askey127,
I have downloaded and run GMER Rootkit Scanner and Combofix. For GMER, I was not able to fully complete the scan because my computer would reboot before finishing. I attempted to run it multiple times with the same result. However, I was able to save the GMER log file up to the point where the computer would reboot. I will try to run the GMER scan again later tonight and repost the log file upon successful completion.
-------------------GMER log -----------------
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-19 19:02:37
Windows 5.1.2600 Service Pack 3
Running: e19ogmgd.exe; Driver: C:\DOCUME~1\bryan\LOCALS~1\Temp\axtdqpow.sys
---- System - GMER 1.0.15 ----
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB76A878A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB76A8738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB76A874C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB76A87CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB76A8710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB76A8724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB76A879E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB76A8776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB76A8762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB76A87F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB76A87E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB76A87B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!ZwYieldExecution 80515A92 7 Bytes JMP B76A87B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8057C328 5 Bytes JMP B76A878E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8057CFC0 5 Bytes JMP B76A8766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 8057DEF1 5 Bytes JMP B76A87E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 8057E369 7 Bytes JMP B76A87CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 80581702 5 Bytes JMP B76A8714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80581889 7 Bytes JMP B76A87A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8058B7CD 7 Bytes JMP B76A8750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 8058E695 5 Bytes JMP B76A87FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B0470 5 Bytes JMP B76A873C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 805E1941 5 Bytes JMP B76A8728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8063597F 5 Bytes JMP B76A877A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF7491780]
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\System32\svchost.exe[736] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BE0FE5
.text C:\WINDOWS\System32\svchost.exe[736] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BE00A1
.text C:\WINDOWS\System32\svchost.exe[736] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BE0FAC
.text C:\WINDOWS\System32\svchost.exe[736] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BE007A
.text C:\WINDOWS\System32\svchost.exe[736] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BE0069
.text C:\WINDOWS\System32\svchost.exe[736] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BE003D
.text C:\WINDOWS\System32\svchost.exe[736] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BE00D4
.text C:\WINDOWS\System32\svchost.exe[736] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BE00C3
.text C:\WINDOWS\System32\svchost.exe[736] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BE0F56
.text C:\WINDOWS\System32\svchost.exe[736] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BE00F9
.text C:\WINDOWS\System32\svchost.exe[736] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BE0F45
.text C:\WINDOWS\System32\svchost.exe[736] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BE0058
.text C:\WINDOWS\System32\svchost.exe[736] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BE0000
.text C:\WINDOWS\System32\svchost.exe[736] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BE00B2
.text C:\WINDOWS\System32\svchost.exe[736] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BE002C
.text C:\WINDOWS\System32\svchost.exe[736] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BE001B
.text C:\WINDOWS\System32\svchost.exe[736] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BE0F71
.text C:\WINDOWS\System32\svchost.exe[736] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00930000
.text C:\WINDOWS\System32\svchost.exe[736] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00930F8A
.text C:\WINDOWS\System32\svchost.exe[736] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00930FB9
.text C:\WINDOWS\System32\svchost.exe[736] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00930FCA
.text C:\WINDOWS\System32\svchost.exe[736] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00930047
.text C:\WINDOWS\System32\svchost.exe[736] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930FE5
.text C:\WINDOWS\System32\svchost.exe[736] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00930036
.text C:\WINDOWS\System32\svchost.exe[736] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00930025
.text C:\WINDOWS\System32\svchost.exe[736] msvcrt.dll!_wsystem 77C2931E 1 Byte [E9]
.text C:\WINDOWS\System32\svchost.exe[736] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920022
.text C:\WINDOWS\System32\svchost.exe[736] msvcrt.dll!system 77C293C7 5 Bytes JMP 00920011
.text C:\WINDOWS\System32\svchost.exe[736] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00920000
.text C:\WINDOWS\System32\svchost.exe[736] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920FEF
.text C:\WINDOWS\System32\svchost.exe[736] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00920FAB
.text C:\WINDOWS\System32\svchost.exe[736] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00920FD2
.text C:\WINDOWS\System32\svchost.exe[736] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00900FEF
.text C:\WINDOWS\System32\svchost.exe[736] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0090000A
.text C:\WINDOWS\System32\svchost.exe[736] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00900FD4
.text C:\WINDOWS\System32\svchost.exe[736] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00900025
.text C:\WINDOWS\System32\svchost.exe[736] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00910000
.text C:\WINDOWS\system32\services.exe[944] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[944] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0007007D
.text C:\WINDOWS\system32\services.exe[944] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070F92
.text C:\WINDOWS\system32\services.exe[944] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070FA3
.text C:\WINDOWS\system32\services.exe[944] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0007006C
