EPOCLICK - please help!!!


shoppie

:)

  • Download OTL to your desktop.
  • Double-click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTListIt2.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**

These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.


Maybe I did something wrong but OTL only gave me one file "OTL.TXT"

OTL logfile created on: 11/14/2010 10:55:26 AM - Run 2

OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Shoppie's\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 82.00% Memory free

5.00 Gb Paging File | 4.00 Gb Available in Paging File | 88.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 232.84 Gb Total Space | 127.34 Gb Free Space | 54.69% Space Free | Partition Type: NTFS

Computer Name: SHOPPIE-LAP | User Name: Shoppie's | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Shoppie's\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\Common Files\Mcafee\SystemCore\mfefire.exe (McAfee, Inc.)

PRC - C:\Program Files\Common Files\Mcafee\SystemCore\mfevtps.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)

PRC - C:\Program Files\Common Files\Mcafee\SystemCore\mcshield.exe (McAfee, Inc.)

PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)

PRC - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)

PRC - C:\Program Files\Application Updater\ApplicationUpdater.exe (Spigot, Inc.)

PRC - C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)

PRC - c:\drivers\audio\R211990\stacsv.exe (IDT, Inc.)

PRC - C:\WINDOWS\system32\AESTFltr.exe (Andrea Electronics Corporation)

PRC - C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)

PRC - C:\WINDOWS\system32\drivers\o2flash.exe (O2Micro International)

PRC - C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe (Adobe Systems Incorporated)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe (Creative Technology Ltd.)

PRC - C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)

PRC - C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Shoppie's\Desktop\OTL.exe (OldTimer Tools)

MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (HidServ) -- C:\WINDOWS\System32\hidserv.dll File not found

SRV - (mfefire) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe (McAfee, Inc.)

SRV - (mfevtp) -- C:\Program Files\Common Files\Mcafee\SystemCore\mfevtps.exe (McAfee, Inc.)

SRV - (McODS) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)

SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)

SRV - (McShield) -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe ()

SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)

SRV - (WPFFontCache_v0400) -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe (Microsoft Corporation)

SRV - (clr_optimization_v4.0.30319_32) -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)

SRV - (McProxy) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)

SRV - (McNASvc) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)

SRV - (McNaiAnn) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)

SRV - (mcmscsvc) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)

SRV - (McMPFSvc) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)

SRV - (McAfee SiteAdvisor Service) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)

SRV - (Application Updater) -- C:\Program Files\Application Updater\ApplicationUpdater.exe (Spigot, Inc.)

SRV - (ICDSPTSV) -- C:\WINDOWS\system32\IcdSptSv.exe (Sony Corporation)

SRV - (STacSV) -- c:\drivers\audio\R211990\stacsv.exe (IDT, Inc.)

SRV - (O2FLASH) -- C:\WINDOWS\system32\drivers\o2flash.exe (O2Micro International)

SRV - (AdobeActiveFileMonitor7.0) -- C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe (Adobe Systems Incorporated)

SRV - (WinDefend) -- C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)

SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\HPZipm12.exe (HP)

========== Driver Services (SafeList) ==========

DRV - (catchme) -- C:\DOCUME~1\SHOPPI~1\LOCALS~1\Temp\catchme.sys File not found

DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)

DRV - (mfefirek) -- C:\WINDOWS\system32\drivers\mfefirek.sys (McAfee, Inc.)

DRV - (mfeavfk) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)

DRV - (mfeapfk) -- C:\WINDOWS\system32\drivers\mfeapfk.sys (McAfee, Inc.)

DRV - (mfendiskmp) -- C:\WINDOWS\system32\drivers\mfendisk.sys (McAfee, Inc.)

DRV - (mfendisk) -- C:\WINDOWS\system32\drivers\mfendisk.sys (McAfee, Inc.)

DRV - (mferkdet) -- C:\WINDOWS\system32\drivers\mferkdet.sys (McAfee, Inc.)

DRV - (mfetdi2k) -- C:\WINDOWS\system32\drivers\mfetdi2k.sys (McAfee, Inc.)

DRV - (cfwids) -- C:\WINDOWS\system32\drivers\cfwids.sys (McAfee, Inc.)

DRV - (mfebopk) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)

DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (IDT, Inc.)

DRV - (AESTAud) -- C:\WINDOWS\system32\drivers\AESTAud.sys (Andrea Electronics Corporation)

DRV - (RTLE8023xp) -- C:\WINDOWS\system32\drivers\Rtenicxp.sys (Realtek Semiconductor Corporation )

DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)

DRV - (O2MDGRDR) -- C:\WINDOWS\system32\drivers\o2mdg.sys (O2Micro )

DRV - (BCM43XX) -- C:\WINDOWS\system32\drivers\BCMWL5.SYS (Broadcom Corporation)

DRV - (iastor) -- C:\WINDOWS\system32\drivers\iastor.sys (Intel Corporation)

DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)

DRV - (DLADResM) -- C:\WINDOWS\system32\drivers\DLADResM.SYS (Roxio)

DRV - (DLABMFSM) -- C:\WINDOWS\system32\drivers\DLABMFSM.SYS (Roxio)

DRV - (DLAUDF_M) -- C:\WINDOWS\system32\drivers\DLAUDF_M.SYS (Roxio)

DRV - (DLAUDFAM) -- C:\WINDOWS\system32\drivers\DLAUDFAM.SYS (Roxio)

DRV - (DLAOPIOM) -- C:\WINDOWS\system32\drivers\DLAOPIOM.SYS (Roxio)

DRV - (DLABOIOM) -- C:\WINDOWS\system32\drivers\DLABOIOM.SYS (Roxio)

DRV - (DLAPoolM) -- C:\WINDOWS\system32\drivers\DLAPoolM.SYS (Roxio)

DRV - (DLAIFS_M) -- C:\WINDOWS\system32\drivers\DLAIFS_M.SYS (Roxio)

DRV - (DRVMCDB) -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS (Sonic Solutions)

DRV - (DLARTL_M) -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS (Roxio)

DRV - (DLACDBHM) -- C:\WINDOWS\System32\Drivers\DLACDBHM.SYS (Roxio)

DRV - (DRVNDDM) -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS (Roxio)

DRV - (ICDUSB2) Sony IC Recorder (P) -- C:\WINDOWS\system32\drivers\IcdUsb2.sys (Sony Corporation)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.com/

IE - HKCU\..\URLSearchHook: {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - Reg Error: Key error. File not found

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/11/02 15:35:49 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2010/11/13 14:22:23 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Zynga Toolbar) - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyng.dll (Conduit Ltd.)

O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\Mcafee\SystemCore\ScriptSn.20101102163737.dll (McAfee, Inc.)

O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (Google Inc.)

O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)

O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)

O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)

O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O3 - HKLM\..\Toolbar: (Zynga Toolbar) - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyng.dll (Conduit Ltd.)

O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)

O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.

O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O3 - HKCU\..\Toolbar\WebBrowser: (Zynga Toolbar) - {7B13EC3E-999A-4B70-B9CB-2617B8323822} - C:\Program Files\Zynga\tbZyng.dll (Conduit Ltd.)

O3 - HKCU\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)

O4 - HKLM..\Run: [AESTFltr] C:\WINDOWS\System32\AESTFltr.exe (Andrea Electronics Corporation)

O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe (Apple Inc.)

O4 - HKLM..\Run: [DELL Webcam Manager] C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe (Creative Technology Ltd.)

O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)

O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)

O4 - HKLM..\Run: [NVHotkey] C:\WINDOWS\System32\nvhotkey.dll (NVIDIA Corporation)

O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)

O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()

O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)

O4 - HKLM..\Run: [searchSettings] C:\Program Files\YouTube Downloader Toolbar\SearchSettings.exe (Spigot, Inc.)

O4 - HKLM..\Run: [sysTrayApp] C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)

O4 - HKCU..\Run: [iSUSPM] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)

O4 - Startup: C:\Documents and Settings\Shoppie's\Start Menu\Programs\Startup\Picaboo.lnk = C:\Program Files\Picaboo\Picaboo\PicabooMain.exe (Picaboo)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/production/ieawsdc32.cab (Microsoft Office Template and Media Control)

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1279116965859 (MUWebControl Class)

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab (HP Download Manager)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_22)

O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_22)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_22)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} http://www.disneyphotopass.com/software/ImageUploader4.cab (Image Uploader Control)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 213.109.65.44

O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)

O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O24 - Desktop WallPaper: C:\Documents and Settings\Shoppie's\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\Shoppie's\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2010/07/14 07:59:49 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = ComFile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/11/14 10:48:31 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Shoppie's\Desktop\OTL.exe

[2010/11/13 14:17:18 | 000,000,000 | RHSD | C] -- C:\cmdcons

[2010/11/13 14:13:00 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2010/11/13 14:13:00 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2010/11/13 14:13:00 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2010/11/13 14:13:00 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe

[2010/11/13 14:12:54 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

[2010/11/13 14:12:53 | 000,000,000 | --SD | C] -- C:\ComboFix

[2010/11/13 14:12:22 | 000,000,000 | ---D | C] -- C:\Qoobox

[2010/11/13 13:27:12 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java

[2010/11/13 13:27:03 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe

[2010/11/13 13:27:03 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe

[2010/11/13 13:27:03 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe

[2010/11/13 13:27:03 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl

[2010/11/13 13:19:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt

[2010/11/13 10:57:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage

[2010/11/13 10:56:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Shoppie's\Application Data\Office Genuine Advantage

[2010/11/13 09:34:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Shoppie's\Application Data\Malwarebytes

[2010/11/13 09:34:14 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/11/13 09:34:13 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2010/11/13 09:34:13 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2010/11/13 09:34:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2010/11/13 09:24:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Shoppie's\Application Data\ElevatedDiagnostics

[2010/11/13 09:24:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\windowspowershell

[2010/11/13 08:53:57 | 000,222,080 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe

[2010/11/13 08:52:56 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Defender

[2010/11/13 08:42:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-TW

[2010/11/13 08:42:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-HK

[2010/11/13 08:42:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\tr-TR

[2010/11/13 08:42:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\sv-SE

[2010/11/13 08:42:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\pt-BR

[2010/11/13 08:42:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\nl-NL

[2010/11/13 08:42:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\nb-NO

[2010/11/13 08:42:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ko-KR

[2010/11/13 08:42:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\it-IT

[2010/11/13 08:42:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\he-IL

[2010/11/13 08:42:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\fr-FR

[2010/11/13 08:42:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\fi-FI

[2010/11/13 08:42:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\es-ES

[2010/11/13 08:42:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\el-GR

[2010/11/13 08:42:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\de-DE

[2010/11/13 08:42:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\da-DK

[2010/11/13 08:42:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ar-SA

[2010/11/11 06:07:02 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8

[2010/10/31 16:58:40 | 000,031,744 | ---- | C] (Sony Corporation) -- C:\WINDOWS\System32\drivers\ICDSX.sys

[2010/10/31 16:58:23 | 000,039,048 | ---- | C] (Sony Corporation) -- C:\WINDOWS\System32\drivers\IcdUsb2.sys

[2010/10/31 16:58:21 | 000,026,409 | ---- | C] (Sony Corporation) -- C:\WINDOWS\System32\drivers\Icdusb.sys

[2010/10/31 16:58:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\RegisteredPackages

[2010/10/31 16:57:48 | 000,052,096 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\msdv.sys

[2010/10/31 16:57:48 | 000,052,096 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msdv.sys

[2010/10/31 16:57:48 | 000,015,104 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\mpe.sys

[2010/10/31 16:57:48 | 000,015,104 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mpe.sys

[2010/10/31 16:57:48 | 000,011,392 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\bdasup.sys

[2010/10/31 16:57:48 | 000,011,392 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\bdasup.sys

[2010/10/31 16:57:47 | 000,016,896 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\bdaplgin.ax

[2010/10/31 16:57:47 | 000,016,896 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\bdaplgin.ax

[2010/10/31 16:57:47 | 000,012,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ksolay.ax

[2010/10/31 16:57:44 | 000,046,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dxdllreg.exe

[2010/10/31 16:57:44 | 000,031,744 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pid.dll

[2010/10/31 16:57:34 | 001,656,168 | R--- | C] (Sony Corporation) -- C:\WINDOWS\System32\IcdShlex.dll

[2010/10/31 16:57:34 | 001,340,656 | R--- | C] (Gracenote, Inc.) -- C:\WINDOWS\System32\CDDBControlSony.dll

[2010/10/31 16:57:34 | 001,029,360 | R--- | C] (Gracenote) -- C:\WINDOWS\System32\CDDBUISony.dll

[2010/10/31 16:57:34 | 000,586,992 | R--- | C] (Gracenote) -- C:\WINDOWS\System32\CddbLinkSony.dll

[2010/10/31 16:57:34 | 000,214,376 | R--- | C] (Sony Corporation) -- C:\WINDOWS\System32\ICDFConv.dll

[2010/10/31 16:57:34 | 000,132,456 | R--- | C] (Sony Corporation) -- C:\WINDOWS\System32\IcdYsys.dll

[2010/10/31 16:57:34 | 000,066,920 | R--- | C] (Sony Corporation) -- C:\WINDOWS\System32\DSConv.dll

[2010/10/31 16:57:34 | 000,062,824 | R--- | C] (Sony Corporation) -- C:\WINDOWS\System32\StrmOut.dll

[2010/10/31 16:57:33 | 000,573,440 | R--- | C] (http://www.id3lib.org/) -- C:\WINDOWS\System32\id3lib.dll

[2010/10/31 16:57:33 | 000,348,160 | R--- | C] (Sony Corporation) -- C:\WINDOWS\System32\MP3Enc.dll

[2010/10/31 16:57:33 | 000,329,064 | R--- | C] (Sony corporation) -- C:\WINDOWS\System32\LPEC.dll

[2010/10/31 16:57:33 | 000,322,920 | R--- | C] (Sony Corporation) -- C:\WINDOWS\System32\IcdXa.dll

[2010/10/31 16:57:33 | 000,255,336 | R--- | C] (Sony Corporation) -- C:\WINDOWS\System32\IcdStor2.dll

[2010/10/31 16:57:33 | 000,238,952 | R--- | C] (Sony Corporation) -- C:\WINDOWS\System32\IcdComm4.dll

[2010/10/31 16:57:33 | 000,226,664 | R--- | C] (Sony Corporation) -- C:\WINDOWS\System32\IcdComm3.dll

[2010/10/31 16:57:33 | 000,226,664 | R--- | C] (Sony Corporation) -- C:\WINDOWS\System32\IcdComm2.dll

[2010/10/31 16:57:33 | 000,136,552 | R--- | C] (Sony Corporation) -- C:\WINDOWS\System32\IcdSConv.dll

[2010/10/31 16:57:33 | 000,120,168 | R--- | C] (Sony Corporation) -- C:\WINDOWS\System32\spiccDve.dll

[2010/10/31 16:57:33 | 000,120,168 | R--- | C] (Sony Corporation) -- C:\WINDOWS\System32\spicc.dll

[2010/10/31 16:57:33 | 000,107,880 | R--- | C] (Sony Corporation) -- C:\WINDOWS\System32\IcdMSCom.dll

[2010/10/31 16:57:33 | 000,099,688 | R--- | C] (Sony Corporation) -- C:\WINDOWS\System32\IcdSptSv.exe

[2010/10/31 16:57:33 | 000,079,208 | R--- | C] (Sony Corporation) -- C:\WINDOWS\System32\IcdSpiDve.dll

[2010/10/31 16:57:33 | 000,079,208 | R--- | C] (Sony Corporation) -- C:\WINDOWS\System32\IcdSpi.dll

[2010/10/31 16:57:33 | 000,071,016 | R--- | C] (Sony corporation) -- C:\WINDOWS\System32\rcnv2.dll

[2010/10/31 16:57:33 | 000,062,824 | R--- | C] (Sony Corporation) -- C:\WINDOWS\System32\icdcomm.dll

[2010/10/31 16:57:33 | 000,034,152 | R--- | C] ( Sony/AC???) -- C:\WINDOWS\System32\spc.dll

[2010/10/31 16:57:33 | 000,021,864 | R--- | C] (Sony Corporation) -- C:\WINDOWS\System32\IcdShare.dll

[2010/10/31 16:57:32 | 000,099,688 | R--- | C] (Sony Corporation) -- C:\WINDOWS\System32\IcdCddaDve.dll

[2010/10/31 16:57:32 | 000,099,688 | R--- | C] (Sony Corporation) -- C:\WINDOWS\System32\IcdCdda.dll

[2010/10/31 16:57:32 | 000,079,208 | R--- | C] (Sony Corporation) -- C:\WINDOWS\System32\ICDUSB2.dll

[2010/10/31 16:57:32 | 000,079,208 | R--- | C] (Sony Corporation) -- C:\WINDOWS\System32\ICDUSB.dll

[2010/10/31 16:57:32 | 000,071,016 | R--- | C] (Sony Corporation) -- C:\WINDOWS\System32\ICDUSB3.dll

[2010/10/31 16:57:25 | 000,995,328 | R--- | C] (Sony Corporation) -- C:\WINDOWS\System32\lcstde.ax

[2010/10/31 16:57:25 | 000,131,072 | R--- | C] (Sony Corporation) -- C:\WINDOWS\System32\IcdSrc3.ax

[2010/10/31 16:57:25 | 000,118,784 | R--- | C] (Sony Corporation) -- C:\WINDOWS\System32\Mp3Src.ax

[2010/10/31 16:57:25 | 000,110,592 | R--- | C] (Sony Corporation) -- C:\WINDOWS\System32\trcsp.ax

[2010/10/31 16:57:25 | 000,110,592 | R--- | C] (Sony Corporation) -- C:\WINDOWS\System32\lpecsp.ax

[2010/10/31 16:57:25 | 000,110,592 | R--- | C] (Sony Corporation) -- C:\WINDOWS\System32\lcstsp.ax

[2010/10/31 16:57:25 | 000,102,400 | R--- | C] (Sony Corporation) -- C:\WINDOWS\System32\msvdec.ax

[2010/10/31 16:57:25 | 000,102,400 | R--- | C] (Sony Corporation) -- C:\WINDOWS\System32\IcdPars.ax

[2010/10/31 16:57:25 | 000,077,824 | R--- | C] (Sony Corporation) -- C:\WINDOWS\System32\IcdSrc2.ax

[2010/10/31 16:57:25 | 000,073,728 | R--- | C] (Sony Corporation) -- C:\WINDOWS\System32\icdsrc.ax

[2010/10/31 16:57:25 | 000,073,728 | R--- | C] (Sony Corporation) -- C:\WINDOWS\System32\DPCtrl.ax

[2010/10/31 16:57:25 | 000,069,632 | R--- | C] (Sony Corporation) -- C:\WINDOWS\System32\trcde.ax

[2010/10/31 16:57:25 | 000,069,632 | R--- | C] (Sony Corporation) -- C:\WINDOWS\System32\lpecde.ax

[2010/10/31 16:57:25 | 000,065,536 | R--- | C] (Sony Corporation) -- C:\WINDOWS\System32\IcdAfs.ax

[2010/10/31 16:57:24 | 000,053,248 | R--- | C] (Sony Corporation) -- C:\WINDOWS\System32\AudiDest.ax

[2010/10/31 16:57:08 | 000,000,000 | ---D | C] -- C:\Program Files\Sony

[2010/10/31 09:49:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Shoppie's\Application Data\Roxio

[2010/10/31 09:48:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Shoppie's\Application Data\CyberLink

[2010/10/31 09:43:59 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\LightScribe

[2010/10/24 10:05:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Shoppie's\Application Data\TaxCut

[2010/10/24 10:04:52 | 000,000,000 | ---D | C] -- C:\Program Files\PDF995

[2010/10/24 10:04:52 | 000,000,000 | ---D | C] -- C:\Program Files\HRBlock2009

[2010/10/24 10:04:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TaxCut

[2010/10/16 13:11:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Shoppie's\Local Settings\Application Data\Temp

[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/11/14 10:48:39 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Shoppie's\Desktop\OTL.exe

[2010/11/14 10:16:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

[2010/11/14 10:01:00 | 000,000,242 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job

[2010/11/14 08:09:19 | 000,060,991 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001

[2010/11/13 14:26:21 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job

[2010/11/13 14:23:34 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/11/13 14:23:15 | 000,001,595 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\McAfee AntiVirus Plus.lnk

[2010/11/13 14:23:14 | 000,200,610 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml

[2010/11/13 14:23:11 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job

[2010/11/13 14:23:11 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job

[2010/11/13 14:23:08 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/11/13 14:22:23 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts

[2010/11/13 14:17:25 | 000,000,327 | RHS- | M] () -- C:\boot.ini

[2010/11/13 13:26:52 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll

[2010/11/13 13:26:52 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe

[2010/11/13 13:26:52 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe

[2010/11/13 13:26:52 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe

[2010/11/13 13:26:52 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl

[2010/11/13 10:25:18 | 000,002,187 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Safari.lnk

[2010/11/13 09:34:16 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/11/13 08:49:37 | 000,000,104 | ---- | M] () -- C:\Documents and Settings\Shoppie's\Desktop\Internet.lnk

[2010/11/12 03:01:24 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2010/11/11 06:13:58 | 000,484,472 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2010/11/11 06:13:58 | 000,080,320 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2010/11/11 06:09:36 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Shoppie's\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk

[2010/11/10 21:07:59 | 000,070,764 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat

[2010/11/10 21:04:03 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat

[2010/11/08 01:20:24 | 000,089,088 | ---- | M] () -- C:\WINDOWS\MBR.exe

[2010/10/31 18:35:17 | 000,002,341 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk

[2010/10/31 18:14:33 | 000,000,000 | ---- | M] () -- C:\WINDOWS\DVEdit.INI

[2010/10/31 16:57:36 | 000,000,665 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Digital Voice Editor 3.lnk

[2010/10/31 09:44:04 | 000,001,774 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\LightScribe.lnk

[2010/10/31 09:10:53 | 000,039,424 | ---- | M] () -- C:\Documents and Settings\Shoppie's\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/10/27 18:18:04 | 000,328,296 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2010/10/26 20:28:30 | 000,060,991 | ---- | M] () -- C:\WINDOWS\System32\nvModes.dat

[2010/10/24 10:25:23 | 000,061,980 | ---- | M] () -- C:\Documents and Settings\Shoppie's\Desktop\HRBlock.pdf

[2010/10/24 10:05:28 | 000,001,682 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\H&R Block 2009.lnk

[2010/10/19 16:20:14 | 000,095,626 | ---- | M] () -- C:\Documents and Settings\Shoppie's\My Documents\xmas 2010.pptx

[2010/10/19 10:41:44 | 000,222,080 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe

[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/11/13 14:17:25 | 000,000,211 | ---- | C] () -- C:\Boot.bak

[2010/11/13 14:17:23 | 000,260,272 | RHS- | C] () -- C:\cmldr

[2010/11/13 14:13:00 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe

[2010/11/13 14:13:00 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe

[2010/11/13 14:13:00 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe

[2010/11/13 14:13:00 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe

[2010/11/13 14:13:00 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe

[2010/11/13 09:34:16 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/11/13 08:56:04 | 000,000,330 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job

[2010/11/13 08:49:37 | 000,000,104 | ---- | C] () -- C:\Documents and Settings\Shoppie's\Desktop\Internet.lnk

[2010/11/13 08:42:33 | 000,000,236 | ---- | C] () -- C:\WINDOWS\tasks\OGALogon.job

[2010/11/12 11:28:17 | 000,001,595 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\McAfee AntiVirus Plus.lnk

[2010/10/31 18:14:33 | 000,000,000 | ---- | C] () -- C:\WINDOWS\DVEdit.INI

[2010/10/31 16:58:21 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\trc.dll

[2010/10/31 16:57:49 | 000,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll

[2010/10/31 16:57:49 | 000,354,816 | ---- | C] () -- C:\WINDOWS\System32\dllcache\psisdecd.dll

[2010/10/31 16:57:49 | 000,030,208 | ---- | C] () -- C:\WINDOWS\System32\psisrndr.ax

[2010/10/31 16:57:49 | 000,030,208 | ---- | C] () -- C:\WINDOWS\System32\dllcache\psisrndr.ax

[2010/10/31 16:57:48 | 000,052,224 | ---- | C] () -- C:\WINDOWS\System32\msdvbnp.ax

[2010/10/31 16:57:48 | 000,052,224 | ---- | C] () -- C:\WINDOWS\System32\dllcache\msdvbnp.ax

[2010/10/31 16:57:36 | 000,000,665 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Digital Voice Editor 3.lnk

[2010/10/31 16:57:34 | 000,010,600 | R--- | C] () -- C:\WINDOWS\System32\IcdSptSvps.dll

[2010/10/31 16:57:33 | 000,124,264 | R--- | C] () -- C:\WINDOWS\System32\mp3dec.dll

[2010/10/31 16:57:33 | 000,081,920 | R--- | C] () -- C:\WINDOWS\System32\dsp_trc.dll

[2010/10/31 09:44:04 | 000,001,774 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\LightScribe.lnk

[2010/10/24 10:25:21 | 000,061,980 | ---- | C] () -- C:\Documents and Settings\Shoppie's\Desktop\HRBlock.pdf

[2010/10/24 10:05:28 | 000,001,682 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\H&R Block 2009.lnk

[2010/10/19 16:20:14 | 000,095,626 | ---- | C] () -- C:\Documents and Settings\Shoppie's\My Documents\xmas 2010.pptx

[2010/09/09 10:00:46 | 000,000,132 | ---- | C] () -- C:\Documents and Settings\Shoppie's\Local Settings\Application Data\fusioncache.dat

[2010/09/09 09:55:18 | 000,000,064 | ---- | C] () -- C:\WINDOWS\PrintWorkShop2005LE.ini

[2010/09/01 08:35:07 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\HPZIDS01.dll

[2010/08/28 18:32:50 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll

[2010/07/15 16:46:52 | 000,039,424 | ---- | C] () -- C:\Documents and Settings\Shoppie's\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/07/14 10:35:05 | 000,000,234 | ---- | C] () -- C:\WINDOWS\wininit.ini

[2010/07/14 10:08:39 | 000,002,326 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log

[2010/07/14 09:26:43 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll

[2010/07/14 08:06:15 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll

[2010/07/14 08:06:15 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll

[2010/07/14 08:06:15 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll

[2010/07/14 08:06:14 | 001,486,848 | ---- | C] () -- C:\WINDOWS\System32\nview.dll

[2010/07/14 03:42:10 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI

[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll

[2002/12/11 18:19:34 | 000,708,608 | ---- | C] () -- C:\WINDOWS\System32\ltcry13n.dll

[2002/12/11 18:19:34 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\lttls13n.dll

[2000/04/12 16:28:12 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\lfkodak.dll

[2000/04/12 16:24:10 | 000,338,944 | ---- | C] () -- C:\WINDOWS\System32\lffpx7.dll

========== LOP Check ==========

[2010/08/28 07:49:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\espionServerData

[2010/10/24 10:04:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TaxCut

[2010/07/14 10:36:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Uninstall

[2010/07/14 10:33:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

[2010/08/08 08:24:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Shoppie's\Application Data\4Media

[2010/11/13 09:24:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Shoppie's\Application Data\ElevatedDiagnostics

[2010/07/22 04:53:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Shoppie's\Application Data\Picaboo

[2010/07/15 17:15:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Shoppie's\Application Data\Search Settings

[2010/10/24 10:05:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Shoppie's\Application Data\TaxCut

[2010/07/15 17:16:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Shoppie's\Application Data\YouTube Downloader

[2010/11/13 14:26:21 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

[2010/11/13 14:23:11 | 000,000,236 | ---- | M] () -- C:\WINDOWS\Tasks\OGALogon.job

[2010/11/14 10:01:00 | 000,000,242 | ---- | M] () -- C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job

========== Purity Check ==========

< End of report >


GMER 1.0.15.15530 - http://www.gmer.net

Rootkit scan 2010-11-14 12:59:01

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD25 rev.11.0

Running: gmer.exe; Driver: C:\DOCUME~1\SHOPPI~1\LOCALS~1\Temp\uxliykoc.sys

---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9DEE0E0]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9DEE0F4]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9DEE120]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9DEE176]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9DEE0CC]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9DEE0A4]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9DEE0B8]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9DEE10A]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB9DEE14C]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9DEE136]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9DEE1A0]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9DEE18C]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9DEE160]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504B08 7 Bytes JMP B9DEE164 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtMapViewOfSection 805B1FE6 7 Bytes JMP B9DEE17A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2DF4 5 Bytes JMP B9DEE190 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtSetSecurityObject 805C05DA 5 Bytes JMP B9DEE150 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtOpenProcess 805CB3FA 5 Bytes JMP B9DEE0A8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtOpenThread 805CB686 5 Bytes JMP B9DEE0BC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwTerminateProcess 805D2982 5 Bytes JMP B9DEE1A4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwSetValueKey 80621D3A 7 Bytes JMP B9DEE13A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwRenameKey 806231EA 7 Bytes JMP B9DEE10E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwCreateKey 806237C8 5 Bytes JMP B9DEE0E4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwDeleteKey 80623C64 7 Bytes JMP B9DEE0F8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E34 7 Bytes JMP B9DEE124 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwOpenKey 80624BA6 5 Bytes JMP B9DEE0D0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB87F0360, 0x3347AD, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[460] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C00000

.text C:\WINDOWS\system32\svchost.exe[460] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C00FD4

.text C:\WINDOWS\system32\svchost.exe[460] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C00FEF

.text C:\WINDOWS\system32\svchost.exe[460] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BF0000

.text C:\WINDOWS\system32\svchost.exe[460] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BF0F94

.text C:\WINDOWS\system32\svchost.exe[460] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BF0089

.text C:\WINDOWS\system32\svchost.exe[460] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BF006C

.text C:\WINDOWS\system32\svchost.exe[460] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BF0FAF

.text C:\WINDOWS\system32\svchost.exe[460] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BF0047

.text C:\WINDOWS\system32\svchost.exe[460] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BF0F63

.text C:\WINDOWS\system32\svchost.exe[460] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BF00B5

.text C:\WINDOWS\system32\svchost.exe[460] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BF00FC

.text C:\WINDOWS\system32\svchost.exe[460] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BF00EB

.text C:\WINDOWS\system32\svchost.exe[460] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BF0F3E

.text C:\WINDOWS\system32\svchost.exe[460] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BF0FC0

.text C:\WINDOWS\system32\svchost.exe[460] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BF0FDB

.text C:\WINDOWS\system32\svchost.exe[460] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BF00A4

.text C:\WINDOWS\system32\svchost.exe[460] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BF002C

.text C:\WINDOWS\system32\svchost.exe[460] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BF001B

.text C:\WINDOWS\system32\svchost.exe[460] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BF00C6

.text C:\WINDOWS\system32\svchost.exe[460] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C20FE5

.text C:\WINDOWS\system32\svchost.exe[460] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C2005B

.text C:\WINDOWS\system32\svchost.exe[460] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C20036

.text C:\WINDOWS\system32\svchost.exe[460] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C2001B

.text C:\WINDOWS\system32\svchost.exe[460] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C20F9E

.text C:\WINDOWS\system32\svchost.exe[460] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C20000

.text C:\WINDOWS\system32\svchost.exe[460] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C20FB9

.text C:\WINDOWS\system32\svchost.exe[460] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E2, 88] {LOOP 0xffffffffffffff8a}

.text C:\WINDOWS\system32\svchost.exe[460] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C20FD4

.text C:\WINDOWS\system32\svchost.exe[460] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C10027

.text C:\WINDOWS\system32\svchost.exe[460] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C10016

.text C:\WINDOWS\system32\svchost.exe[460] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C10FB7

.text C:\WINDOWS\system32\svchost.exe[460] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C10FEF

.text C:\WINDOWS\system32\svchost.exe[460] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C10FA6

.text C:\WINDOWS\system32\svchost.exe[460] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C10FDE

.text C:\WINDOWS\Explorer.EXE[1028] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00DD0FEF

.text C:\WINDOWS\Explorer.EXE[1028] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00DD0FD4

.text C:\WINDOWS\Explorer.EXE[1028] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DD000A

.text C:\WINDOWS\Explorer.EXE[1028] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01F00FEF

.text C:\WINDOWS\Explorer.EXE[1028] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01F0007B

.text C:\WINDOWS\Explorer.EXE[1028] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01F0006A

.text C:\WINDOWS\Explorer.EXE[1028] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01F00F90

.text C:\WINDOWS\Explorer.EXE[1028] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01F0004D

.text C:\WINDOWS\Explorer.EXE[1028] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01F00FBC

.text C:\WINDOWS\Explorer.EXE[1028] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01F00F49

.text C:\WINDOWS\Explorer.EXE[1028] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01F00F5A

.text C:\WINDOWS\Explorer.EXE[1028] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01F000C7

.text C:\WINDOWS\Explorer.EXE[1028] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01F00F2E

.text C:\WINDOWS\Explorer.EXE[1028] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01F000E2

.text C:\WINDOWS\Explorer.EXE[1028] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01F00FAB

.text C:\WINDOWS\Explorer.EXE[1028] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01F00FDE

.text C:\WINDOWS\Explorer.EXE[1028] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01F00F75

.text C:\WINDOWS\Explorer.EXE[1028] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01F00FCD

.text C:\WINDOWS\Explorer.EXE[1028] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01F00014

.text C:\WINDOWS\Explorer.EXE[1028] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01F000AC

.text C:\WINDOWS\Explorer.EXE[1028] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01EF0FB9

.text C:\WINDOWS\Explorer.EXE[1028] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01EF0076

.text C:\WINDOWS\Explorer.EXE[1028] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01EF000A

.text C:\WINDOWS\Explorer.EXE[1028] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01EF0FD4

.text C:\WINDOWS\Explorer.EXE[1028] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01EF0051

.text C:\WINDOWS\Explorer.EXE[1028] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01EF0FE5

.text C:\WINDOWS\Explorer.EXE[1028] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01EF0036

.text C:\WINDOWS\Explorer.EXE[1028] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01EF0025

.text C:\WINDOWS\Explorer.EXE[1028] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01E70038

.text C:\WINDOWS\Explorer.EXE[1028] msvcrt.dll!system 77C293C7 5 Bytes JMP 01E70027

.text C:\WINDOWS\Explorer.EXE[1028] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01E70016

.text C:\WINDOWS\Explorer.EXE[1028] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01E70FEF

.text C:\WINDOWS\Explorer.EXE[1028] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01E70FC1

.text C:\WINDOWS\Explorer.EXE[1028] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01E70FDE

.text C:\WINDOWS\Explorer.EXE[1028] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00DE0000

.text C:\WINDOWS\Explorer.EXE[1028] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00DE0FDB

.text C:\WINDOWS\Explorer.EXE[1028] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00DE0FCA

.text C:\WINDOWS\Explorer.EXE[1028] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00DE0FAF

.text C:\WINDOWS\Explorer.EXE[1028] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E10000

.text C:\WINDOWS\system32\svchost.exe[1188] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0090000A

.text C:\WINDOWS\system32\svchost.exe[1188] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00900FE5

.text C:\WINDOWS\system32\svchost.exe[1188] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0090001B

.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BF0FE5

.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BF0F6F

.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BF0064

.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BF0047

.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BF0F8A

.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BF0FAF

.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BF0F54

.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BF0090

.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BF0F17

.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BF0F28

.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BF00D5

.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BF0036

.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BF0000

.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BF0075

.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BF0FCA

.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BF0011

.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BF0F43

.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BE0036

.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BE0FA5

.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BE0025

.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BE0FEF

.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BE0058

.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BE0000

.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BE0FC0

.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DE, 88]

.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BE0047

.text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0093002C

.text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!system 77C293C7 5 Bytes JMP 00930FAB

.text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00930FC6

.text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00930000

.text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00930011

.text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00930FD7

.text C:\WINDOWS\system32\svchost.exe[1188] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00910000

.text C:\WINDOWS\system32\svchost.exe[1188] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00910FE5

.text C:\WINDOWS\system32\svchost.exe[1188] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 0091001B

.text C:\WINDOWS\system32\svchost.exe[1188] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 0091002C

.text C:\WINDOWS\system32\svchost.exe[1188] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00920000

.text C:\WINDOWS\system32\services.exe[1464] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00970FEF

.text C:\WINDOWS\system32\services.exe[1464] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0097000A

.text C:\WINDOWS\system32\services.exe[1464] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00970FD4

.text C:\WINDOWS\system32\services.exe[1464] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FE000A

.text C:\WINDOWS\system32\services.exe[1464] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FE0091

.text C:\WINDOWS\system32\services.exe[1464] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FE0076

.text C:\WINDOWS\system32\services.exe[1464] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FE0F92

.text C:\WINDOWS\system32\services.exe[1464] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FE005B

.text C:\WINDOWS\system32\services.exe[1464] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FE0FCD

.text C:\WINDOWS\system32\services.exe[1464] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FE0F61

.text C:\WINDOWS\system32\services.exe[1464] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FE00B3

.text C:\WINDOWS\system32\services.exe[1464] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FE00FA

.text C:\WINDOWS\system32\services.exe[1464] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FE00D5

.text C:\WINDOWS\system32\services.exe[1464] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FE0F46

.text C:\WINDOWS\system32\services.exe[1464] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FE004A

.text C:\WINDOWS\system32\services.exe[1464] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FE0FEF

.text C:\WINDOWS\system32\services.exe[1464] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FE00A2

.text C:\WINDOWS\system32\services.exe[1464] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FE002F

.text C:\WINDOWS\system32\services.exe[1464] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FE0FDE

.text C:\WINDOWS\system32\services.exe[1464] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FE00C4

.text C:\WINDOWS\system32\services.exe[1464] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FD0FC0

.text C:\WINDOWS\system32\services.exe[1464] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FD0F94

.text C:\WINDOWS\system32\services.exe[1464] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FD001B

.text C:\WINDOWS\system32\services.exe[1464] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FD0FE5

.text C:\WINDOWS\system32\services.exe[1464] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FD0FA5

.text C:\WINDOWS\system32\services.exe[1464] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FD0000

.text C:\WINDOWS\system32\services.exe[1464] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00FD0047

.text C:\WINDOWS\system32\services.exe[1464] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FD002C

.text C:\WINDOWS\system32\services.exe[1464] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009A0FAD

.text C:\WINDOWS\system32\services.exe[1464] msvcrt.dll!system 77C293C7 5 Bytes JMP 009A0FC8

.text C:\WINDOWS\system32\services.exe[1464] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009A002E

.text C:\WINDOWS\system32\services.exe[1464] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009A0000

.text C:\WINDOWS\system32\services.exe[1464] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009A0FD9

.text C:\WINDOWS\system32\services.exe[1464] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009A001D

.text C:\WINDOWS\system32\services.exe[1464] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00990FEF

.text C:\WINDOWS\system32\lsass.exe[1476] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BA0000

.text C:\WINDOWS\system32\lsass.exe[1476] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BA0FD4

.text C:\WINDOWS\system32\lsass.exe[1476] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BA0FE5

.text C:\WINDOWS\system32\lsass.exe[1476] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F10000

.text C:\WINDOWS\system32\lsass.exe[1476] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F10F91

.text C:\WINDOWS\system32\lsass.exe[1476] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F10086

.text C:\WINDOWS\system32\lsass.exe[1476] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F10075

.text C:\WINDOWS\system32\lsass.exe[1476] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F10058

.text C:\WINDOWS\system32\lsass.exe[1476] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F10FD1

.text C:\WINDOWS\system32\lsass.exe[1476] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F100B2

.text C:\WINDOWS\system32\lsass.exe[1476] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F10F76

.text C:\WINDOWS\system32\lsass.exe[1476] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F100DE

.text C:\WINDOWS\system32\lsass.exe[1476] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F100CD

.text C:\WINDOWS\system32\lsass.exe[1476] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F10F34

.text C:\WINDOWS\system32\lsass.exe[1476] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F10FB6

.text C:\WINDOWS\system32\lsass.exe[1476] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F1001B

.text C:\WINDOWS\system32\lsass.exe[1476] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F100A1

.text C:\WINDOWS\system32\lsass.exe[1476] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F1003D

.text C:\WINDOWS\system32\lsass.exe[1476] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F1002C

.text C:\WINDOWS\system32\lsass.exe[1476] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F10F4F

.text C:\WINDOWS\system32\lsass.exe[1476] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BD0FCA

.text C:\WINDOWS\system32\lsass.exe[1476] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BD0F94

.text C:\WINDOWS\system32\lsass.exe[1476] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BD001B

.text C:\WINDOWS\system32\lsass.exe[1476] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BD000A

.text C:\WINDOWS\system32\lsass.exe[1476] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BD0051

.text C:\WINDOWS\system32\lsass.exe[1476] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BD0FEF

.text C:\WINDOWS\system32\lsass.exe[1476] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BD0036

.text C:\WINDOWS\system32\lsass.exe[1476] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BD0FB9

.text C:\WINDOWS\system32\lsass.exe[1476] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BC0FBE

.text C:\WINDOWS\system32\lsass.exe[1476] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BC0053

.text C:\WINDOWS\system32\lsass.exe[1476] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BC0027

.text C:\WINDOWS\system32\lsass.exe[1476] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BC0FE3

.text C:\WINDOWS\system32\lsass.exe[1476] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BC0038

.text C:\WINDOWS\system32\lsass.exe[1476] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BC0000

.text C:\WINDOWS\system32\lsass.exe[1476] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BB0000

.text C:\WINDOWS\system32\svchost.exe[1668] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F4000A

.text C:\WINDOWS\system32\svchost.exe[1668] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F40FDB

.text C:\WINDOWS\system32\svchost.exe[1668] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F4001B

.text C:\WINDOWS\system32\svchost.exe[1668] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02420FEF

.text C:\WINDOWS\system32\svchost.exe[1668] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02420F81

.text C:\WINDOWS\system32\svchost.exe[1668] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0242006C

.text C:\WINDOWS\system32\svchost.exe[1668] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02420F92

.text C:\WINDOWS\system32\svchost.exe[1668] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0242005B

.text C:\WINDOWS\system32\svchost.exe[1668] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02420040

.text C:\WINDOWS\system32\svchost.exe[1668] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02420F3A

.text C:\WINDOWS\system32\svchost.exe[1668] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02420F55

.text C:\WINDOWS\system32\svchost.exe[1668] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 024200AE

.text C:\WINDOWS\system32\svchost.exe[1668] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0242009D

.text C:\WINDOWS\system32\svchost.exe[1668] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 024200BF

.text C:\WINDOWS\system32\svchost.exe[1668] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02420FB9

.text C:\WINDOWS\system32\svchost.exe[1668] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0242000A

.text C:\WINDOWS\system32\svchost.exe[1668] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02420F66

.text C:\WINDOWS\system32\svchost.exe[1668] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0242001B

.text C:\WINDOWS\system32\svchost.exe[1668] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02420FD4

.text C:\WINDOWS\system32\svchost.exe[1668] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02420F29

.text C:\WINDOWS\system32\svchost.exe[1668] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02410047

.text C:\WINDOWS\system32\svchost.exe[1668] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02410FCA

.text C:\WINDOWS\system32\svchost.exe[1668] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02410036

.text C:\WINDOWS\system32\svchost.exe[1668] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0241001B

.text C:\WINDOWS\system32\svchost.exe[1668] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0241007D

.text C:\WINDOWS\system32\svchost.exe[1668] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02410000

.text C:\WINDOWS\system32\svchost.exe[1668] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02410FDB

.text C:\WINDOWS\system32\svchost.exe[1668] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [61, 8A]

.text C:\WINDOWS\system32\svchost.exe[1668] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02410062

.text C:\WINDOWS\system32\svchost.exe[1668] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FF0FA6

.text C:\WINDOWS\system32\svchost.exe[1668] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FF0FC1

.text C:\WINDOWS\system32\svchost.exe[1668] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FF0FD2

.text C:\WINDOWS\system32\svchost.exe[1668] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FF0FEF

.text C:\WINDOWS\system32\svchost.exe[1668] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FF0031

.text C:\WINDOWS\system32\svchost.exe[1668] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FF000C

.text C:\WINDOWS\system32\svchost.exe[1668] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F50FEF

.text C:\WINDOWS\system32\svchost.exe[1740] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00D20000

.text C:\WINDOWS\system32\svchost.exe[1740] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00D20025

.text C:\WINDOWS\system32\svchost.exe[1740] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D20FE5

.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D60000

.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D6007A

.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D60F7B

.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D6005F

.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D6004E

.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D6003D

.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D60F39

.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D60F60

.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D600B7

.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D60F1E

.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D60F0D

.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D60FB6

.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D60011

.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D6008B

.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D60FD1

.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D60022

.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D6009C

.text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D5002C

.text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D50069

.text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D5001B

.text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D5000A

.text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D50058

.text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D50FEF

.text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D50047

.text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D50FC0

.text C:\WINDOWS\system32\svchost.exe[1740] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D40033

.text C:\WINDOWS\system32\svchost.exe[1740] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D40022

.text C:\WINDOWS\system32\svchost.exe[1740] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D40011

.text C:\WINDOWS\system32\svchost.exe[1740] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D40000

.text C:\WINDOWS\system32\svchost.exe[1740] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D40FBC

.text C:\WINDOWS\system32\svchost.exe[1740] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D40FE3

.text C:\WINDOWS\system32\svchost.exe[1740] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D30FE5

.text C:\WINDOWS\System32\svchost.exe[1820] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 04630FE5

.text C:\WINDOWS\System32\svchost.exe[1820] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 04630014

.text C:\WINDOWS\System32\svchost.exe[1820] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 04630FD4

.text C:\WINDOWS\System32\svchost.exe[1820] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 046E0FEF

.text C:\WINDOWS\System32\svchost.exe[1820] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 046E0F63

.text C:\WINDOWS\System32\svchost.exe[1820] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 046E0062

.text C:\WINDOWS\System32\svchost.exe[1820] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 046E0F7E

.text C:\WINDOWS\System32\svchost.exe[1820] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 046E0FA5

.text C:\WINDOWS\System32\svchost.exe[1820] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 046E002C

.text C:\WINDOWS\System32\svchost.exe[1820] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 046E0F3C

.text C:\WINDOWS\System32\svchost.exe[1820] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 046E008E

.text C:\WINDOWS\System32\svchost.exe[1820] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 046E009F

.text C:\WINDOWS\System32\svchost.exe[1820] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 046E0F10

.text C:\WINDOWS\System32\svchost.exe[1820] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 046E00B0

.text C:\WINDOWS\System32\svchost.exe[1820] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 046E0047

.text C:\WINDOWS\System32\svchost.exe[1820] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 046E000A

.text C:\WINDOWS\System32\svchost.exe[1820] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 046E007D

.text C:\WINDOWS\System32\svchost.exe[1820] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 046E0FC0

.text C:\WINDOWS\System32\svchost.exe[1820] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 046E001B

.text C:\WINDOWS\System32\svchost.exe[1820] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 046E0F2B

.text C:\WINDOWS\System32\svchost.exe[1820] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 046D002F

.text C:\WINDOWS\System32\svchost.exe[1820] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 046D0FAB

.text C:\WINDOWS\System32\svchost.exe[1820] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 046D0FDE

.text C:\WINDOWS\System32\svchost.exe[1820] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 046D0FEF

.text C:\WINDOWS\System32\svchost.exe[1820] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 046D0FBC

.text C:\WINDOWS\System32\svchost.exe[1820] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 046D0000

.text C:\WINDOWS\System32\svchost.exe[1820] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 046D005E

.text C:\WINDOWS\System32\svchost.exe[1820] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 046D0FCD

.text C:\WINDOWS\System32\svchost.exe[1820] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 046C0F9C

.text C:\WINDOWS\System32\svchost.exe[1820] msvcrt.dll!system 77C293C7 5 Bytes JMP 046C0FB7

.text C:\WINDOWS\System32\svchost.exe[1820] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 046C000C

.text C:\WINDOWS\System32\svchost.exe[1820] msvcrt.dll!_open 77C2F566 5 Bytes JMP 046C0FEF

.text C:\WINDOWS\System32\svchost.exe[1820] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 046C0027

.text C:\WINDOWS\System32\svchost.exe[1820] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 046C0FDE

.text C:\WINDOWS\System32\svchost.exe[1820] WS2_32.dll!socket 71AB4211 5 Bytes JMP 046B0FEF

.text C:\WINDOWS\System32\svchost.exe[1820] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 04650FEF

.text C:\WINDOWS\System32\svchost.exe[1820] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 04650FDE

.text C:\WINDOWS\System32\svchost.exe[1820] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 04650014

.text C:\WINDOWS\System32\svchost.exe[1820] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 04650FC3

.text C:\WINDOWS\system32\svchost.exe[1924] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00850FEF

.text C:\WINDOWS\system32\svchost.exe[1924] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00850FD4

.text C:\WINDOWS\system32\svchost.exe[1924] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0085000A

.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00890000

.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00890F77

.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00890076

.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00890F9E

.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00890FAF

.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00890040

.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00890F55

.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00890F66

.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008900CC

.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00890F29

.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 008900DD

.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00890051

.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00890FE5

.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00890091

.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00890FD4

.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00890025

.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00890F3A

.text C:\WINDOWS\system32\svchost.exe[1924] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00880025

.text C:\WINDOWS\system32\svchost.exe[1924] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00880F86

.text C:\WINDOWS\system32\svchost.exe[1924] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00880FDE

.text C:\WINDOWS\system32\svchost.exe[1924] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0088000A

.text C:\WINDOWS\system32\svchost.exe[1924] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00880F97

.text C:\WINDOWS\system32\svchost.exe[1924] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00880FEF

.text C:\WINDOWS\system32\svchost.exe[1924] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00880FA8

.text C:\WINDOWS\system32\svchost.exe[1924] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [A8, 88] {TEST AL, 0x88}

.text C:\WINDOWS\system32\svchost.exe[1924] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00880FB9

.text C:\WINDOWS\system32\svchost.exe[1924] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00870077

.text C:\WINDOWS\system32\svchost.exe[1924] msvcrt.dll!system 77C293C7 5 Bytes JMP 00870066

.text C:\WINDOWS\system32\svchost.exe[1924] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0087003A

.text C:\WINDOWS\system32\svchost.exe[1924] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00870000

.text C:\WINDOWS\system32\svchost.exe[1924] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00870055

.text C:\WINDOWS\system32\svchost.exe[1924] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00870029

.text C:\WINDOWS\system32\svchost.exe[1924] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00860FEF

.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[1936] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)

.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[1936] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)

.text C:\WINDOWS\system32\svchost.exe[2000] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00FC0FEF

.text C:\WINDOWS\system32\svchost.exe[2000] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00FC0FCA

.text C:\WINDOWS\system32\svchost.exe[2000] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FC000A

.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 010F0FE5

.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 010F0051

.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 010F0040

.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 010F0F72

.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 010F0F8D

.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 010F0F9E

.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 010F0093

.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 010F0078

.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010F0EF0

.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 010F0F15

.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 010F00A4

.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 010F0025

.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 010F0FD4

.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 010F0F41

.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 010F0FB9

.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 010F000A

.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 010F0F30

.text C:\WINDOWS\system32\svchost.exe[2000] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 010E0014

.text C:\WINDOWS\system32\svchost.exe[2000] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 010E0051

.text C:\WINDOWS\system32\svchost.exe[2000] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 010E0FC3

.text C:\WINDOWS\system32\svchost.exe[2000] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 010E0FD4

.text C:\WINDOWS\system32\svchost.exe[2000] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 010E0040

.text C:\WINDOWS\system32\svchost.exe[2000] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 010E0FEF

.text C:\WINDOWS\system32\svchost.exe[2000] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 010E0025

.text C:\WINDOWS\system32\svchost.exe[2000] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 010E0FA8

.text C:\WINDOWS\system32\svchost.exe[2000] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 010D005F

.text C:\WINDOWS\system32\svchost.exe[2000] msvcrt.dll!system 77C293C7 5 Bytes JMP 010D0FCA

.text C:\WINDOWS\system32\svchost.exe[2000] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 010D0FEF

.text C:\WINDOWS\system32\svchost.exe[2000] msvcrt.dll!_open 77C2F566 5 Bytes JMP 010D000C

.text C:\WINDOWS\system32\svchost.exe[2000] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 010D003A

.text C:\WINDOWS\system32\svchost.exe[2000] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 010D0029

.text C:\WINDOWS\system32\svchost.exe[2000] WS2_32.dll!socket 71AB4211 5 Bytes JMP 010C0FEF

.text C:\WINDOWS\System32\svchost.exe[4040] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F50000

.text C:\WINDOWS\System32\svchost.exe[4040] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F50FD4

.text C:\WINDOWS\System32\svchost.exe[4040] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F50FE5

.text C:\WINDOWS\System32\svchost.exe[4040] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F40FEF

.text C:\WINDOWS\System32\svchost.exe[4040] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F40F94

.text C:\WINDOWS\System32\svchost.exe[4040] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F4007F

.text C:\WINDOWS\System32\svchost.exe[4040] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F40FA5

.text C:\WINDOWS\System32\svchost.exe[4040] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F40062

.text C:\WINDOWS\System32\svchost.exe[4040] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F40036

.text C:\WINDOWS\System32\svchost.exe[4040] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F400A4

.text C:\WINDOWS\System32\svchost.exe[4040] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F40F68

.text C:\WINDOWS\System32\svchost.exe[4040] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F40F26

.text C:\WINDOWS\System32\svchost.exe[4040] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F400BF

.text C:\WINDOWS\System32\svchost.exe[4040] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F400E4

.text C:\WINDOWS\System32\svchost.exe[4040] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F40051

.text C:\WINDOWS\System32\svchost.exe[4040] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F40000

.text C:\WINDOWS\System32\svchost.exe[4040] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F40F83

.text C:\WINDOWS\System32\svchost.exe[4040] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F40025

.text C:\WINDOWS\System32\svchost.exe[4040] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F40FCA

.text C:\WINDOWS\System32\svchost.exe[4040] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F40F41

.text C:\WINDOWS\System32\svchost.exe[4040] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F80FE5

.text C:\WINDOWS\System32\svchost.exe[4040] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F8008E

.text C:\WINDOWS\System32\svchost.exe[4040] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F8002C

.text C:\WINDOWS\System32\svchost.exe[4040] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F80011

.text C:\WINDOWS\System32\svchost.exe[4040] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F80073

.text C:\WINDOWS\System32\svchost.exe[4040] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F80000

.text C:\WINDOWS\System32\svchost.exe[4040] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F80062

.text C:\WINDOWS\System32\svchost.exe[4040] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F80047

.text C:\WINDOWS\System32\svchost.exe[4040] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F70FA8

.text C:\WINDOWS\System32\svchost.exe[4040] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F7003D

.text C:\WINDOWS\System32\svchost.exe[4040] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F70011

.text C:\WINDOWS\System32\svchost.exe[4040] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F70FEF

.text C:\WINDOWS\System32\svchost.exe[4040] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F7002C

.text C:\WINDOWS\System32\svchost.exe[4040] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F70000

.text C:\WINDOWS\System32\svchost.exe[4040] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F60FEF

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[136] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [00407740] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)

IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[136] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [004077A0] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@RequireSignedAppInit_DLLs 1

---- EOF - GMER 1.0.15 ----

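A way to make a listing like the one above easier to read, as an added example that is not part of this thread or of GMER: the script below parses the `.text ... JMP ...` lines GMER prints for user-mode inline hooks, groups them per process, and separates hooks whose JMP target GMER attributed to a module on disk (the path it prints after the target, as on the McSvHost.exe lines) from hooks whose target it could not attribute to any loaded module. It also records how many distinct 64 KB regions the targets fall into and counts the `+ 3` continuation lines GMER emits when it reports a patch in two pieces. The sample lines are a handful copied from the log above; the line format and field names are assumptions based on that log, and GMER's own caution applies: this is a triage view, not a verdict.

```python
"""Triage helper for GMER 1.0.15 user-mode hook listings (added example, not GMER code)."""
import re
from collections import defaultdict

# Field layout assumed from the '.text <process>[<pid>] <dll>!<export> <addr> <n> Bytes ...' lines.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"        # process path and PID
    r"(?P<module>[^\s!]+)!(?P<func>\S+?)"                  # exporting DLL!function
    r"(?:\s\+\s(?P<offset>\d+))?\s+"                       # optional '+ 3' continuation
    r"(?P<addr>[0-9A-F]{8})\s+(?P<nbytes>\d+)\s+Bytes?\s+"
    r"(?P<rest>.*)$"
)
# Rest of the line: 'JMP <target> [<module path> (<description>)]' or raw bytes.
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-F]{8})\s*(?P<attrib>.*)$")

# Constructed sample: a few lines copied from the log posted above.
SAMPLE_LOG = r"""
---- User IAT/EAT - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[1668] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F4000A
.text C:\WINDOWS\system32\svchost.exe[1668] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 024200AE
.text C:\WINDOWS\system32\svchost.exe[1668] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02410FDB
.text C:\WINDOWS\system32\svchost.exe[1668] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [61, 8A]
.text C:\WINDOWS\system32\svchost.exe[1668] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F50FEF
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[1936] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----
"""


def parse_hook(line):
    """Return a dict for one '.text' hook line, or None for headers/blank lines."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "process": m["proc"], "pid": int(m["pid"]),
        "module": m["module"], "func": m["func"],
        "offset": int(m["offset"]) if m["offset"] else 0,
        "addr": int(m["addr"], 16), "nbytes": int(m["nbytes"]),
        "target": None, "attributed_to": "", "raw": "",
    }
    j = JMP_RE.match(m["rest"])
    if j:
        rec["target"] = int(j["target"], 16)
        rec["attributed_to"] = j["attrib"].strip()   # empty when GMER names no module
    else:
        rec["raw"] = m["rest"].strip()               # e.g. '[61, 8A]' continuation bytes
    return rec


def parse_log(text):
    return [r for r in (parse_hook(l) for l in text.splitlines()) if r]


def triage(hooks):
    """Group hooks per process: which exports, how many JMP regions, attributed or not."""
    per_proc = defaultdict(lambda: {"hooked_exports": [], "regions": set(),
                                    "attributed": 0, "unattributed": 0, "fragments": 0})
    for h in hooks:
        s = per_proc[f"{h['process']}[{h['pid']}]"]
        if h["offset"]:
            s["fragments"] += 1       # second half of a patch GMER reported in two lines
            continue
        s["hooked_exports"].append(f"{h['module']}!{h['func']}")
        if h["target"] is not None:
            s["regions"].add(h["target"] & 0xFFFF0000)   # 64 KB region the JMP lands in
            if h["attributed_to"]:
                s["attributed"] += 1
            else:
                s["unattributed"] += 1
    return dict(per_proc)


def report(summary):
    lines = []
    for proc, s in summary.items():
        lines.append(f"{proc}: {len(s['hooked_exports'])} hooked exports, "
                     f"{s['attributed']} attributed to a module, "
                     f"{s['unattributed']} unattributed, "
                     f"{len(s['regions'])} target region(s), {s['fragments']} fragment line(s)")
        for base in sorted(s["regions"]):
            lines.append(f"    target region {base:08X}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(parse_log(SAMPLE_LOG)))))
```

Reading the output for the full log is the point: a long list of exports per process whose JMP targets all land in a few small regions that GMER cannot tie to any file on disk is what injected code looks like, while the McSvHost.exe entries resolve to mcproxy.dll and carry a vendor description, which is the shape a security product's own hooks take. Whether the hooks are legitimate still comes down to checking the process and what the target regions contain.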

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

Ask Toolbar

Zynga Toolbar

Run OTL.exe

  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done

Run ESET Online Scan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
     ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
     1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
     2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.
  4. Check esetAcceptTerms.png
  5. Click the esetStart.png button.
  6. Accept any security warnings from your browser.
  7. Check esetScanArchives.png
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push esetListThreats.png
  11. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the esetBack.png button.
  13. Push esetFinish.png

  You can refer to this animation by neomage if needed.

C:\lj1010seriesprintsys\hp LaserJet 1010 Series.msi probably a variant of Win32/Genetik trojan deleted - quarantined

C:\Program Files\YouTube Downloader Toolbar\SearchSettings.exe Win32/Adware.Toolbar.Dealio application cleaned by deleting - quarantined

C:\Program Files\YouTube Downloader Toolbar\WidgiHelper.exe Win32/Adware.Toolbar.Dealio application cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Program Files\YouTube Downloader Toolbar\SearchSettings.dll.vir Win32/Adware.Toolbar.Dealio application cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Program Files\YouTube Downloader Toolbar\IE\1.0\youtubedownloaderToolbarIE.dll.vir Win32/Adware.Toolbar.Dealio application cleaned by deleting - quarantined

C:\System Volume Information\_restore{A239518A-CE65-458E-AB48-52B00E3FC303}\RP138\A0022335.dll Win32/Adware.Toolbar.Dealio application cleaned by deleting - quarantined

C:\System Volume Information\_restore{A239518A-CE65-458E-AB48-52B00E3FC303}\RP138\A0022336.dll Win32/Adware.Toolbar.Dealio application cleaned by deleting - quarantined

C:\System Volume Information\_restore{A239518A-CE65-458E-AB48-52B00E3FC303}\RP141\A0027161.msi probably a variant of Win32/Genetik trojan deleted - quarantined

C:\System Volume Information\_restore{A239518A-CE65-458E-AB48-52B00E3FC303}\RP141\A0027162.exe Win32/Adware.Toolbar.Dealio application cleaned by deleting - quarantined

C:\System Volume Information\_restore{A239518A-CE65-458E-AB48-52B00E3FC303}\RP141\A0027163.exe Win32/Adware.Toolbar.Dealio application cleaned by deleting - quarantined


That is very good to hear. I would like to run a few more tests to be sure you are clean :)

Download TFC by OldTimer to your desktop

  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Launch Malwarebytes' Anti-Malware

  • Check and make sure MBAM is up-to-date. If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
