svchost.exe[2216] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D20F97
.text C:\WINDOWS\system32\svchost.exe[2216] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D20FEF
.text C:\WINDOWS\system32\svchost.exe[2216] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D20079
.text C:\WINDOWS\system32\svchost.exe[2216] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D20FCD
.text C:\WINDOWS\system32\svchost.exe[2216] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D20FDE
.text C:\WINDOWS\system32\svchost.exe[2216] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D20F33
.text C:\WINDOWS\system32\svchost.exe[2216] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C1002C
.text C:\WINDOWS\system32\svchost.exe[2216] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C10F94
.text C:\WINDOWS\system32\svchost.exe[2216] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C1001B
.text C:\WINDOWS\system32\svchost.exe[2216] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C10000
.text C:\WINDOWS\system32\svchost.exe[2216] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C10FA5
.text C:\WINDOWS\system32\svchost.exe[2216] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C10FEF
.text C:\WINDOWS\system32\svchost.exe[2216] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C10FC0
.text C:\WINDOWS\system32\svchost.exe[2216] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E1, 88] {LOOPZ 0xffffffffffffff8a}
.text C:\WINDOWS\system32\svchost.exe[2216] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C10047
.text C:\WINDOWS\system32\svchost.exe[2216] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C00F75
.text C:\WINDOWS\system32\svchost.exe[2216] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C00F90
.text C:\WINDOWS\system32\svchost.exe[2216] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C00000
.text C:\WINDOWS\system32\svchost.exe[2216] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C00FE3
.text C:\WINDOWS\system32\svchost.exe[2216] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C00FA1
.text C:\WINDOWS\system32\svchost.exe[2216] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C00FC6
.text C:\WINDOWS\system32\svchost.exe[2216] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00BF001B
.text C:\WINDOWS\system32\svchost.exe[2216] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\svchost.exe[2216] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00BF0FE5
.text C:\WINDOWS\system32\svchost.exe[2216] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00BF0042
.text C:\WINDOWS\system32\svchost.exe[2216] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BE0000
.text C:\WINDOWS\system32\svchost.exe[2316] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BD000A
.text C:\WINDOWS\system32\svchost.exe[2316] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BD0F83
.text C:\WINDOWS\system32\svchost.exe[2316] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BD0F94
.text C:\WINDOWS\system32\svchost.exe[2316] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BD006E
.text C:\WINDOWS\system32\svchost.exe[2316] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BD0FA5
.text C:\WINDOWS\system32\svchost.exe[2316] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BD0FD1
.text C:\WINDOWS\system32\svchost.exe[2316] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BD009F
.text C:\WINDOWS\system32\svchost.exe[2316] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BD0F57
.text C:\WINDOWS\system32\svchost.exe[2316] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BD0F3C
.text C:\WINDOWS\system32\svchost.exe[2316] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BD00D5
.text C:\WINDOWS\system32\svchost.exe[2316] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BD0F21
.text C:\WINDOWS\system32\svchost.exe[2316] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BD0FB6
.text C:\WINDOWS\system32\svchost.exe[2316] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BD001B
.text C:\WINDOWS\system32\svchost.exe[2316] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BD0F68
.text C:\WINDOWS\system32\svchost.exe[2316] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BD0047
.text C:\WINDOWS\system32\svchost.exe[2316] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BD002C
.text C:\WINDOWS\system32\svchost.exe[2316] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BD00BA
.text C:\WINDOWS\system32\svchost.exe[2316] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006C0FDB
.text C:\WINDOWS\system32\svchost.exe[2316] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006C0087
.text C:\WINDOWS\system32\svchost.exe[2316] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006C002C
.text C:\WINDOWS\system32\svchost.exe[2316] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006C001B
.text C:\WINDOWS\system32\svchost.exe[2316] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006C006C
.text C:\WINDOWS\system32\svchost.exe[2316] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006C0000
.text C:\WINDOWS\system32\svchost.exe[2316] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 006C0FC0
.text C:\WINDOWS\system32\svchost.exe[2316] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [8C, 88]
.text C:\WINDOWS\system32\svchost.exe[2316] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006C0047
.text C:\WINDOWS\system32\svchost.exe[2316] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006B0F9C
.text C:\WINDOWS\system32\svchost.exe[2316] msvcrt.dll!system 77C293C7 5 Bytes JMP 006B0FB7
.text C:\WINDOWS\system32\svchost.exe[2316] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006B0FE3
.text C:\WINDOWS\system32\svchost.exe[2316] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006B0000
.text C:\WINDOWS\system32\svchost.exe[2316] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006B0FD2
.text C:\WINDOWS\system32\svchost.exe[2316] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006B001D
.text C:\WINDOWS\system32\svchost.exe[2316] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 006A0FEF
.text C:\WINDOWS\system32\svchost.exe[2316] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 006A0000
.text C:\WINDOWS\system32\svchost.exe[2316] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 006A0025
.text C:\WINDOWS\system32\svchost.exe[2316] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 006A0036
.text C:\WINDOWS\Explorer.EXE[3180] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001C0FEF
.text C:\WINDOWS\Explorer.EXE[3180] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001C004A
.text C:\WINDOWS\Explorer.EXE[3180] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001C0F55
.text C:\WINDOWS\Explorer.EXE[3180] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001C0F66
.text C:\WINDOWS\Explorer.EXE[3180] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001C0F8D
.text C:\WINDOWS\Explorer.EXE[3180] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001C0F9E
.text C:\WINDOWS\Explorer.EXE[3180] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001C0F1F
.text C:\WINDOWS\Explorer.EXE[3180] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001C0F30
.text C:\WINDOWS\Explorer.EXE[3180] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001C008C
.text C:\WINDOWS\Explorer.EXE[3180] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001C0EF3
.text C:\WINDOWS\Explorer.EXE[3180] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001C00A7
.text C:\WINDOWS\Explorer.EXE[3180] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001C0025
.text C:\WINDOWS\Explorer.EXE[3180] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001C0FCA
.text C:\WINDOWS\Explorer.EXE[3180] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001C005B
.text C:\WINDOWS\Explorer.EXE[3180] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001C0FAF
.text C:\WINDOWS\Explorer.EXE[3180] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001C0000
.text C:\WINDOWS\Explorer.EXE[3180] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001C0F04
.text C:\WINDOWS\Explorer.EXE[3180] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002B001B
.text C:\WINDOWS\Explorer.EXE[3180] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002B006F
.text C:\WINDOWS\Explorer.EXE[3180] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002B0FCA
.text C:\WINDOWS\Explorer.EXE[3180] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002B0000
.text C:\WINDOWS\Explorer.EXE[3180] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002B0FA8
.text C:\WINDOWS\Explorer.EXE[3180] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002B0FEF
.text C:\WINDOWS\Explorer.EXE[3180] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002B004A
.text C:\WINDOWS\Explorer.EXE[3180] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002B0FB9
.text C:\WINDOWS\Explorer.EXE[3180] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002C005D
.text C:\WINDOWS\Explorer.EXE[3180] msvcrt.dll!system 77C293C7 5 Bytes JMP 002C0FD2
.text C:\WINDOWS\Explorer.EXE[3180] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002C0FE3
.text C:\WINDOWS\Explorer.EXE[3180] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002C0000
.text C:\WINDOWS\Explorer.EXE[3180] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002C0042
.text C:\WINDOWS\Explorer.EXE[3180] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002C001D
.text C:\WINDOWS\Explorer.EXE[3180] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 002E0FE5
.text C:\WINDOWS\Explorer.EXE[3180] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 002E0000
.text C:\WINDOWS\Explorer.EXE[3180] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 002E001B
.text C:\WINDOWS\Explorer.EXE[3180] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 002E0FD4
.text C:\WINDOWS\Explorer.EXE[3180] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A50FEF
.text C:\WINDOWS\system32\dllhost.exe[3420] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01060FEF
.text C:\WINDOWS\system32\dllhost.exe[3420] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01060F6D
.text C:\WINDOWS\system32\dllhost.exe[3420] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0106006C
.text C:\WINDOWS\system32\dllhost.exe[3420] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01060F92
.text C:\WINDOWS\system32\dllhost.exe[3420] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01060051
.text C:\WINDOWS\system32\dllhost.exe[3420] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01060FB9
.text C:\WINDOWS\system32\dllhost.exe[3420] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01060F50
.text C:\WINDOWS\system32\dllhost.exe[3420] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01060098
.text C:\WINDOWS\system32\dllhost.exe[3420] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010600C7
.text C:\WINDOWS\system32\dllhost.exe[3420] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01060F2E
.text C:\WINDOWS\system32\dllhost.exe[3420] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01060F09
.text C:\WINDOWS\system32\dllhost.exe[3420] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01060040
.text C:\WINDOWS\system32\dllhost.exe[3420] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01060FCA
.text C:\WINDOWS\system32\dllhost.exe[3420] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01060087
.text C:\WINDOWS\system32\dllhost.exe[3420] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0106001B
.text C:\WINDOWS\system32\dllhost.exe[3420] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0106000A
.text C:\WINDOWS\system32\dllhost.exe[3420] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01060F3F
.text C:\WINDOWS\system32\dllhost.exe[3420] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FF0058
.text C:\WINDOWS\system32\dllhost.exe[3420] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FF0FCD
.text C:\WINDOWS\system32\dllhost.exe[3420] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FF0022
.text C:\WINDOWS\system32\dllhost.exe[3420] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\dllhost.exe[3420] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FF0033
.text C:\WINDOWS\system32\dllhost.exe[3420] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FF0011
.text C:\WINDOWS\system32\dllhost.exe[3420] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0105001B
.text C:\WINDOWS\system32\dllhost.exe[3420] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0105006C
.text C:\WINDOWS\system32\dllhost.exe[3420] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01050FC0
.text C:\WINDOWS\system32\dllhost.exe[3420] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01050000
.text C:\WINDOWS\system32\dllhost.exe[3420] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01050047
.text C:\WINDOWS\system32\dllhost.exe[3420] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01050FEF
.text C:\WINDOWS\system32\dllhost.exe[3420] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01050036
.text C:\WINDOWS\system32\dllhost.exe[3420] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01050FAF
.text C:\WINDOWS\system32\dllhost.exe[3420] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00FE0011
.text C:\WINDOWS\system32\dllhost.exe[3420] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\dllhost.exe[3420] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00FE002C
.text C:\WINDOWS\system32\dllhost.exe[3420] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00FE003D
.text C:\WINDOWS\system32\dllhost.exe[3420] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FD0000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs CtxSbx.sys (Citrix Application Isolation Environment Driver/Citrix Systems, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat CtxSbx.sys (Citrix Application Isolation Environment Driver/Citrix Systems, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A56B618

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
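Reading a GMER log of this length by hand is error-prone, so here is an added example (editor's code, not part of the thread or of GMER) that parses the three kinds of line that matter in the log above: user-mode inline hooks, AttachedDevice entries, and the bare "Device ->" and "File ... suspicious modification" findings. It separates hooks that GMER attributed to a named module (the mcproxy.exe ones carry the owning file and vendor after the JMP target) from hooks that jump to memory GMER could not attribute. The sample log is constructed from lines in the post above; the function and field names are my own.

```python
"""Triage a GMER 1.0.15 log: which user-mode hooks belong to a named module,
which jump into unattributed memory, and which device/file findings remain."""
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the GMER log in this thread.
SAMPLE_GMER = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\dllhost.exe[3420] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010600C7
.text C:\WINDOWS\system32\dllhost.exe[3420] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\dllhost.exe[3420] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FD0000
.text C:\WINDOWS\Explorer.EXE[156] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F10F94
.text C:\WINDOWS\Explorer.EXE[156] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [11, 89]
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[372] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A56B618

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
"""

# ".text <process>[pid] <module>!<export> <addr> <n> Bytes JMP <target> [<owner file> (<description/vendor>)]"
# The trailing owner/description group is present only when GMER resolved the JMP target to a module.
HOOK_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<module>[^!\s]+)!(?P<func>\S+) "
    r"(?P<addr>[0-9A-F]{8}) (?P<nbytes>\d+) Bytes JMP (?P<target>[0-9A-F]{8})"
    r"(?: (?P<owner>.+?) \((?P<desc>[^)]*)\))?$"
)
ATTACHED_RE = re.compile(
    r"^AttachedDevice (?P<stack>\S+) (?P<device>\S+) (?P<driver>\S+) \((?P<desc>[^)]*)\)$"
)
# A "Device ->" line carrying only a raw address means GMER could not map the code
# that owns that device object to any driver it knows about.
DEVICE_RE = re.compile(r"^Device -> (?P<driver>\S+) (?P<device>\S+) (?P<addr>[0-9A-F]{8})$")
FILE_RE = re.compile(r"^File (?P<path>.+?) suspicious modification$")


def parse_gmer(text):
    """Split a GMER log into hook, attachment, device and file findings.

    Lines that match none of the patterns (section headers aside) are kept in
    'unparsed' so that partial-overwrite lines such as 'RegCreateKeyW + 3' are
    not silently dropped.
    """
    out = {"hooks": [], "attached": [], "devices": [], "files": [], "unparsed": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        if (m := HOOK_RE.match(line)):
            out["hooks"].append(m.groupdict())
        elif (m := ATTACHED_RE.match(line)):
            out["attached"].append(m.groupdict())
        elif (m := DEVICE_RE.match(line)):
            out["devices"].append(m.groupdict())
        elif (m := FILE_RE.match(line)):
            out["files"].append(m["path"])
        else:
            out["unparsed"].append(line)
    return out


def triage(parsed):
    """Group hooks per process into attributed vs. unattributed, list the vendors
    sitting on device stacks, and collect the findings to look at first."""
    by_proc = defaultdict(lambda: {"attributed": [], "unattributed": []})
    for h in parsed["hooks"]:
        bucket = "attributed" if h["owner"] else "unattributed"
        by_proc[f'{h["proc"]}[{h["pid"]}]'][bucket].append(
            f'{h["module"]}!{h["func"]}->{h["target"]}'
        )
    # GMER's description field is "<driver description>/<vendor>"; keep the vendor part.
    vendors = sorted({a["desc"].rsplit("/", 1)[-1] for a in parsed["attached"]})
    findings = [
        f'{d["driver"]} device object {d["device"]} resolves to unattributed code at {d["addr"]}'
        for d in parsed["devices"]
    ]
    findings += [f"disk-level scan reports {p} as modified" for p in parsed["files"]]
    return {"by_process": dict(by_proc), "attached_vendors": vendors, "findings": findings}
```

The attachments from McAfee and Citrix drivers on the NTFS, FAT and Tcpip stacks are what those installed products are expected to do. The two findings this helper pulls out, the atapi device object resolving to an unattributed address and the matching "suspicious modification" line for atapi.sys, are the ones hammerman goes after in the next posts. Unattributed user-mode hooks are not proof of infection on their own, since some security products inject code that GMER cannot map back to a module, but they are the first thing to explain when a scan like this comes back.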

#7 hammerman

  • Group: Member
  • Posts: 4,183
  • Joined: 28-November 08

Posted 13 December 2009 - 07:06 PM

Hi,

Please follow these steps.

-- Step 1 --

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent malware removal tools from fixing certain things.
Please disable TeaTimer for now until you are clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.

-- Step 2 --

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O21 - SSODL: huloseger - {6fb0d2c2-bb14-4496-a999-f8f24f158d8d} - CLSID or File not found.
    O22 - SharedTaskScheduler: {6fb0d2c2-bb14-4496-a999-f8f24f158d8d} - kupuhivus - Reg Error: Key error. File not found
    O32 - AutoRun File - [2004/04/30 15:01:14 | 00,000,053 | -HS- | M] () - D:\Autorun.inf -- [ FAT32 ]
    O33 - MountPoints2\{0cf5b3d1-95c0-11db-97a7-806d6172696f}\Shell - "" = AutoRun
    O33 - MountPoints2\{0cf5b3d1-95c0-11db-97a7-806d6172696f}\Shell\AutoRun - "" = Auto&Play
    MsConfig - StartUpReg: hoyuwubom - hkey= - key= - File not found
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • This fix will produce a report. Please add this to your reply.

-- Step 3 --

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    atapi.sys


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

-- Step 4 --

Run OTL
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Custom Scans/Fixes box paste this in the following.

    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop


  • Click on the None button.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open a notepad window, OTL.Txt. This is saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it with your next reply.


#8 Alistair1982

  • Group: Member
  • Posts: 14
  • Joined: 12-December 09

Posted 13 December 2009 - 07:38 PM

OK. I completed Step 1 to turn off TeaTimer.

Step 2 log from OTL:

All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\huloseger deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6fb0d2c2-bb14-4496-a999-f8f24f158d8d}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{6fb0d2c2-bb14-4496-a999-f8f24f158d8d} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6fb0d2c2-bb14-4496-a999-f8f24f158d8d}\ not found.
D:\Autorun.inf moved successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0cf5b3d1-95c0-11db-97a7-806d6172696f}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0cf5b3d1-95c0-11db-97a7-806d6172696f}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0cf5b3d1-95c0-11db-97a7-806d6172696f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0cf5b3d1-95c0-11db-97a7-806d6172696f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\hoyuwubom\ deleted successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Ali
->Temp folder emptied: 8399187 bytes
->Temporary Internet Files folder emptied: 366721 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 60145547 bytes

User: All Users

User: Ctx_StreamingSvc
->Temp folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 3396222 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 14179169 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 82.48 mb


OTL by OldTimer - Version 3.1.16.0 log created on 12132009_173135

Files\Folders moved on Reboot...
C:\WINDOWS\temp\fla203.tmp moved successfully.
C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\MBNV8GAL\controller[1] moved successfully.
C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\IUTKGUX0\controller[1] moved successfully.
C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\IUTKGUX0\join[1].php moved successfully.

Registry entries deleted on Reboot...

#9 Alistair1982

  • Group: Member
  • Posts: 14
  • Joined: 12-December 09

Posted 13 December 2009 - 07:42 PM

Step 3: SystemLook log


SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 17:39 on 13/12/2009 by Ali (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [17:26 01/06/2008] [06:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ServicePackFiles\i386\atapi.sys -----c 96512 bytes [17:21 01/06/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [14:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0010\DriverFiles\i386\atapi.sys --a--c 95360 bytes [21:15 06/11/2006] [14:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-

#10 Alistair1982

  • Group: Member
  • Posts: 14
  • Joined: 12-December 09

Posted 13 December 2009 - 07:43 PM

Step 4: OTL log


OTL logfile created on: 12/13/2009 5:41:00 PM - Run 3
OTL by OldTimer - Version 3.1.16.0 Folder = C:\Documents and Settings\Ali\Desktop\Anti Malware Programs
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.29 Gb Available Physical Memory | 64.86% Memory free
3.33 Gb Paging File | 2.75 Gb Available in Paging File | 82.57% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 96.91 Gb Total Space | 45.28 Gb Free Space | 46.72% Space Free | Partition Type: NTFS
Drive D: | 13.86 Gb Total Space | 1.02 Gb Free Space | 7.38% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 580.61 Gb Total Space | 196.81 Gb Free Space | 33.90% Space Free | Partition Type: NTFS

Computer Name: SILVERSTREAK
Current User Name: Ali
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Custom Scans ==========



< MD5 for: AGP440.SYS >
[2008/04/13 10:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 10:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/04 07:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2008/04/13 10:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 10:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 22:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/04 06:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0010\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 16:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 16:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/10 07:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: IASTOR.SYS >
[2005/10/13 01:07:12 | 00,874,240 | ---- | M] (Intel Corporation) MD5=309C4D86D989FB1FCF64BD30DC81C51B -- C:\SWSETUP\HDD\iastor.sys
[2005/10/13 01:07:12 | 00,874,240 | ---- | M] (Intel Corporation) MD5=309C4D86D989FB1FCF64BD30DC81C51B -- C:\WINDOWS\system32\drivers\iaStor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 16:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 16:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/10 07:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/10 07:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 16:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 16:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll
< End of report >
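The two logs above reach the same answer: the atapi.sys under system32\drivers has the same size and MD5 as the SP3 install-source copy under ServicePackFiles\i386, while the older 95,360-byte copies are the pre-SP3 version kept for uninstall. As an added example (editor's code, not part of the thread, SystemLook or OTL), here is a script that performs the same comparison offline and then interprets it. The reference hash is the SP3 atapi.sys MD5 reported by both tools above; it is taken from this thread's logs, not from an independent source, and the sample input is constructed from the SystemLook output in post #9. The verdict step is there for the situation this thread is in: the hashes agree, yet GMER's disk-level scan still reports the file as suspiciously modified.

```python
"""Check whether the live atapi.sys matches the SP3 install-source copy.

Reproduces the SystemLook ':filefind' / OTL '/md5start' comparison from the
thread, and adds a verdict for the case where hashes match but a disk-level
scanner such as GMER still flags the file.
"""
import hashlib
import re
from dataclasses import dataclass

# MD5 of the Windows XP SP3 atapi.sys as reported by SystemLook and OTL in this
# thread for C:\WINDOWS\ServicePackFiles\i386\atapi.sys (taken from the logs, not verified independently).
SP3_ATAPI_MD5 = "9F3A2F5AA6875C72BF062C712CFA2674"

# Constructed sample in SystemLook's ':filefind' output format, values copied from the log above.
SAMPLE_SYSTEMLOOK = r"""
Searching for "atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [17:26 01/06/2008] [06:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ServicePackFiles\i386\atapi.sys -----c 96512 bytes [17:21 01/06/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [14:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0010\DriverFiles\i386\atapi.sys --a--c 95360 bytes [21:15 06/11/2006] [14:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
"""

# "<path> <6 attribute flags> <size> bytes [<created>] [<modified>] <MD5>"
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass
class FileRecord:
    path: str
    size: int
    md5: str


def parse_filefind(text):
    """Return one FileRecord per result line; the header and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(FileRecord(m["path"], int(m["size"]), m["md5"].upper()))
    return records


def md5_bytes(data, chunk=1 << 16):
    """Upper-case MD5 of an in-memory buffer, hashed in the same chunks md5_file uses."""
    h = hashlib.md5()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest().upper()


def md5_file(path, chunk=1 << 16):
    """Upper-case MD5 of a file read through the running OS (see the caveat in verdict)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


def compare_live_to_source(records):
    """Pair the active driver (under system32/drivers) with the install-source
    copy (under ServicePackFiles/i386); the uninstall backups are ignored on
    purpose because they are legitimately the older pre-SP3 build."""
    live = next((r for r in records if "\\system32\\drivers\\" in r.path.lower()), None)
    source = next((r for r in records if "\\servicepackfiles\\i386\\" in r.path.lower()), None)
    if live is None or source is None:
        return None
    return {
        "live": live.path,
        "source": source.path,
        "same_size": live.size == source.size,
        "same_md5": live.md5 == source.md5,
        "source_is_known_sp3": source.md5 == SP3_ATAPI_MD5,
    }


def verdict(pair, disk_scanner_flagged):
    """Turn the comparison into an action."""
    if pair is None:
        return "incomplete: need both the live driver and an install-source copy"
    if not pair["same_md5"]:
        return "replace: live driver differs from the install-source copy"
    if disk_scanner_flagged:
        # A hash computed through the running kernel only proves what that kernel
        # let us read. If a kernel-mode component filters reads of the file, every
        # user-mode hash tool sees clean bytes while what is loaded differs. Re-hash
        # the file from offline boot media before trusting the match.
        return "hash matches but disk-level scanner disagrees: verify from offline boot media"
    return "clean: live driver matches the install-source copy"
```

Run it against a real machine by feeding `md5_file(r"C:\WINDOWS\system32\drivers\atapi.sys")` into a FileRecord in place of the sample, and pass `disk_scanner_flagged=True` whenever GMER prints a "suspicious modification" line for the same file.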

#11 hammerman

  • Group: Member
  • Posts: 4,183
  • Joined: 28-November 08

Posted 13 December 2009 - 07:55 PM

Hi,

Please follow these steps.

-- Step 1 --

Go to Start -> Run... and enter notepad
Copy/paste the contents of the following code box into notepad.

@ECHO OFF
REM Stage the SP3 install-source copy of atapi.sys at the root of C: so The Avenger can move it over the live driver on reboot
copy C:\WINDOWS\ServicePackFiles\i386\atapi.sys C:\atapi.sys
REM Remove this batch file once it has run
DEL %0


In notepad, select File -> Save As... and in the dropdown box set Save as type: to All Files
Save the file as fcopy.bat on your desktop
Close notepad and double-click on fcopy.bat. A small black box may appear - this is normal.

-- Step 2 --

1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:
Files to move:
c:\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

-- Step 3 --

Run a GMER scan and post the log.

#12 Alistair1982

  • Group: Member
  • Posts: 14
  • Joined: 12-December 09

Posted 13 December 2009 - 08:08 PM

Avenger log:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not move file "c:\atapi.sys"
File move operation "c:\atapi.sys|C:\WINDOWS\system32\drivers\atapi.sys" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Completed script processing.

*******************

Finished! Terminate.

Running GMER next. Will post.

#13 Alistair1982

  • Group: Member
  • Posts: 14
  • Joined: 12-December 09

Posted 14 December 2009 - 02:31 AM

GMER log:

GMER 1.0.15.15279 - http://www.gmer.net
Rootkit scan 2009-12-14 00:30:25
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Ali\LOCALS~1\Temp\ufloiaog.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA212878A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xA2128821]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA2128738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA212874C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA2128835]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA2128861]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xA21288CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xA21288B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA21287CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xA21288FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA212880D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA2128710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA2128724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA212879E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xA2128937]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xA21288A3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xA212888D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA212884B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xA2128923]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xA212890F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA2128776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA2128762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xA2128877]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA21287F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xA21288E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA21287E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA21287B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP A21287B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP A212878E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2004 7 Bytes JMP A21287CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E12 5 Bytes JMP A21287E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E8 7 Bytes JMP A21287A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB40A 5 Bytes JMP A2128714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB696 5 Bytes JMP A2128728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE54 5 Bytes JMP A2128766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1144 7 Bytes JMP A2128750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11FA 5 Bytes JMP A212873C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1704 5 Bytes JMP A212877A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AC 5 Bytes JMP A21287FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 806219EA 7 Bytes JMP A2128891 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D38 7 Bytes JMP A212887B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80622062 2 Bytes JMP A21288E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey + 3 80622065 4 Bytes [B0, 21, 90, 90] {MOV AL, 0x21; NOP ; NOP }
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80622900 7 Bytes JMP A21288A7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231D4 7 Bytes JMP A212884F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806237B2 5 Bytes JMP A2128825 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C42 7 Bytes JMP A2128839 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E12 7 Bytes JMP A2128865 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF2 7 Bytes JMP A21288D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062425C 7 Bytes JMP A21288BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624B84 5 Bytes JMP A2128811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80624EAA 7 Bytes JMP A212893B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8062516A 5 Bytes JMP A2128913 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8062585E 5 Bytes JMP A2128927 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80625978 5 Bytes JMP A21288FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? tktlqmz.sys The system cannot find the file specified. !
init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xB8A51EBF]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[156] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F20FEF
.text C:\WINDOWS\Explorer.EXE[156] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F2006C
.text C:\WINDOWS\Explorer.EXE[156] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F20F77
.text C:\WINDOWS\Explorer.EXE[156] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F20F92
.text C:\WINDOWS\Explorer.EXE[156] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F20051
.text C:\WINDOWS\Explorer.EXE[156] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F20FCA
.text C:\WINDOWS\Explorer.EXE[156] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F20F3A
.text C:\WINDOWS\Explorer.EXE[156] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F20F4B
.text C:\WINDOWS\Explorer.EXE[156] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F200D3
.text C:\WINDOWS\Explorer.EXE[156] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F200AE
.text C:\WINDOWS\Explorer.EXE[156] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F20F15
.text C:\WINDOWS\Explorer.EXE[156] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F20FAF
.text C:\WINDOWS\Explorer.EXE[156] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F2000A
.text C:\WINDOWS\Explorer.EXE[156] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F20F5C
.text C:\WINDOWS\Explorer.EXE[156] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F2002C
.text C:\WINDOWS\Explorer.EXE[156] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F2001B
.text C:\WINDOWS\Explorer.EXE[156] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F2009D
.text C:\WINDOWS\Explorer.EXE[156] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F1001B
.text C:\WINDOWS\Explorer.EXE[156] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F10F6F
.text C:\WINDOWS\Explorer.EXE[156] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F1000A
.text C:\WINDOWS\Explorer.EXE[156] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F10FD4
.text C:\WINDOWS\Explorer.EXE[156] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F1002C
.text C:\WINDOWS\Explorer.EXE[156] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F10FEF
.text C:\WINDOWS\Explorer.EXE[156] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F10F94
.text C:\WINDOWS\Explorer.EXE[156] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [11, 89]
.text C:\WINDOWS\Explorer.EXE[156] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F10FA5
.text C:\WINDOWS\Explorer.EXE[156] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F00FAB
.text C:\WINDOWS\Explorer.EXE[156] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F00FBC
.text C:\WINDOWS\Explorer.EXE[156] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F00011
.text C:\WINDOWS\Explorer.EXE[156] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F00FE3
.text C:\WINDOWS\Explorer.EXE[156] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F0002C
.text C:\WINDOWS\Explorer.EXE[156] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F00000
.text C:\WINDOWS\Explorer.EXE[156] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00EF001B
.text C:\WINDOWS\Explorer.EXE[156] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00EF0000
.text C:\WINDOWS\Explorer.EXE[156] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00EF002C
.text C:\WINDOWS\Explorer.EXE[156] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00EF0049
.text C:\WINDOWS\Explorer.EXE[156] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DA0000
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[372] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[372] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\svchost.exe[596] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BB0000
.text C:\WINDOWS\system32\svchost.exe[596] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BB0F72
.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BD0F69
.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BD0F86
.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BD0FB2
.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BD0F31
.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BD0079
.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BD00A8
.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BD0F05
.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BD00B9
.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BD0F97
.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BD0F4E
.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BD0FC3
.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BD0FDE
.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BD0F16
.text C:\WINDOWS\system32\svchost.exe[2640] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006C0FAF
.text C:\WINDOWS\system32\svchost.exe[2640] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006C0F57
.text C:\WINDOWS\system32\svchost.exe[2640] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006C0FC0
.text C:\WINDOWS\system32\svchost.exe[2640] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006C0FDB
.text C:\WINDOWS\system32\svchost.exe[2640] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006C0F68
.text C:\WINDOWS\system32\svchost.exe[2640] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006C0000
.text C:\WINDOWS\system32\svchost.exe[2640] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 006C0F79
.text C:\WINDOWS\system32\svchost.exe[2640] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [8C, 88]
.text C:\WINDOWS\system32\svchost.exe[2640] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006C0F94
.text C:\WINDOWS\system32\svchost.exe[2640] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006B002C
.text C:\WINDOWS\system32\svchost.exe[2640] msvcrt.dll!system 77C293C7 5 Bytes JMP 006B001B
.text C:\WINDOWS\system32\svchost.exe[2640] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006B0FC6
.text C:\WINDOWS\system32\svchost.exe[2640] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006B0FEF
.text C:\WINDOWS\system32\svchost.exe[2640] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006B0FB5
.text C:\WINDOWS\system32\svchost.exe[2640] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006B0000
.text C:\WINDOWS\system32\svchost.exe[2640] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 006A0FD4
.text C:\WINDOWS\system32\svchost.exe[2640] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 006A0FEF
.text C:\WINDOWS\system32\svchost.exe[2640] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 006A0016
.text C:\WINDOWS\system32\svchost.exe[2640] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 006A0FB9
.text C:\WINDOWS\system32\dllhost.exe[3744] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01060000
.text C:\WINDOWS\system32\dllhost.exe[3744] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0106008B
.text C:\WINDOWS\system32\dllhost.exe[3744] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0106007A
.text C:\WINDOWS\system32\dllhost.exe[3744] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01060069
.text C:\WINDOWS\system32\dllhost.exe[3744] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01060FAC
.text C:\WINDOWS\system32\dllhost.exe[3744] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0106003D
.text C:\WINDOWS\system32\dllhost.exe[3744] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01060F4A
.text C:\WINDOWS\system32\dllhost.exe[3744] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01060F65
.text C:\WINDOWS\system32\dllhost.exe[3744] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010600C8
.text C:\WINDOWS\system32\dllhost.exe[3744] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 010600B7
.text C:\WINDOWS\system32\dllhost.exe[3744] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 010600E3
.text C:\WINDOWS\system32\dllhost.exe[3744] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0106004E
.text C:\WINDOWS\system32\dllhost.exe[3744] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0106001B
.text C:\WINDOWS\system32\dllhost.exe[3744] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0106009C
.text C:\WINDOWS\system32\dllhost.exe[3744] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01060FDB
.text C:\WINDOWS\system32\dllhost.exe[3744] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0106002C
.text C:\WINDOWS\system32\dllhost.exe[3744] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01060F39
.text C:\WINDOWS\system32\dllhost.exe[3744] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FF004C
.text C:\WINDOWS\system32\dllhost.exe[3744] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FF0FC1
.text C:\WINDOWS\system32\dllhost.exe[3744] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FF0FD2
.text C:\WINDOWS\system32\dllhost.exe[3744] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\dllhost.exe[3744] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FF0031
.text C:\WINDOWS\system32\dllhost.exe[3744] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\dllhost.exe[3744] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01050014
.text C:\WINDOWS\system32\dllhost.exe[3744] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01050FA8
.text C:\WINDOWS\system32\dllhost.exe[3744] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01050FC3
.text C:\WINDOWS\system32\dllhost.exe[3744] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01050FD4
.text C:\WINDOWS\system32\dllhost.exe[3744] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0105006F
.text C:\WINDOWS\system32\dllhost.exe[3744] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01050FE5
.text C:\WINDOWS\system32\dllhost.exe[3744] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01050054
.text C:\WINDOWS\system32\dllhost.exe[3744] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0105002F
.text C:\WINDOWS\system32\dllhost.exe[3744] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00FE0025
.text C:\WINDOWS\system32\dllhost.exe[3744] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\dllhost.exe[3744] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00FE0042
.text C:\WINDOWS\system32\dllhost.exe[3744] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00FE0053
.text C:\WINDOWS\system32\dllhost.exe[3744] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FD0000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs CtxSbx.sys (Citrix Application Isolation Environment Driver/Citrix Systems, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat CtxSbx.sys (Citrix Application Isolation Environment Driver/Citrix Systems, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A5B1618

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
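An added example, not part of the thread or of GMER: a small Python triage that parses the Devices and Files sections of a GMER 1.0.15 log like the one above and correlates a redirected disk device object with a modified driver file. The sample log is a constructed excerpt of the posted log, and the section header and line formats are assumed to be as GMER printed them here.

```python
import re
from collections import defaultdict

# Constructed excerpt in GMER 1.0.15 log format, mirroring the Devices and
# Files sections of the log posted in this thread (not the full log).
SAMPLE_LOG = r"""---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
Device -> \Driver\atapi \Device\Harddisk0\DR0 8A5B1618
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
DEVICE_RE = re.compile(r"^Device -> (?P<driver>\\\S+) (?P<device>\\\S+) (?P<addr>[0-9A-F]{8})$")
FILE_RE = re.compile(r"^File (?P<path>.+?) suspicious modification$")


def parse_sections(text):
    """Group non-empty log lines under their '---- Name - GMER x.y.z ----' header."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
        elif current and line.strip():
            sections[current].append(line)
    return sections


def triage(text):
    """Return (kind, detail) findings an analyst would pull out of a GMER log."""
    sections = parse_sections(text)
    hooked, modified = {}, {}
    for line in sections.get("Devices", []):
        m = DEVICE_RE.match(line)
        # 'Device ->' marks a device object GMER flags as redirected; key it by
        # the owning driver's short name (\Driver\atapi -> atapi).
        if m:
            hooked[m.group("driver").rsplit("\\", 1)[-1].lower()] = m.group("device")
    for line in sections.get("Files", []):
        m = FILE_RE.match(line)
        if m:  # key by file stem so atapi.sys lines up with \Driver\atapi
            modified[re.split(r"[\\/]", m.group("path"))[-1].lower().rsplit(".", 1)[0]] = m.group("path")
    findings = [("redirected_device", f"{d}: {dev}") for d, dev in hooked.items()]
    findings += [("modified_system_file", p) for p in modified.values()]
    # Same driver modified on disk and owning a redirected disk device object: escalate.
    for d in hooked.keys() & modified.keys():
        if "Harddisk" in hooked[d]:
            findings.append(("disk_stack_rootkit", f"{d}: {modified[d]} -> {hooked[d]}"))
    return findings
```

A log with only vendor AttachedDevice entries and no modified files yields no findings, so the correlation step is what separates this thread's log from a clean one.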

#14 hammerman

  • Group: Member
  • Posts: 4,183
  • Joined: 28-November 08

Posted 14 December 2009 - 07:49 AM

Hi,

Do you have your Windows XP CD?

Please follow these steps.

-- Step 1 --

Run Avenger with this script and post the log.

Begin copying here:
Files to move:
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys


-- Step 2 --

Please download BootCheck.exe to your desktop.
  • Double click BootCheck.exe to run the check
  • When complete, a Notepad window will open with a report
  • Please copy and paste the contents of this report in your next reply


#15 Alistair1982

  • Group: Member
  • Posts: 14
  • Joined: 12-December 09

Posted 14 December 2009 - 12:59 PM

Unfortunately I don't think this PC came with the actual CD, though I can look again when I get home from work. When I got it from the manufacturer it just had a recommendation to make a restore CD, which of course I never did. I kept everything from when it was shipped, so I will look again just to verify.

Avenger Log:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not move file "C:\WINDOWS\$NtServicePackUninstall$\atapi.sys"
File move operation "C:\WINDOWS\$NtServicePackUninstall$\atapi.sys|C:\WINDOWS\system32\drivers\atapi.sys" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Completed script processing.

*******************

Finished! Terminate.

BOOTCHECK LOG:

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !

Contents of C:\boot.ini:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