.text C:\WINDOWS\system32\services.exe[944] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070040
.text C:\WINDOWS\system32\services.exe[944] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 000700B5
.text C:\WINDOWS\system32\services.exe[944] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070F6D
.text C:\WINDOWS\system32\services.exe[944] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000700DA
.text C:\WINDOWS\system32\services.exe[944] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070F4B
.text C:\WINDOWS\system32\services.exe[944] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 000700EB
.text C:\WINDOWS\system32\services.exe[944] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00070051
.text C:\WINDOWS\system32\services.exe[944] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00070011
.text C:\WINDOWS\system32\services.exe[944] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00070098
.text C:\WINDOWS\system32\services.exe[944] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[944] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[944] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00070F5C
.text C:\WINDOWS\system32\services.exe[944] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0006002F
.text C:\WINDOWS\system32\services.exe[944] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00060FA8
.text C:\WINDOWS\system32\services.exe[944] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0006000A
.text C:\WINDOWS\system32\services.exe[944] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00060FDE
.text C:\WINDOWS\system32\services.exe[944] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0006005B
.text C:\WINDOWS\system32\services.exe[944] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[944] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0006004A
.text C:\WINDOWS\system32\services.exe[944] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00060FC3
.text C:\WINDOWS\system32\services.exe[944] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050FBE
.text C:\WINDOWS\system32\services.exe[944] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050049
.text C:\WINDOWS\system32\services.exe[944] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0005001D
.text C:\WINDOWS\system32\services.exe[944] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\services.exe[944] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050038
.text C:\WINDOWS\system32\services.exe[944] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\services.exe[944] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\lsass.exe[956] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C00000
.text C:\WINDOWS\system32\lsass.exe[956] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C000BC
.text C:\WINDOWS\system32\lsass.exe[956] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C000A1
.text C:\WINDOWS\system32\lsass.exe[956] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C00FC7
.text C:\WINDOWS\system32\lsass.exe[956] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C00084
.text C:\WINDOWS\system32\lsass.exe[956] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C00058
.text C:\WINDOWS\system32\lsass.exe[956] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C000F4
.text C:\WINDOWS\system32\lsass.exe[956] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C00FAC
.text C:\WINDOWS\system32\lsass.exe[956] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C00131
.text C:\WINDOWS\system32\lsass.exe[956] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C00116
.text C:\WINDOWS\system32\lsass.exe[956] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C00142
.text C:\WINDOWS\system32\lsass.exe[956] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C00069
.text C:\WINDOWS\system32\lsass.exe[956] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C0001B
.text C:\WINDOWS\system32\lsass.exe[956] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C000CD
.text C:\WINDOWS\system32\lsass.exe[956] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C00047
.text C:\WINDOWS\system32\lsass.exe[956] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C0002C
.text C:\WINDOWS\system32\lsass.exe[956] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C00105
.text C:\WINDOWS\system32\lsass.exe[956] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BF0FD4
.text C:\WINDOWS\system32\lsass.exe[956] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BF005B
.text C:\WINDOWS\system32\lsass.exe[956] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BF0FE5
.text C:\WINDOWS\system32\lsass.exe[956] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BF001B
.text C:\WINDOWS\system32\lsass.exe[956] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BF0F9E
.text C:\WINDOWS\system32\lsass.exe[956] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\lsass.exe[956] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BF0040
.text C:\WINDOWS\system32\lsass.exe[956] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BF0FB9
.text C:\WINDOWS\system32\lsass.exe[956] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BE0040
.text C:\WINDOWS\system32\lsass.exe[956] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BE0FAB
.text C:\WINDOWS\system32\lsass.exe[956] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BE0011
.text C:\WINDOWS\system32\lsass.exe[956] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BE0000
.text C:\WINDOWS\system32\lsass.exe[956] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BE0FBC
.text C:\WINDOWS\system32\lsass.exe[956] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BE0FD7
.text C:\WINDOWS\system32\lsass.exe[956] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 024E000A
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 024E0F9C
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 024E0091
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 024E0076
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 024E005B
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 024E002F
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 024E00AC
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 024E0F64
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 024E00D1
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 024E0F38
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 024E00EC
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 024E004A
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 024E0FEF
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 024E0F81
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 024E0FCD
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 024E0FDE
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 024E0F49
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 024D0FAF
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 024D0058
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 024D0FC0
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 024D0FE5
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 024D0047
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 024D0000
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 024D0036
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 024D001B
.text C:\WINDOWS\system32\svchost.exe[1112] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 024C006C
.text C:\WINDOWS\system32\svchost.exe[1112] msvcrt.dll!system 77C293C7 5 Bytes JMP 024C0FD7
.text C:\WINDOWS\system32\svchost.exe[1112] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 024C0022
.text C:\WINDOWS\system32\svchost.exe[1112] msvcrt.dll!_open 77C2F566 5 Bytes JMP 024C0000
.text C:\WINDOWS\system32\svchost.exe[1112] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 024C003D
.text C:\WINDOWS\system32\svchost.exe[1112] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 024C0011
.text C:\WINDOWS\system32\svchost.exe[1112] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02450000
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00ED0FEF
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00ED0076
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00ED0F81
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00ED005B
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00ED0F9E
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00ED0FB9
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00ED00AE
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00ED0091
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00ED0F29
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00ED0F3A
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00ED00DD
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00ED0040
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00ED0014
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00ED0F66
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00ED0025
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00ED0FD4
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00ED0F4B
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EC0FCA
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EC005B
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EC0025
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EC0FEF
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EC0F9E
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EC0000
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00EC0FB9
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [0C, 89] {OR AL, 0x89}
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EC0036
.text C:\WINDOWS\system32\svchost.exe[1168] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00EB0FC8
.text C:\WINDOWS\system32\svchost.exe[1168] msvcrt.dll!system 77C293C7 5 Bytes JMP 00EB005D
.text C:\WINDOWS\system32\svchost.exe[1168] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00EB0FE3
.text C:\WINDOWS\system32\svchost.exe[1168] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00EB0000
.text C:\WINDOWS\system32\svchost.exe[1168] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00EB0042
.text C:\WINDOWS\system32\svchost.exe[1168] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00EB001D
.text C:\WINDOWS\system32\svchost.exe[1168] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00EA0FE5
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0371000A
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03710089
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03710078
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03710067
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03710FA8
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0371004A
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 037100AB
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0371009A
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 03710F23
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 037100BC
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 037100D7
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 03710FB9
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0371001B
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 03710F79
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 03710FDE
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 03710FEF
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 03710F3E
.text C:\WINDOWS\System32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0370002C
.text C:\WINDOWS\System32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0370007D
.text C:\WINDOWS\System32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 03700FDB
.text C:\WINDOWS\System32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 03700011
.text C:\WINDOWS\System32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0370006C
.text C:\WINDOWS\System32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 03700000
.text C:\WINDOWS\System32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 03700FC0
.text C:\WINDOWS\System32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [90, 8B]
.text C:\WINDOWS\System32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 03700047
.text C:\WINDOWS\System32\svchost.exe[1208] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02BA0F92
.text C:\WINDOWS\System32\svchost.exe[1208] msvcrt.dll!system 77C293C7 5 Bytes JMP 02BA0FAD
.text C:\WINDOWS\System32\svchost.exe[1208] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02BA0FC8
.text C:\WINDOWS\System32\svchost.exe[1208] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02BA0FEF
.text C:\WINDOWS\System32\svchost.exe[1208] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02BA001D
.text C:\WINDOWS\System32\svchost.exe[1208] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02BA000C
.text C:\WINDOWS\System32\svchost.exe[1208] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02B90FEF
.text C:\WINDOWS\System32\svchost.exe[1208] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02B80FE5
.text C:\WINDOWS\System32\svchost.exe[1208] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 02B8000A
.text C:\WINDOWS\System32\svchost.exe[1208] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 02B80FD4
.text C:\WINDOWS\System32\svchost.exe[1208] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 02B80FC3
.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00940FE5
.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00940F88
.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0094007D
.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0094006C
.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0094005B
.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00940025
.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009400BA
.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009400A9
.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00940F4D
.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009400E6
.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00940F28
.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00940040
.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00940FD4
.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00940098
.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00940FB9
.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0094000A
.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009400D5
.text C:\WINDOWS\System32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00930036
.text C:\WINDOWS\System32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0093006C
.text C:\WINDOWS\System32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0093001B
.text C:\WINDOWS\System32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00930000
.text C:\WINDOWS\System32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00930FAF
.text C:\WINDOWS\System32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930FEF
.text C:\WINDOWS\System32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00930FC0
.text C:\WINDOWS\System32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B3, 88] {MOV BL, 0x88}
.text C:\WINDOWS\System32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00930047
.text C:\WINDOWS\System32\svchost.exe[1292] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920066
.text C:\WINDOWS\System32\svchost.exe[1292] msvcrt.dll!system 77C293C7 5 Bytes JMP 00920FDB
.text C:\WINDOWS\System32\svchost.exe[1292] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0092003A
.text C:\WINDOWS\System32\svchost.exe[1292] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920000
.text C:\WINDOWS\System32\svchost.exe[1292] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00920055
.text C:\WINDOWS\System32\svchost.exe[1292] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0092001D
.text C:\WINDOWS\System32\svchost.exe[1292] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00910FE5
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B90FEF
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B9004F
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B90F5A
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B90F6B
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B9001E
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B90F97
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B90F11
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B90F2E
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B900AA
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B9008F
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B90EEC
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B90F7C
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B90FD4
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B90F3F
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B90FA8
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B90FC3
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B9006A
.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B80FD4
.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B80062
.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B80025
.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B80FE5
.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B80051
.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B80000
.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B80040
.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B80FC3
.text C:\WINDOWS\System32\svchost.exe[1328] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B70FC1
.text C:\WINDOWS\System32\svchost.exe[1328] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B70FD2
.text C:\WINDOWS\System32\svchost.exe[1328] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B7001D
.text C:\WINDOWS\System32\svchost.exe[1328] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B70FEF
.text C:\WINDOWS\System32\svchost.exe[1328] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B70038
.text C:\WINDOWS\System32\svchost.exe[1328] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B7000C
.text C:\WINDOWS\System32\svchost.exe[1328] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B60FEF
.text C:\WINDOWS\Explorer.EXE[1936] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02C20FEF
.text C:\WINDOWS\Explorer.EXE[1936] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02C2007A
.text C:\WINDOWS\Explorer.EXE[1936] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02C20069
.text C:\WINDOWS\Explorer.EXE[1936] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02C2004E
.text C:\WINDOWS\Explorer.EXE[1936] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02C20F91
.text C:\WINDOWS\Explorer.EXE[1936] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02C2002C
.text C:\WINDOWS\Explorer.EXE[1936] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02C200B2
.text C:\WINDOWS\Explorer.EXE[1936] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02C20F6A
.text C:\WINDOWS\Explorer.EXE[1936] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02C20F2D
.text C:\WINDOWS\Explorer.EXE[1936] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02C20F3E
.text C:\WINDOWS\Explorer.EXE[1936] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02C20F12
.text C:\WINDOWS\Explorer.EXE[1936] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02C2003D
.text C:\WINDOWS\Explorer.EXE[1936] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02C20000
.text C:\WINDOWS\Explorer.EXE[1936] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02C2008B
.text C:\WINDOWS\Explorer.EXE[1936] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02C2001B
.text C:\WINDOWS\Explorer.EXE[1936] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02C20FCA
.text C:\WINDOWS\Explorer.EXE[1936] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02C20F59
.text C:\WINDOWS\Explorer.EXE[1936] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 021F001B
.text C:\WINDOWS\Explorer.EXE[1936] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 021F0F83
.text C:\WINDOWS\Explorer.EXE[1936] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 021F0FCA
.text C:\WINDOWS\Explorer.EXE[1936] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 021F0FE5
.text C:\WINDOWS\Explorer.EXE[1936] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 021F0F9E
.text C:\WINDOWS\Explorer.EXE[1936] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 021F0000
.text C:\WINDOWS\Explorer.EXE[1936] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 021F0040
.text C:\WINDOWS\Explorer.EXE[1936] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 021F0FB9
.text C:\WINDOWS\Explorer.EXE[1936] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 021E0FB2
.text C:\WINDOWS\Explorer.EXE[1936] msvcrt.dll!system 77C293C7 5 Bytes JMP 021E0FC3
.text C:\WINDOWS\Explorer.EXE[1936] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 021E0033
.text C:\WINDOWS\Explorer.EXE[1936] msvcrt.dll!_open 77C2F566 5 Bytes JMP 021E0FEF
.text C:\WINDOWS\Explorer.EXE[1936] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 021E0FDE
.text C:\WINDOWS\Explorer.EXE[1936] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 021E0018
.text C:\WINDOWS\Explorer.EXE[1936] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 021C0000
.text C:\WINDOWS\Explorer.EXE[1936] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 021C001B
.text C:\WINDOWS\Explorer.EXE[1936] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 021C0036
.text C:\WINDOWS\Explorer.EXE[1936] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 021C0FDB
.text C:\WINDOWS\Explorer.EXE[1936] WS2_32.dll!socket 71AB4211 5 Bytes JMP 021D000A
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2168] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2168] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\wuauclt.exe[2884] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0FE5
.text C:\WINDOWS\system32\wuauclt.exe[2884] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B007D
.text C:\WINDOWS\system32\wuauclt.exe[2884] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0F88
.text C:\WINDOWS\system32\wuauclt.exe[2884] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0062
.text C:\WINDOWS\system32\wuauclt.exe[2884] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0051
.text C:\WINDOWS\system32\wuauclt.exe[2884] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B001B
.text C:\WINDOWS\system32\wuauclt.exe[2884] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B00BA
.text C:\WINDOWS\system32\wuauclt.exe[2884] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B00A9
.text C:\WINDOWS\system32\wuauclt.exe[2884] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B0F57
.text C:\WINDOWS\system32\wuauclt.exe[2884] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B00E6
.text C:\WINDOWS\system32\wuauclt.exe[2884] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B0F3C
.text C:\WINDOWS\system32\wuauclt.exe[2884] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B0036
.text C:\WINDOWS\system32\wuauclt.exe[2884] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B0FCA
.text C:\WINDOWS\system32\wuauclt.exe[2884] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B0098
.text C:\WINDOWS\system32\wuauclt.exe[2884] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B0FAF
.text C:\WINDOWS\system32\wuauclt.exe[2884] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B0000
.text C:\WINDOWS\system32\wuauclt.exe[2884] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B00D5
.text C:\WINDOWS\system32\wuauclt.exe[2884] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0F9E
.text C:\WINDOWS\system32\wuauclt.exe[2884] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A0FB9
.text C:\WINDOWS\system32\wuauclt.exe[2884] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\system32\wuauclt.exe[2884] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0000
.text C:\WINDOWS\system32\wuauclt.exe[2884] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A0FD4
.text C:\WINDOWS\system32\wuauclt.exe[2884] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A0029
.text C:\WINDOWS\system32\wuauclt.exe[2884] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002B0FCA
.text C:\WINDOWS\system32\wuauclt.exe[2884] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002B004A
.text C:\WINDOWS\system32\wuauclt.exe[2884] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002B0025
.text C:\WINDOWS\system32\wuauclt.exe[2884] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002B0FEF
.text C:\WINDOWS\system32\wuauclt.exe[2884] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002B0F8D
.text C:\WINDOWS\system32\wuauclt.exe[2884] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002B0000
.text C:\WINDOWS\system32\wuauclt.exe[2884] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002B0F9E
.text C:\WINDOWS\system32\wuauclt.exe[2884] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4B, 88]
.text C:\WINDOWS\system32\wuauclt.exe[2884] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002B0FB9
.text C:\WINDOWS\System32\svchost.exe[3008] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CE0FE5
.text C:\WINDOWS\System32\svchost.exe[3008] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CE005B
.text C:\WINDOWS\System32\svchost.exe[3008] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CE0F66
.text C:\WINDOWS\System32\svchost.exe[3008] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CE0F83
.text C:\WINDOWS\System32\svchost.exe[3008] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CE0040
.text C:\WINDOWS\System32\svchost.exe[3008] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CE002F
.text C:\WINDOWS\System32\svchost.exe[3008] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CE0F2E
.text C:\WINDOWS\System32\svchost.exe[3008] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CE0F49
.text C:\WINDOWS\System32\svchost.exe[3008] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CE00A2
.text C:\WINDOWS\System32\svchost.exe[3008] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CE0F13
.text C:\WINDOWS\System32\svchost.exe[3008] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CE00BD
.text C:\WINDOWS\System32\svchost.exe[3008] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CE0FA8
.text C:\WINDOWS\System32\svchost.exe[3008] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CE0000
.text C:\WINDOWS\System32\svchost.exe[3008] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CE0076
.text C:\WINDOWS\System32\svchost.exe[3008] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CE0FB9
.text C:\WINDOWS\System32\svchost.exe[3008] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CE0FCA
.text C:\WINDOWS\System32\svchost.exe[3008] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CE0091
.text C:\WINDOWS\System32\svchost.exe[3008] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CD0FDB
.text C:\WINDOWS\System32\svchost.exe[3008] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CD006F
.text C:\WINDOWS\System32\svchost.exe[3008] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CD002C
.text C:\WINDOWS\System32\svchost.exe[3008] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CD001B
.text C:\WINDOWS\System32\svchost.exe[3008] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CD0FA8
.text C:\WINDOWS\System32\svchost.exe[3008] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CD0000
.text C:\WINDOWS\System32\svchost.exe[3008] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00CD0FB9
.text C:\WINDOWS\System32\svchost.exe[3008] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [ED, 88]
.text C:\WINDOWS\System32\svchost.exe[3008] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CD0FCA
.text C:\WINDOWS\System32\svchost.exe[3008] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CC003D
.text C:\WINDOWS\System32\svchost.exe[3008] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CC002C
.text C:\WINDOWS\System32\svchost.exe[3008] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CC0FC6
.text C:\WINDOWS\System32\svchost.exe[3008] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CC0FE3
.text C:\WINDOWS\System32\svchost.exe[3008] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CC0011
.text C:\WINDOWS\System32\svchost.exe[3008] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CC0000
.text C:\WINDOWS\system32\SearchIndexer.exe[3392] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\system32\wuauclt.exe[3952] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 027D0000
.text C:\WINDOWS\system32\wuauclt.exe[3952] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 027D0F80
.text C:\WINDOWS\system32\wuauclt.exe[3952] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 027D007F
.text C:\WINDOWS\system32\wuauclt.exe[3952] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 027D0FA5
.text C:\WINDOWS\system32\wuauclt.exe[3952] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 027D0FB6
.text C:\WINDOWS\system32\wuauclt.exe[3952] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 027D0051
.text C:\WINDOWS\system32\wuauclt.exe[3952] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 027D0F52
.text C:\WINDOWS\system32\wuauclt.exe[3952] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 027D0F6F
.text C:\WINDOWS\system32\wuauclt.exe[3952] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 027D0F2D
.text C:\WINDOWS\system32\wuauclt.exe[3952] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 027D00C6
.text C:\WINDOWS\system32\wuauclt.exe[3952] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 027D00E1
.text C:\WINDOWS\system32\wuauclt.exe[3952] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 027D0062
.text C:\WINDOWS\system32\wuauclt.exe[3952] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 027D001B
.text C:\WINDOWS\system32\wuauclt.exe[3952] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 027D009A
.text C:\WINDOWS\system32\wuauclt.exe[3952] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 027D0036
.text C:\WINDOWS\system32\wuauclt.exe[3952] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 027D0FE5
.text C:\WINDOWS\system32\wuauclt.exe[3952] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 027D00AB
.text C:\WINDOWS\system32\wuauclt.exe[3952] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 027B0042
.text C:\WINDOWS\system32\wuauclt.exe[3952] msvcrt.dll!system 77C293C7 5 Bytes JMP 027B0FB7
.text C:\WINDOWS\system32\wuauclt.exe[3952] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 027B0FE3
.text C:\WINDOWS\system32\wuauclt.exe[3952] msvcrt.dll!_open 77C2F566 5 Bytes JMP 027B0000
.text C:\WINDOWS\system32\wuauclt.exe[3952] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 027B0FD2
.text C:\WINDOWS\system32\wuauclt.exe[3952] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 027B001D
.text C:\WINDOWS\system32\wuauclt.exe[3952] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 027C0033
.text C:\WINDOWS\system32\wuauclt.exe[3952] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 027C0F94
.text C:\WINDOWS\system32\wuauclt.exe[3952] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 027C0022
.text C:\WINDOWS\system32\wuauclt.exe[3952] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 027C0011
.text C:\WINDOWS\system32\wuauclt.exe[3952] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 027C0FA5
.text C:\WINDOWS\system32\wuauclt.exe[3952] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 027C0000
.text C:\WINDOWS\system32\wuauclt.exe[3952] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 027C0FB6
.text C:\WINDOWS\system32\wuauclt.exe[3952] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [9C, 8A]
.text C:\WINDOWS\system32\wuauclt.exe[3952] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 027C0FC7
.text C:\WINDOWS\system32\wuauclt.exe[3952] WS2_32.dll!socket 71AB4211 5 Bytes JMP 027A0FEF
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
Device \Driver\atapi \Device\Ide\IdePort0 [F7484B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort1 [F7484B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [F7484B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [F7484B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 [F7484B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 [F7484B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
--------------------Combofix Log---------------------------------
ComboFix 10-05-19.02 - bryan 05/19/2010 19:27:22.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.2053 [GMT -7:00]
Running from: c:\documents and settings\bryan\Desktop\zzz.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\bryan\Application Data\iniasd.txt
c:\documents and settings\bryan\Application Data\MBSCGPlugin2509.dll
c:\documents and settings\bryan\Application Data\MBSIconPlugin2510.dll
c:\documents and settings\bryan\Application Data\MBSMainPlugin2510.dll
c:\documents and settings\bryan\Application Data\MBSPicturePlugin2510.dll
c:\documents and settings\bryan\Application Data\MBSRegistrationPlugin2455.dll
c:\documents and settings\bryan\Application Data\MBSWindowPlugin2510.dll
c:\documents and settings\bryan\Application Data\MBSWinPlugin2510.dll
c:\windows\system32\system
c:\windows\system32\system\msxml4.dll
c:\windows\system32\system\msxml4r.dll
c:\windows\Tasks.\sypcsnzi.job
c:\windows\Tasks.\sypcsnzi.job . . . . failed to delete
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_IAS
-------\Legacy_ICF
-------\Legacy_IPRIP
-------\Service_Ias
((((((((((((((((((((((((( Files Created from 2010-04-20 to 2010-05-20 )))))))))))))))))))))))))))))))
.
2010-05-15 02:04 . 2010-05-15 02:04 -------- d-----w- c:\program files\iPod
2010-05-15 02:03 . 2010-05-15 02:05 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-15 01:54 . 2010-05-15 01:54 -------- d-----w- c:\program files\Bonjour
2010-05-14 05:28 . 2010-05-14 05:28 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-05-14 05:27 . 2010-05-14 05:23 754984 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-05-14 05:27 . 2010-05-14 05:22 1180952 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-05-14 05:27 . 2007-05-20 22:38 70602 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivX7\DivX Web Player\DivXWebPlayerUninstall.exe
2010-05-14 05:27 . 2010-05-14 05:27 56766 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-05-14 05:27 . 2010-05-14 05:27 56978 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-05-14 05:27 . 2010-05-14 05:27 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-05-14 05:27 . 2010-05-14 05:27 57679 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe
2010-05-14 05:25 . 2010-05-14 05:25 54629 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TranscodeEngine\Uninstaller.exe
2010-05-14 05:25 . 2010-05-14 05:25 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe
2010-05-14 05:25 . 2010-05-14 05:25 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
2010-05-14 05:25 . 2010-05-14 05:25 52963 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-05-14 05:25 . 2010-05-14 05:25 54073 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe
2010-05-14 05:25 . 2010-05-14 05:25 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-05-14 05:25 . 2010-05-14 05:25 56969 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe
2010-05-14 05:23 . 2010-05-14 05:23 144696 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-05-14 05:23 . 2010-05-14 05:27 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-05-14 04:18 . 2010-05-14 04:18 388096 ----a-r- c:\documents and settings\bryan\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-13 05:11 . 2010-05-13 05:11 96512 ----a-w- c:\windows\system32\drivers\whnivetk.sys
2010-05-11 05:16 . 2010-05-11 05:16 256 ----a-w- c:\windows\system32\pool.bin
2010-05-11 05:16 . 2010-05-11 05:16 -------- d-----w- c:\documents and settings\bryan\Application Data\Research In Motion
2010-05-11 05:15 . 2010-05-11 05:15 -------- d-----w- c:\program files\Research In Motion
2010-05-11 05:15 . 2009-01-09 23:18 27136 ----a-r- c:\windows\system32\drivers\RimSerial.sys
2010-05-11 05:14 . 2010-05-11 05:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2010-05-11 05:14 . 2010-05-11 05:14 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-05-11 05:13 . 2010-05-11 05:14 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-05-05 05:53 . 2010-05-05 05:53 503808 ------w- c:\documents and settings\bryan\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6090b25d-n\msvcp71.dll
2010-05-05 05:53 . 2010-05-05 05:53 499712 ------w- c:\documents and settings\bryan\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6090b25d-n\jmc.dll
2010-05-05 05:53 . 2010-05-05 05:53 348160 ------w- c:\documents and settings\bryan\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6090b25d-n\msvcr71.dll
2010-05-05 05:53 . 2010-05-05 05:53 61440 ------w- c:\documents and settings\bryan\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-32164bef-n\decora-sse.dll
2010-05-05 05:53 . 2010-05-05 05:53 12800 ------w- c:\documents and settings\bryan\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-32164bef-n\decora-d3d.dll
2010-05-05 05:52 . 2010-05-05 05:52 -------- d-----w- c:\program files\Common Files\Java
2010-05-05 05:52 . 2010-04-13 00:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-05 05:41 . 2010-05-05 05:41 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-05-05 05:40 . 2010-05-05 05:40 86016 ------w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-05-05 05:39 . 2010-05-14 05:37 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-05-01 18:39 . 2010-05-01 18:39 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2010-05-01 14:42 . 2010-05-01 14:42 96512 ----a-w- c:\windows\system32\drivers\djznojba.sys
2010-05-01 08:16 . 2010-05-13 05:11 -------- d-----w- c:\windows\system32\MpEngineStore
2010-04-30 07:01 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-04-28 22:45 . 2010-04-28 22:45 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-20 02:39 . 2003-10-15 07:22 24 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-00000009-00001102-00000002-80611102}.dat
2010-05-20 02:39 . 2003-10-15 07:22 24 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-00000009-00001102-00000002-80611102}.dat
2010-05-19 06:15 . 2005-04-26 23:40 -------- d-----w- c:\program files\DAP
2010-05-19 06:08 . 2008-05-23 05:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-05-15 02:53 . 2004-05-03 17:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-05-15 02:04 . 2007-07-24 03:37 -------- d-----w- c:\program files\Common Files\Apple
2010-05-14 05:27 . 2007-05-20 22:38 -------- d-----w- c:\program files\DivX
2010-05-14 05:26 . 2010-05-14 05:26 -------- d-----w- c:\documents and settings\bryan\Application Data\DivX
2010-05-14 05:26 . 2010-05-14 05:26 84040 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe
2010-05-14 05:26 . 2010-05-14 05:26 57054 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe
2010-05-14 05:26 . 2010-05-14 05:26 54166 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe
2010-05-14 05:26 . 2010-05-14 05:26 57532 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe
2010-05-14 05:26 . 2010-05-14 05:26 56458 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXDecoderShortcut\Uninstaller.exe
2010-05-14 05:26 . 2010-05-14 05:26 54174 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAACDecoder\Uninstaller.exe
2010-05-14 05:26 . 2010-05-14 05:26 54153 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe
2010-03-31 01:58 . 2004-09-07 17:33 44944 ----a-w- c:\windows\system32\drivers\PxHelp20.sys
2010-03-10 06:15 . 2003-10-08 03:39 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 17:59 . 2010-03-08 17:59 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-02-25 06:24 . 2004-02-07 01:05 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2001-08-23 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-20 02:01 . 2009-10-31 20:27 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-19 19:27 . 2010-02-19 19:27 720384 ----a-w- c:\windows\system32\DivX.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2010-02-19 19:27 . 2010-02-19 19:27 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2010-02-19 19:27 . 2010-02-19 19:27 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2010-02-19 19:27 . 2010-02-19 19:27 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-10-10 06:53 . 2009-10-10 06:53 17810 ------w- c:\program files\Common Files\mimo.dat
2009-10-10 06:53 . 2009-10-10 06:53 14813 ------w- c:\program files\Common Files\exyga.inf
2009-10-10 06:53 . 2009-10-10 06:53 13187 ------w- c:\program files\Common Files\qatutec.vbs
.
------- Sigcheck -------
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . D9F19E78F98834CB411D6AD3C68D181A . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"AcctMgr"="c:\program files\Norton Password Manager\AcctMgr.exe" [2004-08-18 586896]
"USIUDF_Eject_Monitor"="c:\program files\Common Files\Ulead Systems\DVD\USISrv.exe" [2004-05-28 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-04-01 5562368]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-01-14 892928]
"Tweak UI"="TWEAKUI.CPL" [2000-06-18 106544]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-03 24576]
"nwiz"="nwiz.exe" [2005-04-01 1495040]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-04-01 86016]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]
"QuickTime Task"="e:\program files cont\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="e:\program files cont\iTunes\iTunesHelper.exe" [2010-04-28 142120]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-10-13 110592]
Mozilla Firefox.lnk - e:\mozilla firefox\firefox.exe [2006-10-25 910296]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DAP\\DAP.exe"=
"c:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Program Files Cont\\limewire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcods.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcsysmon.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsmap.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files Cont\\iTunes\\iTunes.exe"=
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [02/10/2010 12:19 AM 93320]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [01/10/2007 9:09 PM 24652]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 lkbdhlpr;Logitech Keyboard Class Helper Driver;c:\windows\system32\Drivers\lkbdhlpr.sys --> c:\windows\system32\Drivers\lkbdhlpr.sys [?]
S3 LinksysFVNETusbl(AR)(R);Linksys FVNETusbl(AR)(R) Service for Instant Wireless USB Network Adapter ver.2.6;c:\windows\system32\drivers\vnetusbl.sys [03/09/2004 7:48 PM 108032]
S3 Ndisusb;GeneLink Network Driver;c:\windows\system32\drivers\genelan.sys [01/31/2010 4:44 PM 11328]
S3 Usblink;Usblink Driver;c:\windows\system32\Drivers\ulink.sys --> c:\windows\system32\Drivers\ulink.sys [?]
S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;c:\windows\system32\drivers\netusbxp.sys [07/15/2004 4:41 PM 72704]
S3 VNic;ULan Network Driver Module;c:\windows\system32\DRIVERS\VNic.sys --> c:\windows\system32\DRIVERS\VNic.sys [?]
.
Contents of the 'Scheduled Tasks' folder
2010-05-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-02-10 20:22]
2010-02-10 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-02-10 20:22]
2010-05-20 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 22:07]
2010-05-18 c:\windows\Tasks\Symantec Drmc.job
- c:\program files\Common Files\Symantec Shared\SymDrmc.exe [2003-09-10 12:48]
2010-05-20 c:\windows\Tasks\User_Feed_Synchronization-{E2DF7562-F9E4-4797-8CB5-B316E653DAE4}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sbc.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\bryan\Application Data\Mozilla\Firefox\Profiles\29hul15v.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - component: c:\documents and settings\bryan\Application Data\Mozilla\Firefox\Profiles\29hul15v.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: e:\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: e:\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: e:\program files cont\Adobe\Reader\browser\nppdf32.dll
FF - plugin: e:\program files cont\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: e:\program files cont\Picasa3\npPicasa3.dll
FF - plugin: e:\program files cont\QuickTime\Plugins\npqtplugin.dll
FF - plugin: e:\program files cont\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: e:\program files cont\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: e:\program files cont\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: e:\program files cont\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: e:\program files cont\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: e:\program files cont\QuickTime\Plugins\npqtplugin7.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
e:\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
e:\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
e:\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
e:\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
e:\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
e:\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
e:\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
e:\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
e:\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
e:\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-Advanced SystemCare 3 - e:\program files cont\IObit\Advanced SystemCare 3\AWC.exe
MSConfigStartUp-IObit Security 360 - e:\program files cont\IObit\IObit Security 360\IS360tray.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-19 19:47
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x8AB948C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
\Driver\ACPI -> ACPI.sys @ 0xf758fcb8
\Driver\atapi -> atapi.sys @ 0xf7484b3a
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(1600)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\program files\Logitech\iTouch\iTchHk.dll
c:\windows\system32\nvwddi.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\system32\nvsvc32.exe
c:\windows\System32\HPZipm12.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\rundll32.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-05-19 19:52:54 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-20 02:52
Pre-Run: 4,396,724,224 bytes free
Post-Run: 4,262,096,896 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
- - End Of File - - A97917799DA3A6751F783465231CD4AB