
#1
April 27th, 2012, 01:33 AM
speedracer
Senior Member
Join Date: Feb 2003
O/S: Windows XP Pro
Location: Charlotte, NC
Age: 44
Posts: 193
Feeling Bugged

My computer started running a little slow a few days ago. Last night my desktop theme had been changed and my Outlook settings have been changed. I've had problems connecting to the internet and now my PC is very slow. I've run Malwarebytes in Safe Mode without finding anything.


#2
April 27th, 2012, 10:46 PM
Jintan
Malware Removal Team Advisor
Join Date: Dec 2004
Posts: 50,144
Hello speedracer,

Let's take a look.

If the system is Vista/Windows7, when running any of the scan files we use, be sure to right click the file, then select "Run as administrator" to start the scan/tool.

And to make sure you have an accurate view of files there, make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types".


To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs. Here are some antivirus disable tips if needed.

-------

Click here and download OldTimer's OTL to your desktop, then click that to open the scan display. At the top click "Scan All Users", then click "Run Scan". Make no other changes at this time.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are also saved in the same location as OTL.exe. Post the contents of those back here please.

-----------

Click here and download the installer for Gmer to your desktop, then click that file to run Gmer.


Once the opening scan finishes, click on Scan (again, before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan).

When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.

-----------

Download aswMBR (511KB) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • If you can, have an open Internet connection and allow it to download the latest Avast engine detections.
  • If avast! antivirus is already installed, just do the next step.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


A lot, but comprehensive, and will make sure we get a good view of everything.
#3
April 28th, 2012, 02:44 AM
speedracer
Senior Member
Join Date: Feb 2003
O/S: Windows XP Pro
Location: Charlotte, NC
Age: 44
Posts: 193
Many thanks for your help Jintan!

Here are the OTL logs:

OTL logfile created on: 4/27/2012 8:19:01 PM - Run 1
OTL by OldTimer - Version 3.2.42.1 Folder = C:\Users\Dad\Downloads
Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.94 Gb Total Physical Memory | 1.38 Gb Available Physical Memory | 46.92% Memory free
6.09 Gb Paging File | 4.41 Gb Available in Paging File | 72.54% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 222.79 Gb Total Space | 40.99 Gb Free Space | 18.40% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 0.00 Gb Free Space | 0.05% Space Free | Partition Type: NTFS

Computer Name: SPEEDRACER531 | User Name: Dad | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/04/27 20:13:53 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Dad\Downloads\OTL.exe
PRC - [2012/03/23 15:09:38 | 014,749,544 | ---- | M] (GARMIN Corp.) -- C:\Program Files\Garmin\ANT Agent\ANT Agent.exe
PRC - [2012/03/22 20:14:48 | 000,924,600 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2012/03/21 21:17:10 | 000,795,600 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcupdate.exe
PRC - [2012/03/21 21:16:10 | 001,318,816 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2012/03/20 13:11:32 | 000,151,880 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\mfevtps.exe
PRC - [2012/03/20 13:05:00 | 000,161,632 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
PRC - [2012/03/20 13:04:32 | 000,166,288 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
PRC - [2012/02/23 12:30:40 | 000,059,240 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Internet Services\ubd.exe
PRC - [2012/01/03 09:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2011/08/10 11:53:46 | 000,094,880 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2011/03/15 15:44:30 | 000,428,384 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe
PRC - [2011/03/15 15:44:28 | 000,650,080 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe
PRC - [2011/01/27 19:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
PRC - [2010/12/16 00:46:06 | 000,151,056 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\Core\mchost.exe
PRC - [2010/12/14 10:49:23 | 001,169,408 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sdclt.exe
PRC - [2009/04/11 02:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/08/13 15:34:08 | 001,891,416 | ---- | M] (GARMIN Corp.) -- C:\Program Files\Garmin\Training Center\gStart.exe
PRC - [2008/01/17 07:22:20 | 004,907,008 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2007/12/05 06:17:24 | 000,077,824 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\AERTSrv.exe
PRC - [2007/10/18 21:10:42 | 000,479,232 | ---- | M] (Nikon Corporation) -- C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
PRC - [2005/09/12 17:00:40 | 000,266,240 | ---- | M] (Philips) -- C:\Windows\System32\drivers\Tray900.exe
PRC - [2005/09/12 17:00:24 | 000,155,648 | ---- | M] (Philips) -- C:\Windows\System32\drivers\Phibtn.exe


========== Modules (No Company Name) ==========

MOD - [2012/04/14 12:46:07 | 008,797,344 | ---- | M] () -- C:\Windows\System32\Macromed\Flash\NPSWF32_11_2_202_233.dll
MOD - [2012/03/22 20:14:46 | 001,969,080 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2011/09/27 07:23:00 | 000,087,912 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/09/27 07:22:40 | 001,242,472 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll


========== Win32 Services (SafeList) ==========

SRV - [2012/04/14 12:46:08 | 000,253,088 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/03/22 19:29:08 | 000,361,976 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2012/03/20 13:11:32 | 000,151,880 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Windows\System32\mfevtps.exe -- (mfevtp)
SRV - [2012/03/20 13:05:00 | 000,161,632 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe -- (mfefire)
SRV - [2012/03/20 13:04:32 | 000,166,288 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2012/01/03 09:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011/08/10 11:53:46 | 000,094,880 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2011/03/15 15:44:30 | 000,428,384 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe -- (PMBDeviceInfoProvider)
SRV - [2011/01/27 19:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (MSK80Service)
SRV - [2011/01/27 19:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2011/01/27 19:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2011/01/27 19:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2011/01/27 19:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2011/01/27 19:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV - [2008/01/19 03:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/12/05 06:17:24 | 000,077,824 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\AERTSrv.exe -- (AERTFilters)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (mfeavfk01)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys -- (Lavasoft Kernexplorer)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\blbdrive.sys -- (blbdrive)
DRV - [2012/02/22 13:29:46 | 000,464,304 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2012/02/22 13:29:46 | 000,340,920 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2012/02/22 13:29:46 | 000,180,848 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2012/02/22 13:29:46 | 000,169,608 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfewfpk.sys -- (mfewfpk)
DRV - [2012/02/22 13:29:46 | 000,121,544 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2012/02/22 13:29:46 | 000,087,656 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2012/02/22 13:29:46 | 000,064,912 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfenlfk.sys -- (mfenlfk)
DRV - [2012/02/22 13:29:46 | 000,059,456 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2012/02/22 13:29:46 | 000,057,600 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\cfwids.sys -- (cfwids)
DRV - [2010/08/12 13:07:50 | 000,292,712 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVNET)
DRV - [2010/08/12 13:07:50 | 000,292,712 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
DRV - [2009/07/14 19:54:00 | 009,557,216 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2007/09/06 20:53:00 | 000,014,848 | ---- | M] (Silicon Laboratories) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\DSI_SiUSBXp_3_1.sys -- (DSI_SiUSBXp_3_1)
DRV - [2007/08/09 18:12:30 | 000,110,624 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\nvstor32.sys -- (nvstor32)
DRV - [2007/04/23 14:44:10 | 001,347,584 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\camdrv41.sys -- (camdrv41)
DRV - [2006/11/02 03:41:53 | 000,251,904 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\VSTBS23.SYS -- (VSTHWBS2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



IE - HKU\S-1-5-21-3854999024-166210282-1493934176-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/?pc=Z133&ocid=zdh..._date=20111231
IE - HKU\S-1-5-21-3854999024-166210282-1493934176-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-3854999024-166210282-1493934176-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-3854999024-166210282-1493934176-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = CE 1B D5 D7 57 52 CA 01 [binary data]
IE - HKU\S-1-5-21-3854999024-166210282-1493934176-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = about:blank
IE - HKU\S-1-5-21-3854999024-166210282-1493934176-1000\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKU\S-1-5-21-3854999024-166210282-1493934176-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-3854999024-166210282-1493934176-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-3854999024-166210282-1493934176-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3854999024-166210282-1493934176-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-21-3854999024-166210282-1493934176-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-3854999024-166210282-1493934176-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-3854999024-166210282-1493934176-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 80 E6 37 B7 28 1C CD 01 [binary data]
IE - HKU\S-1-5-21-3854999024-166210282-1493934176-1001\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKU\S-1-5-21-3854999024-166210282-1493934176-1001\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-3854999024-166210282-1493934176-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-3854999024-166210282-1493934176-1001\..\SearchScopes\{87F926E4-71A8-4938-9BA2-04940FF050EA}: "URL" = http://search.yahoo.com/search?fr=mcafee&p={SearchTerms}
IE - HKU\S-1-5-21-3854999024-166210282-1493934176-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3854999024-166210282-1493934176-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Secure Search"
FF - prefs.js..browser.search.selectedEngine: "Bing"
FF - prefs.js..browser.startup.homepage: "about:home"
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.3.1
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:5.0.0.6906
FF - prefs.js..extensions.enabledItems: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E}:2.9.3
FF - prefs.js..keyword.URL: "http://www.bing.com/search?pc=Z133&form=ZGAADF&install_date=20111231&q="
FF - prefs.js..network.proxy.no_proxies_on: "*.local"
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_2_202_233.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@mcafee.com/MSC,version=10: c:\progra~1\mcafee\msc\npmcsn~1.dll ()
FF - HKLM\Software\MozillaPlugins\@mcafee.com/SAFFPlugin: C:\Program Files\McAfee\SiteAdvisor\npmcffplg32.dll (McAfee, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@virtools.com/3DviaPlayer: C:\Program Files\Virtools\3D Life Player\npvirtools.dll (Dassault Systèmes)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2 [2010/09/22 21:44:35 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{4ED1F68A-5463-4931-9384-8FFF5ED91D92}: C:\Program Files\McAfee\SiteAdvisor [2011/11/10 16:05:31 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{D19CA586-DD6C-4a0a-96F8-14644F340D60}: C:\Program Files\Common Files\McAfee\SystemCore [2012/04/26 06:55:00 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/03/22 20:14:49 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/04/12 19:42:58 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2 [2010/09/22 21:44:35 | 000,000,000 | ---D | M]

[2010/01/18 17:31:27 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Dad\AppData\Roaming\Mozilla\Extensions
[2012/04/26 20:07:24 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\zwrf95hd.default\extensions
[2011/08/27 17:29:59 | 000,000,000 | ---D | M] (Garmin Communicator) -- C:\Users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\zwrf95hd.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
[2010/04/29 09:55:21 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\zwrf95hd.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/12/31 17:41:12 | 000,001,945 | ---- | M] () -- C:\Users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\zwrf95hd.default\searchplugins\bing-zugo.xml
[2011/05/30 10:52:50 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/11/20 14:16:55 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2012/04/26 06:55:00 | 000,000,000 | ---D | M] (McAfee ScriptScan for Firefox) -- C:\PROGRAM FILES\COMMON FILES\MCAFEE\SYSTEMCORE
[2011/11/10 16:05:31 | 000,000,000 | ---D | M] (McAfee SiteAdvisor) -- C:\PROGRAM FILES\MCAFEE\SITEADVISOR
[2012/03/22 20:14:49 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/04/14 14:01:38 | 000,024,376 | ---- | M] (McAfee, Inc.) -- C:\Program Files\mozilla firefox\components\Scriptff.dll
[2012/02/10 22:04:13 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/10/01 21:44:16 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml.old
[2012/02/10 22:04:13 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}
CHR - Extension: SiteAdvisor = C:\Users\Dad\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho\3.31.137.7_0\

O1 HOSTS File: ([2006/09/18 17:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll File not found
O2 - BHO: (Somoto Toolbar) - {652853ad-5592-4231-88c6-706613a52e61} - C:\Program Files\somototoolbar\vmntemplateX.dll File not found
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20120424161059.dll (McAfee, Inc.)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Somoto Toolbar) - {652853ad-5592-4231-88c6-706613a52e61} - C:\Program Files\somototoolbar\vmntemplateX.dll File not found
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [Nikon Message Center 2] C:\Program Files\Nikon\Nikon Message Center 2\NkMC2.exe (Nikon Corporation)
O4 - HKLM..\Run: [PhiBtn] C:\Windows\System32\drivers\Phibtn.exe (Philips)
O4 - HKLM..\Run: [PMBVolumeWatcher] C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe (Sony Corporation)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [TrayMin900] C:\Windows\System32\drivers\Tray900.exe (Philips)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-3854999024-166210282-1493934176-1000..\Run: [ANT Agent] C:\Program Files\Garmin\ANT Agent\ANT Agent.exe (GARMIN Corp.)
O4 - HKU\S-1-5-21-3854999024-166210282-1493934176-1000..\Run: [gStart] C:\Program Files\Garmin\Training Center\gStart.exe (GARMIN Corp.)
O4 - HKU\S-1-5-21-3854999024-166210282-1493934176-1000..\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe (Apple Inc.)
O4 - HKU\S-1-5-21-3854999024-166210282-1493934176-1001..\Run: [ANT Agent] C:\Program Files\Garmin\ANT Agent\ANT Agent.exe (GARMIN Corp.)
O4 - HKU\S-1-5-21-3854999024-166210282-1493934176-1001..\Run: [gStart] C:\Program Files\Garmin\Training Center\gStart.exe (GARMIN Corp.)
O4 - HKU\S-1-5-21-3854999024-166210282-1493934176-1001..\Run: [SmileboxTray] C:\Users\Mom\AppData\Roaming\Smilebox\SmileboxTray.exe (Smilebox, Inc.)
O4 - Startup: C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe (Nikon Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{31389622-6E59-4984-AA20-A2E47F977B99}: DhcpNameServer = 209.18.47.61 209.18.47.62
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Filter\application/x-mfe-ipt {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Mom\Pictures\John Thomas\John Thomas Soccer 9-2010\DSC_0337.JPG
O24 - Desktop BackupWallPaper: C:\Users\Mom\Pictures\John Thomas\John Thomas Soccer 9-2010\DSC_0337.JPG
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{fedddb6b-8cf0-11df-a459-001aa051367f}\Shell\AutoRun\command - "" = wscript.exe \SMRTNTKY\script.js
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/04/26 20:09:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
[2012/04/12 20:49:08 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2012/04/12 20:49:07 | 001,799,168 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2012/04/12 20:49:06 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2012/04/12 20:49:05 | 001,427,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2012/04/12 20:49:05 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2012/04/12 20:49:05 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2012/04/12 20:47:25 | 003,602,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2012/04/12 20:47:25 | 003,550,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2012/04/03 19:11:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2012/04/03 19:10:21 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2012/04/02 19:32:37 | 000,418,464 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe

========== Files - Modified Within 30 Days ==========

[2012/04/27 20:10:30 | 000,000,880 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/04/27 20:10:29 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/04/27 20:10:27 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/04/27 13:15:39 | 000,000,876 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/04/26 20:49:32 | 000,003,680 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/04/26 20:49:32 | 000,003,680 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/04/26 20:09:02 | 000,001,737 | ---- | M] () -- C:\Users\Public\Desktop\McAfee Internet Security.lnk
[2012/04/26 06:49:31 | 000,371,832 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/04/24 16:03:11 | 000,000,370 | ---- | M] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job
[2012/04/21 13:45:32 | 000,000,908 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/04/21 09:51:31 | 000,604,264 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/04/21 09:51:31 | 000,103,964 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/04/14 12:46:08 | 000,418,464 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2012/04/14 12:46:08 | 000,070,304 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2012/04/14 07:04:06 | 000,001,973 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2012/04/11 11:24:26 | 000,000,020 | -H-- | M] () -- C:\ProgramData\PKP_DLdu.DAT
[2012/04/06 21:06:52 | 000,030,720 | ---- | M] () -- C:\Users\Dad\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/04/04 15:56:40 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012/04/03 19:11:55 | 000,001,666 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk

========== Files Created - No Company Name ==========

[2012/04/03 19:11:55 | 000,001,666 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2012/04/02 19:32:38 | 000,000,830 | ---- | C] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/02/01 17:36:40 | 000,000,680 | ---- | C] () -- C:\Users\Dad\AppData\Local\d3d9caps.dat
[2012/01/01 09:27:53 | 000,000,000 | ---- | C] () -- C:\ProgramData\Documentation
[2011/12/29 11:53:50 | 000,000,268 | RH-- | C] () -- C:\ProgramData\Filters
[2011/12/29 11:53:50 | 000,000,268 | RH-- | C] () -- C:\Users\Dad\AppData\Roaming\External Build System
[2011/12/29 11:53:50 | 000,000,020 | -H-- | C] () -- C:\ProgramData\PKP_DLes.DAT
[2011/12/29 11:53:50 | 000,000,012 | RH-- | C] () -- C:\ProgramData\Galaxy Swirl
[2011/12/29 11:52:12 | 000,000,268 | RH-- | C] () -- C:\ProgramData\Flags
[2011/12/29 11:52:12 | 000,000,268 | RH-- | C] () -- C:\Users\Dad\AppData\Roaming\File Templates
[2011/12/29 11:52:12 | 000,000,012 | RH-- | C] () -- C:\ProgramData\Generic
[2011/12/29 11:52:11 | 000,000,268 | RH-- | C] () -- C:\ProgramData\Filter
[2011/12/29 11:52:11 | 000,000,268 | RH-- | C] () -- C:\Users\Dad\AppData\Roaming\Extensions
[2011/12/29 11:52:11 | 000,000,020 | -H-- | C] () -- C:\ProgramData\PKP_DLev.DAT
[2011/12/29 11:52:11 | 000,000,020 | -H-- | C] () -- C:\ProgramData\PKP_DLet.DAT
[2011/12/29 11:52:11 | 000,000,012 | RH-- | C] () -- C:\ProgramData\Funk Animals
[2011/08/13 05:43:02 | 000,283,489 | ---- | C] () -- C:\Users\Dad\AppData\Local\census.cache
[2011/08/13 05:42:15 | 000,170,674 | ---- | C] () -- C:\Users\Dad\AppData\Local\ars.cache
[2010/09/28 19:41:03 | 000,077,374 | ---- | C] () -- C:\Windows\hpqins05.dat
[2010/09/22 21:26:35 | 000,186,577 | ---- | C] () -- C:\Windows\hpwins23.dat
[2010/08/12 19:57:14 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2010/07/16 09:05:00 | 000,004,096 | -H-- | C] () -- C:\Users\Dad\AppData\Local\keyfile3.drm

< End of report >
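An added example, not part of speedracer's post and not OTL's own code, that parses the OTL file-list lines above into structured records and pulls out a reviewer's shortlist: entries in user-writable locations (ProgramData, user profiles, Windows\Temp) that carry the hidden or system attribute. It assumes OTL's four-character attribute field is ordered read-only, hidden, system, directory, which fits the `--S-`, `-H--` and `RH--` values in the log; the sample text is copied from the log. The shortlist is a pre-filter for a human reader, not a verdict: hidden files under ProgramData are common for legitimate licensing and printer software.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# One OTL file-list line, e.g.
# [2012/04/11 11:24:26 | 000,000,020 | -H-- | M] () -- C:\ProgramData\PKP_DLdu.DAT
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| "
    r"(?P<kind>[MC])\] "
    r"\((?P<company>[^)]*)\) -- "
    r"(?P<path>.+?)\s*$"
)

# Assumption: the attribute field is ordered R(ead-only) H(idden) S(ystem) D(irectory),
# consistent with the "--S-", "-H--" and "RH--" values seen in the log.
ATTR_ORDER = "RHSD"

# Locations an unprivileged user (or malware running as one) can write to.
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")


@dataclass
class OtlEntry:
    timestamp: datetime
    size: int
    readonly: bool
    hidden: bool
    system: bool
    directory: bool
    kind: str                 # 'M' = modified within the window, 'C' = created
    company: Optional[str]    # None when OTL printed "()" (no version-info company)
    path: str


def parse_otl_line(line: str) -> Optional[OtlEntry]:
    """Parse one file-list line; return None for anything else (headers, blanks)."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    attrs = m.group("attrs")
    flags = [attrs[i] == ATTR_ORDER[i] for i in range(4)]
    return OtlEntry(
        timestamp=datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
        size=int(m.group("size").replace(",", "")),
        readonly=flags[0],
        hidden=flags[1],
        system=flags[2],
        directory=flags[3],
        kind=m.group("kind"),
        company=m.group("company") or None,
        path=m.group("path"),
    )


def triage(lines) -> List[OtlEntry]:
    """Shortlist entries in user-writable locations that carry the hidden or
    system attribute, newest first. A pre-filter for a reviewer, not a verdict."""
    hits = []
    for line in lines:
        entry = parse_otl_line(line)
        if entry is None:
            continue
        in_user_area = entry.path.lower().startswith(USER_WRITABLE)
        if in_user_area and (entry.hidden or entry.system):
            hits.append(entry)
    return sorted(hits, key=lambda e: e.timestamp, reverse=True)


# Sample input: lines copied from the OTL log above.
SAMPLE = r"""
[2012/04/27 20:10:29 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/04/27 20:10:27 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/04/14 12:46:08 | 000,418,464 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2012/04/11 11:24:26 | 000,000,020 | -H-- | M] () -- C:\ProgramData\PKP_DLdu.DAT
[2011/12/29 11:53:50 | 000,000,268 | RH-- | C] () -- C:\ProgramData\Filters
[2010/07/16 09:05:00 | 000,004,096 | -H-- | C] () -- C:\Users\Dad\AppData\Local\keyfile3.drm
< End of report >
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE.splitlines()):
        print(hit.timestamp, "hidden" if hit.hidden else "system", hit.path)
```

On the sample, bootstat.dat is skipped even though it has the system attribute, because C:\Windows is not a user-writable location; the three hidden ProgramData/AppData entries are what a reviewer is asked to look at.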
  #4  
Old April 28th, 2012, 02:45 AM
speedracer
Senior Member
 
Join Date: Feb 2003
O/S: Windows XP Pro
Location: Charlotte, NC
Age: 44
Posts: 193
Here's the Extras log:

OTL Extras logfile created on: 4/27/2012 8:19:01 PM - Run 1
OTL by OldTimer - Version 3.2.42.1 Folder = C:\Users\Dad\Downloads
Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.94 Gb Total Physical Memory | 1.38 Gb Available Physical Memory | 46.92% Memory free
6.09 Gb Paging File | 4.41 Gb Available in Paging File | 72.54% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 222.79 Gb Total Space | 40.99 Gb Free Space | 18.40% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 0.00 Gb Free Space | 0.05% Space Free | Partition Type: NTFS

Computer Name: SPEEDRACER531 | User Name: Dad | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-3854999024-166210282-1493934176-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_USERS\S-1-5-21-3854999024-166210282-1493934176-1001\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{37913B38-FD46-4628-8666-8515758A6ED4}" = lport=139 | protocol=6 | dir=in | app=system |
"{3B40AE85-CA86-4E97-8130-B77F18DABB74}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |
"{6012D214-1E1E-40EE-8E2E-A8A0419E3B2F}" = rport=137 | protocol=17 | dir=out | app=system |
"{6719E16F-13B4-4747-9B36-5DE50C370EF3}" = lport=137 | protocol=17 | dir=in | app=system |
"{6BA4879E-10A7-467D-9574-81C4E24871FD}" = lport=445 | protocol=6 | dir=in | app=system |
"{7BF8B991-7232-4132-BD0D-99F0974C15E4}" = rport=138 | protocol=17 | dir=out | app=system |
"{88C917FE-717C-4662-B6C6-9E5F8F4AA983}" = lport=138 | protocol=17 | dir=in | app=system |
"{9AECCF52-C14A-4E6B-B5ED-20068E104B54}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{A1D7D9FB-0B85-4FB6-9250-CA441DF129B6}" = rport=139 | protocol=6 | dir=out | app=system |
"{ACECFA9F-207E-4AF2-B728-54687DCBF095}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{AEE39355-D447-4DCB-875F-6F0004E04B05}" = rport=445 | protocol=6 | dir=out | app=system |
"{DC7F59C0-E999-453B-8F2B-2E6A0C977609}" = rport=427 | protocol=17 | dir=in | svc=hpslpsvc | app=c:\windows\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{01CFC115-7A5C-4EDA-A5E2-DF11F037AD18}" = protocol=17 | dir=in | app=c:\windows\system32\pnkbstrb.exe |
"{0DBD69BD-A451-49F4-9265-529B2D361BC8}" = dir=in | app=c:\program files\hp\digital imaging\bin\hposid01.exe |
"{172C2BBF-95B7-476F-95D6-C69A1BB2A955}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{1E78913B-5BFC-4990-8CFA-F176AEF0CB1A}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqkygrp.exe |
"{2214198E-2554-4009-8E6C-DDE3268282C3}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{36AEC1E5-D141-4AAC-8060-CFA0967E20D0}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqtra08.exe |
"{46921EC7-1563-4414-9520-422AB5AADEA3}" = protocol=17 | dir=in | app=c:\windows\system32\pnkbstra.exe |
"{535557E9-7DD7-41CD-80FD-2910F91C9E87}" = protocol=6 | dir=in | app=c:\windows\system32\pnkbstrb.exe |
"{5674F583-947F-4C65-9656-5D646A8ED3C4}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{634B5DA1-0412-4965-8C9E-FEFACEF9364C}" = dir=in | app=c:\program files\common files\mcafee\mna\mcnasvc.exe |
"{66CAF122-9792-4EC9-A72E-9D5A3ADBEB73}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{67B9C1DF-0A86-4C8C-8B96-77BD10DFD78B}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{7FDAAB8C-E175-4872-83DC-286C44775A8E}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpofxm08.exe |
"{8ECE04E1-789C-4197-80D6-89E5C7321ADA}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{92D4A656-CC1E-4B6E-ABED-33F1453B665D}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{957E249F-D315-44E2-8EB2-5FA6ED9C74B9}" = dir=in | app=c:\program files\itunes\itunes.exe |
"{A060DCD4-972E-4A89-AA82-8F20C27658A8}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqste08.exe |
"{A386CDCB-DCAE-4252-B5D9-98193A46AB22}" = protocol=6 | dir=in | app=c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe |
"{ABD06D08-8EFD-421F-BABF-C17359FC70B4}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{AE0871EE-A4A7-4936-960E-D53B5D97E1B1}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{B62CB95E-15E4-456D-AC35-5E398D4D7DD7}" = dir=in | app=c:\program files\hp\digital imaging\bin\hposfx08.exe |
"{C5E13CFE-DD54-469A-A39C-F1E871FFFA05}" = dir=in | app=e:\setup\hpznui01.exe |
"{C81D26B0-34D3-4CE6-B7EA-E379A9974A89}" = dir=in | app=c:\program files\common files\apple\apple application support\webkit2webprocess.exe |
"{D122EFA1-D379-4679-A48E-B048BEDA9E4B}" = protocol=6 | dir=in | app=c:\windows\system32\pnkbstra.exe |
"{D5879001-05CE-4FF8-98B2-777751E779D3}" = protocol=17 | dir=in | app=c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe |
"{EB40DB3C-FD01-4B72-8218-09F73550491C}" = dir=in | app=c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe |
"{ECE30FDB-E578-47CE-9D17-7E5B21CD003C}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{F2C0A5E6-FBB6-428E-8D70-0EDEE7F673BE}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpzwiz01.exe |
"{F5145593-10AE-4041-8FA1-EF3568273CC1}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{03A7C57A-B2C8-409b-92E5-524A0DFD0DD3}" = Status
"{087A66B8-1F0F-4a8d-A649-0CFE276AA7C0}" = WebReg
"{196467F1-C11F-4F76-858B-5812ADC83B94}" = MSXML 4.0 SP3 Parser
"{23B8A91D-680B-462B-87AD-3D70F7341731}" = iTunes
"{2A329FB6-389D-4396-A974-29656D6864AE}" = MarketResearch
"{2EEA7AA4-C203-4b90-A34F-19FB7EF1C81C}" = BufferChm
"{3700194C-C5DD-439A-BE06-A66960CA4C70}" = MSVCSetup
"{38DAE5F5-EC70-4aa5-801B-D11CA0A33B41}" = BPDSoftware
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{46E046C9-390D-4BF2-888E-EC82DB6B24CB}" = Garmin Training Center
"{47ECCB1F-2811-49C0-B6A7-26778639ABA0}" = 32 Bit HP CIO Components Installer
"{4A70EF07-7F88-4434-BB61-D1DE8AE93DD4}" = SolutionCenter
"{4D304678-738E-42a0-931A-2B022F49DEB8}" = TrayApp
"{4E7C28C7-D5DA-4E9F-A1CA-60490B54AE35}" = UnloadSupport
"{4E868D3D-6EEB-4273-926C-2287236B5B79}" = 3DVIA player 5.0
"{51E13E14-F72A-4C97-8FD7-04322D995E2F}" = Philips SPC 900NC PC Camera
"{57F60D52-630B-43C5-BD20-176F5CD4EED6}" = bpd_scan
"{5CAD3393-EEC0-44CE-9F93-BCAA365B77FB}" = Nikon Movie Editor
"{612F4E20-3661-4D44-AD79-823F1B613FB3}" = HP Update
"{63FF21C9-A810-464F-B60A-3111747B1A6D}" = GPBaseService2
"{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com
"{65F9E1F3-A2C1-4AA9-9F33-A3AEB0255F0E}" = Garmin USB Drivers
"{676981B7-A2D9-49D0-9F4C-03018F131DA9}" = DocProc
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6B4AD1A9-E73A-4184-9D6B-072F8A3C5EBA}" = VoiceOver Kit
"{6CC080F1-2E00-41D5-BE47-A3BC784E9DFB}" = BPDSoftware_Ini
"{6EED4269-588D-45b8-A80C-26A9CA62EE4E}" = HPSSupply
"{710BF966-43C8-4216-A8EC-BC4E169FF7C1}" = MobileMe Control Panel
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
"{7D542452-84EB-47C0-97BA-735C523AB555}" = Garmin Training Center
"{800E784D-53E3-4948-B491-9E7FA5EACBDC}" = SmartWebPrinting
"{83C57C58-FDD7-4d86-BFCC-9D31CC4EFA71}" = 6500_E709n
"{846B5DED-DC8C-4E1A-B5B4-9F5B39A0CACE}" = HPDiagnosticAlert
"{87441A59-5E64-4096-A170-14EFE67200C3}" = Picture Control Utility
"{87A9A9A9-FAB7-4224-9328-0FA2058C0FD5}" = Network
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISER_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISER_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISER_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISER_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISER_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{91120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{9129B46A-51F0-431b-9838-DF7272F3204E}" = ProductContext
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9CCCFD9C-248F-47FE-9496-1680E3E5C163}" = Scan
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC13BA3A-336B-45a4-B3FE-2D3058A7B533}" = Toolbox
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.3)
"{B014EE44-9197-4513-9613-71E6EB1B514E}" = Nikon Message Center 2
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B6A98E5F-D6A7-46FB-9E9D-1F7BF443491C}" = PMB
"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Click to Call
"{B6D17D97-44CE-402E-BBF2-B38492CBFED7}" = Garmin ANT Agent
"{C29C1940-CB85-4F3B-906C-33FEE0E67103}" = DocMgr
"{C43326F5-F135-4551-8270-7F7ABA0462E1}" = HPProductAssistant
"{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}" = HP Product Detection
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0197E45-D866-44D0-90AF-529F28F15ABA}" = Skype™ 5.7
"{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}" = Nikon Message Center
"{DA7DF8E2-4B8F-4286-97FE-DE3FFFE9B728}" = iCloud
"{DE13432E-F0C1-4842-A5BA-CC997DA72A70}" = 6500_E709_eDocs
"{E64C137C-D0B7-467A-B47F-460AAB30F0A3}" = ViewNX 2
"{E9757890-7EC5-46C8-99AB-B00F07B6525C}" = Nikon Transfer
"{EA57A1B9-0DD2-44DD-9B70-64E8DA553F6F}" = Philips VLounge
"{EB21A812-671B-4D08-B974-2A347F0D8F70}" = HP Photosmart Essential
"{EB879750-CCBD-4013-BFD5-0294D4DA5BD0}" = Apple Application Support
"{EEEB604C-C1A7-4f8c-B03F-56F9C1C9C45F}" = Fax
"{EF9E56EE-0243-4BAD-88F4-5E7508AA7D96}" = Destination Component
"{EFC04D3F-A152-47E7-8517-EE0F6201AFEF}" = Apple Mobile Device Support
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F185B35D-38E5-4D88-B275-15C8C7FC4357}" = 6500_E709_Help
"{F2AF3E5D-9697-485C-A5AC-E2B9468C446A}" = Safari
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F769B78E-FF0E-4db5-95E2-9F4C8D6352FE}" = DeviceDiscovery
"{FA0F0A01-4631-4161-A6C2-948BF694382E}" = HP Officejet 6500 E709 Series
"24DA573F901348FFDFF7717497830D45BE0C362E" = Windows Driver Package - Dynastream Innovations (libusb0) LibUsbDevices (07/07/2009 1.12.2)
"49CF605F02C7954F4E139D18828DE298CD59217C" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"ENTERPRISER" = Microsoft Office Enterprise 2007
"Google Chrome" = Google Chrome
"HP Document Manager" = HP Document Manager 2.0
"HP Imaging Device Functions" = HP Imaging Device Functions 12.0
"HP Smart Web Printing" = HP Smart Web Printing
"HP Solution Center & Imaging Support Tools" = HP Solution Center 13.0
"HPExtendedCapabilities" = HP Customer Participation Program 12.0
"HPOCR" = OCR Software by I.R.I.S. 12.0
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mozilla Firefox 11.0 (x86 en-US)" = Mozilla Firefox 11.0 (x86 en-US)
"MSC" = McAfee Internet Security
"NVIDIA Drivers" = NVIDIA Drivers
"Shop for HP Supplies" = Shop for HP Supplies

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3854999024-166210282-1493934176-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Smilebox" = Smilebox

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/26/2012 9:02:34 PM | Computer Name = Speedracer531 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 1092

Error - 1/26/2012 9:02:34 PM | Computer Name = Speedracer531 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 1092

Error - 1/28/2012 6:24:09 AM | Computer Name = Speedracer531 | Source = Windows Search Service | ID = 3013
Description =

Error - 1/28/2012 6:24:09 AM | Computer Name = Speedracer531 | Source = Windows Search Service | ID = 3013
Description =

Error - 1/28/2012 7:56:01 AM | Computer Name = Speedracer531 | Source = Windows Search Service | ID = 3013
Description =

Error - 1/28/2012 7:56:01 AM | Computer Name = Speedracer531 | Source = Windows Search Service | ID = 3013
Description =

Error - 1/28/2012 7:56:14 AM | Computer Name = Speedracer531 | Source = Windows Search Service | ID = 3013
Description =

Error - 1/28/2012 7:56:14 AM | Computer Name = Speedracer531 | Source = Windows Search Service | ID = 3013
Description =

Error - 1/28/2012 1:30:39 PM | Computer Name = Speedracer531 | Source = Windows Search Service | ID = 3013
Description =

Error - 1/28/2012 1:30:39 PM | Computer Name = Speedracer531 | Source = Windows Search Service | ID = 3013
Description =

[ OSession Events ]
Error - 3/25/2010 9:23:49 AM | Computer Name = Speedracer531 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6524.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 1733
seconds with 1140 seconds of active time. This session ended with a crash.

Error - 3/25/2010 9:24:10 AM | Computer Name = Speedracer531 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6524.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 13
seconds with 0 seconds of active time. This session ended with a crash.

Error - 3/8/2011 4:08:37 AM | Computer Name = Speedracer531 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6550.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 3404
seconds with 840 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 4/25/2012 8:17:36 PM | Computer Name = Speedracer531 | Source = Service Control Manager | ID = 7001
Description =

Error - 4/25/2012 8:17:36 PM | Computer Name = Speedracer531 | Source = Service Control Manager | ID = 7026
Description =

Error - 4/25/2012 8:17:36 PM | Computer Name = Speedracer531 | Source = Service Control Manager | ID = 7001
Description =

Error - 4/25/2012 8:17:36 PM | Computer Name = Speedracer531 | Source = Service Control Manager | ID = 7001
Description =

Error - 4/25/2012 8:17:36 PM | Computer Name = Speedracer531 | Source = Service Control Manager | ID = 7001
Description =

Error - 4/25/2012 8:17:36 PM | Computer Name = Speedracer531 | Source = Service Control Manager | ID = 7001
Description =

Error - 4/25/2012 8:20:43 PM | Computer Name = Speedracer531 | Source = DCOM | ID = 10005
Description =

Error - 4/26/2012 6:51:01 AM | Computer Name = Speedracer531 | Source = Service Control Manager | ID = 7000
Description =

Error - 4/26/2012 6:51:01 AM | Computer Name = Speedracer531 | Source = Service Control Manager | ID = 7026
Description =

Error - 4/26/2012 6:34:07 PM | Computer Name = Speedracer531 | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.103 for the Network Card with network
address 001AA051367F has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).


< End of report >
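The Extras log above reports `EnableFirewall = 0` for all three Windows Firewall profiles, and inbound allow rules for the file-sharing ports (139 and 445 TCP, 137 and 138 UDP). The following is an added example, not from speedracer's post and not OTL's own code, that parses both sections into Python structures and flags those two conditions; the sample text is the log's own lines with the forum's line-wrap spaces removed. One caveat a reviewer should keep in mind: a disabled Windows Firewall is the normal state when a third-party suite such as the McAfee Internet Security listed in the uninstall section runs its own firewall, so the "disabled" flag is a prompt to confirm which firewall is actually enforcing on the host, not evidence that none is. The protocol-number mapping (6 = TCP, 17 = UDP, 1 = ICMP, 58 = ICMPv6) is the standard IANA assignment.

```python
import re
from typing import Dict, List

# Registry key header for one firewall profile, e.g.
# [HKEY_LOCAL_MACHINE\SYSTEM\...\FirewallPolicy\StandardProfile]
PROFILE_HDR = re.compile(r"^\[HKEY_LOCAL_MACHINE\\.*\\FirewallPolicy\\(?P<name>\w+Profile)\]$")
# A numeric registry value as OTL prints it:  "EnableFirewall" = 0
VALUE_LINE = re.compile(r'^"(?P<key>[^"]+)"\s*=\s*(?P<val>-?\d+)$')
# One FirewallRules entry:  "{GUID}" = lport=139 | protocol=6 | dir=in | app=system |
RULE_LINE = re.compile(r'^"\{(?P<id>[0-9A-Fa-f-]+)\}"\s*=\s*(?P<body>.*)$')

# IANA protocol numbers as they appear in the rules.
IP_PROTO = {"1": "icmp", "6": "tcp", "17": "udp", "58": "icmpv6"}
# NetBIOS name/datagram/session service and SMB over TCP.
FILE_SHARING_PORTS = {"137", "138", "139", "445"}


def parse_firewall_profiles(text: str) -> Dict[str, Dict[str, int]]:
    """Map each *Profile key to its numeric values (EnableFirewall, DisableNotifications)."""
    profiles: Dict[str, Dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        hdr = PROFILE_HDR.match(line)
        if hdr:
            current = hdr.group("name")
            profiles[current] = {}
            continue
        if line.startswith("["):
            current = None  # any other key: stop attributing values to a profile
            continue
        val = VALUE_LINE.match(line)
        if current is not None and val:
            profiles[current][val.group("key")] = int(val.group("val"))
    return profiles


def parse_firewall_rules(text: str) -> List[Dict[str, str]]:
    """Turn each "{GUID}" = k=v | k=v | ... line into a dict of its fields."""
    rules = []
    for raw in text.splitlines():
        m = RULE_LINE.match(raw.strip())
        if not m:
            continue
        rule = {"id": m.group("id")}
        for field in m.group("body").split("|"):
            if "=" in field:
                key, value = field.split("=", 1)
                rule[key.strip()] = value.strip()
        rules.append(rule)
    return rules


def disabled_profiles(profiles: Dict[str, Dict[str, int]]) -> List[str]:
    """Profiles whose EnableFirewall value is 0 (confirm who is firewalling instead)."""
    return sorted(name for name, vals in profiles.items() if vals.get("EnableFirewall") == 0)


def inbound_file_sharing_rules(rules: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Inbound allow rules whose local port is a NetBIOS/SMB port."""
    return [r for r in rules if r.get("dir") == "in" and r.get("lport") in FILE_SHARING_PORTS]


def describe(rule: Dict[str, str]) -> str:
    """One-line human summary: direction proto/port -> program or service."""
    proto_num = rule.get("protocol")
    proto = IP_PROTO.get(proto_num, proto_num or "any")
    port = rule.get("lport") or rule.get("rport") or "any"
    target = rule.get("app") or rule.get("svc") or rule.get("name") or "?"
    return f"{rule.get('dir', '?')} {proto}/{port} -> {target}"


# Sample input: lines from the Extras log above, wrap spaces removed.
SAMPLE = r"""
========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{37913B38-FD46-4628-8666-8515758A6ED4}" = lport=139 | protocol=6 | dir=in | app=system |
"{3B40AE85-CA86-4E97-8130-B77F18DABB74}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |
"{6012D214-1E1E-40EE-8E2E-A8A0419E3B2F}" = rport=137 | protocol=17 | dir=out | app=system |
"{6BA4879E-10A7-467D-9574-81C4E24871FD}" = lport=445 | protocol=6 | dir=in | app=system |
"{9AECCF52-C14A-4E6B-B5ED-20068E104B54}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{ACECFA9F-207E-4AF2-B728-54687DCBF095}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{8ECE04E1-789C-4197-80D6-89E5C7321ADA}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"""

if __name__ == "__main__":
    print("Windows Firewall disabled on:", disabled_profiles(parse_firewall_profiles(SAMPLE)))
    for rule in inbound_file_sharing_rules(parse_firewall_rules(SAMPLE)):
        print("inbound file-sharing allow:", describe(rule))
```

The file-sharing rules found here are the stock Windows "File and Printer Sharing" exceptions bound to the System process; they are a finding only if the machine sits on a network where nothing upstream blocks 139/445, which is why the check reports them rather than judging them.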
  #5  
Old April 28th, 2012, 02:48 AM
speedracer
Senior Member
 
Join Date: Feb 2003
O/S: Windows XP Pro
Location: Charlotte, NC
Age: 44
Posts: 193
GMER log part I:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-27 21:24:46
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\00000057 Hitachi_ rev.V5DO
Running: 84zkuie7.exe; Driver: C:\Users\Dad\AppData\Local\Temp\kfloruod.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8304B5A8]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8304B5D2]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8304B5BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x8304B594]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 8263B982 5 Bytes JMP 8304B598 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 82801153 5 Bytes JMP 8304B5D6 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 828208AA 7 Bytes JMP 8304B5AC \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 82820B6D 5 Bytes JMP 8304B5C2 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[260] ntdll.dll!NtCreateFile 76F44244 5 Bytes JMP 00D30FEF
.text C:\Windows\system32\svchost.exe[260] ntdll.dll!NtCreateProcess 76F44304 5 Bytes JMP 00D30FC3
.text C:\Windows\system32\svchost.exe[260] ntdll.dll!NtProtectVirtualMemory 76F44BA4 5 Bytes JMP 00D30FD4
.text C:\Windows\system32\svchost.exe[260] kernel32.dll!GetStartupInfoW 76041929 5 Bytes JMP 00D100A7
.text C:\Windows\system32\svchost.exe[260] kernel32.dll!GetStartupInfoA 760419C9 5 Bytes JMP 00D1008C
.text C:\Windows\system32\svchost.exe[260] kernel32.dll!CreateProcessW 76041BF3 5 Bytes JMP 00D100E4
.text C:\Windows\system32\svchost.exe[260] kernel32.dll!CreateProcessA 76041C28 5 Bytes JMP 00D100D3
.text C:\Windows\system32\svchost.exe[260] kernel32.dll!VirtualProtect 76041DC3 5 Bytes JMP 00D10F72
.text C:\Windows\system32\svchost.exe[260] kernel32.dll!CreateNamedPipeA 76042EF5 5 Bytes JMP 00D10000
.text C:\Windows\system32\svchost.exe[260] kernel32.dll!CreateNamedPipeW 76045C0C 5 Bytes JMP 00D1001B
.text C:\Windows\system32\svchost.exe[260] kernel32.dll!CreatePipe 76068F06 5 Bytes JMP 00D10F61
.text C:\Windows\system32\svchost.exe[260] kernel32.dll!LoadLibraryExW 7606927C 5 Bytes JMP 00D10F83
.text C:\Windows\system32\svchost.exe[260] kernel32.dll!LoadLibraryW 76069400 5 Bytes JMP 00D10036
.text C:\Windows\system32\svchost.exe[260] kernel32.dll!LoadLibraryExA 76069554 5 Bytes JMP 00D10F94
.text C:\Windows\system32\svchost.exe[260] kernel32.dll!LoadLibraryA 7606957C 5 Bytes JMP 00D10FA5
.text C:\Windows\system32\svchost.exe[260] kernel32.dll!VirtualProtectEx 7606DC52 5 Bytes JMP 00D10071
.text C:\Windows\system32\svchost.exe[260] kernel32.dll!GetProcAddress 7608925B 5 Bytes JMP 00D10109
.text C:\Windows\system32\svchost.exe[260] kernel32.dll!CreateFileW 7608B0EB 5 Bytes JMP 00D10FCA
.text C:\Windows\system32\svchost.exe[260] kernel32.dll!CreateFileA 7608D07F 5 Bytes JMP 00D10FEF
.text C:\Windows\system32\svchost.exe[260] kernel32.dll!WinExec 760D60CF 5 Bytes JMP 00D100B8
.text C:\Windows\system32\svchost.exe[260] msvcrt.dll!_wsystem 76DB7F3F 5 Bytes JMP 00D9002C
.text C:\Windows\system32\svchost.exe[260] msvcrt.dll!system 76DB805B 5 Bytes JMP 00D90011
.text C:\Windows\system32\svchost.exe[260] msvcrt.dll!_creat 76DBBBF1 5 Bytes JMP 00D90FC6
.text C:\Windows\system32\svchost.exe[260] msvcrt.dll!_open 76DBD116 5 Bytes JMP 00D90000
.text C:\Windows\system32\svchost.exe[260] msvcrt.dll!_wcreat 76DBD336 5 Bytes JMP 00D90FA1
.text C:\Windows\system32\svchost.exe[260] msvcrt.dll!_wopen 76DBD511 5 Bytes JMP 00D90FD7
.text C:\Windows\system32\svchost.exe[260] ADVAPI32.dll!RegCreateKeyExA 75A239AB 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[260] ADVAPI32.dll!RegCreateKeyExA 75A239AB 5 Bytes JMP 00760FAF
.text C:\Windows\system32\svchost.exe[260] ADVAPI32.dll!RegCreateKeyA 75A23BA9 5 Bytes JMP 00760036
.text C:\Windows\system32\svchost.exe[260] ADVAPI32.dll!RegOpenKeyA 75A289C7 5 Bytes JMP 00760FEF
.text C:\Windows\system32\svchost.exe[260] ADVAPI32.dll!RegCreateKeyW 75A3391E 5 Bytes JMP 00760051
.text C:\Windows\system32\svchost.exe[260] ADVAPI32.dll!RegCreateKeyExW 75A341F1 5 Bytes JMP 0076006C
.text C:\Windows\system32\svchost.exe[260] ADVAPI32.dll!RegOpenKeyExA 75A37C42 5 Bytes JMP 00760FD4
.text C:\Windows\system32\svchost.exe[260] ADVAPI32.dll!RegOpenKeyW 75A3E2B5 5 Bytes JMP 00760000
.text C:\Windows\system32\svchost.exe[260] ADVAPI32.dll!RegOpenKeyExW 75A47BA1 5 Bytes JMP 00760025
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[804] kernel32.dll!LoadLibraryW 76069400 5 Bytes JMP 69399A63 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[804] kernel32.dll!LoadLibraryA 7606957C 5 Bytes JMP 693999A1 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Windows\system32\svchost.exe[1016] ntdll.dll!NtCreateFile 76F44244 5 Bytes JMP 001C0FEF
.text C:\Windows\system32\svchost.exe[1016] ntdll.dll!NtCreateProcess 76F44304 5 Bytes JMP 001C0FCA
.text C:\Windows\system32\svchost.exe[1016] ntdll.dll!NtProtectVirtualMemory 76F44BA4 5 Bytes JMP 001C000A
.text C:\Windows\system32\svchost.exe[1016] kernel32.dll!GetStartupInfoW 76041929 5 Bytes JMP 001A00D0
.text C:\Windows\system32\svchost.exe[1016] kernel32.dll!GetStartupInfoA 760419C9 5 Bytes JMP 001A00BF
.text C:\Windows\system32\svchost.exe[1016] kernel32.dll!CreateProcessW 76041BF3 5 Bytes JMP 001A00FF
.text C:\Windows\system32\svchost.exe[1016] kernel32.dll!CreateProcessA 76041C28 5 Bytes JMP 001A0F68
.text C:\Windows\system32\svchost.exe[1016] kernel32.dll!VirtualProtect 76041DC3 5 Bytes JMP 001A0FA8
.text C:\Windows\system32\svchost.exe[1016] kernel32.dll!CreateNamedPipeA 76042EF5 5 Bytes JMP 001A002C
.text C:\Windows\system32\svchost.exe[1016] kernel32.dll!CreateNamedPipeW 76045C0C 5 Bytes JMP 001A0051
.text C:\Windows\system32\svchost.exe[1016] kernel32.dll!CreatePipe 76068F06 5 Bytes JMP 001A00AE
.text C:\Windows\system32\svchost.exe[1016] kernel32.dll!LoadLibraryExW 7606927C 5 Bytes JMP 001A0FB9
.text C:\Windows\system32\svchost.exe[1016] kernel32.dll!LoadLibraryW 76069400 5 Bytes JMP 001A0FE5
.text C:\Windows\system32\svchost.exe[1016] kernel32.dll!LoadLibraryExA 76069554 5 Bytes JMP 001A0FCA
.text C:\Windows\system32\svchost.exe[1016] kernel32.dll!LoadLibraryA 7606957C 5 Bytes JMP 001A006C
.text C:\Windows\system32\svchost.exe[1016] kernel32.dll!VirtualProtectEx 7606DC52 5 Bytes JMP 001A009D
.text C:\Windows\system32\svchost.exe[1016] kernel32.dll!GetProcAddress 7608925B 5 Bytes JMP 001A0F57
.text C:\Windows\system32\svchost.exe[1016] kernel32.dll!CreateFileW 7608B0EB 5 Bytes JMP 001A001B
.text C:\Windows\system32\svchost.exe[1016] kernel32.dll!CreateFileA 7608D07F 5 Bytes JMP 001A0000
.text C:\Windows\system32\svchost.exe[1016] kernel32.dll!WinExec 760D60CF 5 Bytes JMP 001A0F79
.text C:\Windows\system32\svchost.exe[1016] msvcrt.dll!_wsystem 76DB7F3F 5 Bytes JMP 001B0F92
.text C:\Windows\system32\svchost.exe[1016] msvcrt.dll!system 76DB805B 5 Bytes JMP 001B0FB7
.text C:\Windows\system32\svchost.exe[1016] msvcrt.dll!_creat 76DBBBF1 5 Bytes JMP 001B0027
.text C:\Windows\system32\svchost.exe[1016] msvcrt.dll!_open 76DBD116 5 Bytes JMP 001B000C
.text C:\Windows\system32\svchost.exe[1016] msvcrt.dll!_wcreat 76DBD336 5 Bytes JMP 001B0FD2
.text C:\Windows\system32\svchost.exe[1016] msvcrt.dll!_wopen 76DBD511 5 Bytes JMP 001B0FE3
.text C:\Windows\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyExA 75A239AB 5 Bytes JMP 00070014
.text C:\Windows\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyA 75A23BA9 5 Bytes JMP 00070F83
.text C:\Windows\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyA 75A289C7 5 Bytes JMP 00070FEF
.text C:\Windows\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyW 75A3391E 5 Bytes JMP 00070F72
.text C:\Windows\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyExW 75A341F1 5 Bytes JMP 00070025
.text C:\Windows\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyExA 75A37C42 5 Bytes JMP 00070FAF
.text C:\Windows\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyW 75A3E2B5 5 Bytes JMP 00070FCA
.text C:\Windows\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyExW 75A47BA1 5 Bytes JMP 00070F9E
.text C:\Windows\system32\svchost.exe[1016] WS2_32.dll!socket 75B636D1 5 Bytes JMP 00130FEF
.text C:\Windows\system32\svchost.exe[1224] ntdll.dll!NtCreateFile 76F44244 5 Bytes JMP 00CB0000
.text C:\Windows\system32\svchost.exe[1224] ntdll.dll!NtCreateProcess 76F44304 5 Bytes JMP 00CB0022
.text C:\Windows\system32\svchost.exe[1224] ntdll.dll!NtProtectVirtualMemory 76F44BA4 5 Bytes JMP 00CB0011
.text C:\Windows\system32\svchost.exe[1224] kernel32.dll!GetStartupInfoW 76041929 5 Bytes JMP 00C90F52
.text C:\Windows\system32\svchost.exe[1224] kernel32.dll!GetStartupInfoA 760419C9 5 Bytes JMP 00C90098
.text C:\Windows\system32\svchost.exe[1224] kernel32.dll!CreateProcessW 76041BF3 5 Bytes JMP 00C90F12
.text C:\Windows\system32\svchost.exe[1224] kernel32.dll!CreateProcessA 76041C28 5 Bytes JMP 00C90F37
.text C:\Windows\system32\svchost.exe[1224] kernel32.dll!VirtualProtect 76041DC3 5 Bytes JMP 00C9006C
.text C:\Windows\system32\svchost.exe[1224] kernel32.dll!CreateNamedPipeA 76042EF5 5 Bytes JMP 00C90FCA
.text C:\Windows\system32\svchost.exe[1224] kernel32.dll!CreateNamedPipeW 76045C0C 5 Bytes JMP 00C90FB9
.text C:\Windows\system32\svchost.exe[1224] kernel32.dll!CreatePipe 76068F06 5 Bytes JMP 00C90F6D
.text C:\Windows\system32\svchost.exe[1224] kernel32.dll!LoadLibraryExW 7606927C 5 Bytes JMP 00C90051
.text C:\Windows\system32\svchost.exe[1224] kernel32.dll!LoadLibraryW 76069400 5 Bytes JMP 00C90040
.text C:\Windows\system32\svchost.exe[1224] kernel32.dll!LoadLibraryExA 76069554 5 Bytes JMP 00C90F9E
.text C:\Windows\system32\svchost.exe[1224] kernel32.dll!LoadLibraryA 7606957C 5 Bytes JMP 00C90025
.text C:\Windows\system32\svchost.exe[1224] kernel32.dll!VirtualProtectEx 7606DC52 5 Bytes JMP 00C90087
.text C:\Windows\system32\svchost.exe[1224] kernel32.dll!GetProcAddress 7608925B 5 Bytes JMP 00C90F01
.text C:\Windows\system32\svchost.exe[1224] kernel32.dll!CreateFileW 7608B0EB 5 Bytes JMP 00C90FE5
.text C:\Windows\system32\svchost.exe[1224] kernel32.dll!CreateFileA 7608D07F 5 Bytes JMP 00C90000
.text C:\Windows\system32\svchost.exe[1224] kernel32.dll!WinExec 760D60CF 5 Bytes JMP 00C900B3
.text C:\Windows\system32\svchost.exe[1224] msvcrt.dll!_wsystem 76DB7F3F 5 Bytes JMP 00CA0047
.text C:\Windows\system32\svchost.exe[1224] msvcrt.dll!system 76DB805B 5 Bytes JMP 00CA0FB2
.text C:\Windows\system32\svchost.exe[1224] msvcrt.dll!_creat 76DBBBF1 5 Bytes JMP 00CA0011
.text C:\Windows\system32\svchost.exe[1224] msvcrt.dll!_open 76DBD116 5 Bytes JMP 00CA0000
.text C:\Windows\system32\svchost.exe[1224] msvcrt.dll!_wcreat 76DBD336 5 Bytes JMP 00CA0022
.text C:\Windows\system32\svchost.exe[1224] msvcrt.dll!_wopen 76DBD511 5 Bytes JMP 00CA0FD7
.text C:\Windows\system32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyExA 75A239AB 5 Bytes JMP 00C60036
.text C:\Windows\system32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyA 75A23BA9 5 Bytes JMP 00C60FAF
.text C:\Windows\system32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyA 75A289C7 5 Bytes JMP 00C6000A
.text C:\Windows\system32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyW 75A3391E 5 Bytes JMP 00C60F94
.text C:\Windows\system32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyExW 75A341F1 5 Bytes JMP 00C6005B
.text C:\Windows\system32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyExA 75A37C42 5 Bytes JMP 00C6001B
.text C:\Windows\system32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyW 75A3E2B5 5 Bytes JMP 00C60FE5
.text C:\Windows\system32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyExW 75A47BA1 5 Bytes JMP 00C60FCA
.text C:\Windows\system32\svchost.exe[1224] WS2_32.dll!socket 75B636D1 5 Bytes JMP 00C70FEF
.text C:\Windows\System32\svchost.exe[1344] ntdll.dll!NtCreateFile 76F44244 5 Bytes JMP 000E0FEF
.text C:\Windows\System32\svchost.exe[1344] ntdll.dll!NtCreateProcess 76F44304 5 Bytes JMP 000E0FC3
.text C:\Windows\System32\svchost.exe[1344] ntdll.dll!NtProtectVirtualMemory 76F44BA4 5 Bytes JMP 000E0FD4
.text C:\Windows\System32\svchost.exe[1344] kernel32.dll!GetStartupInfoW 76041929 5 Bytes JMP 000C0F3F
.text C:\Windows\System32\svchost.exe[1344] kernel32.dll!GetStartupInfoA 760419C9 5 Bytes JMP 000C0F50
.text C:\Windows\System32\svchost.exe[1344] kernel32.dll!CreateProcessW 76041BF3 5 Bytes JMP 000C0F1A
.text C:\Windows\System32\svchost.exe[1344] kernel32.dll!CreateProcessA 76041C28 5 Bytes JMP 000C00B1
.text C:\Windows\System32\svchost.exe[1344] kernel32.dll!VirtualProtect 76041DC3 5 Bytes JMP 000C0F7C
.text C:\Windows\System32\svchost.exe[1344] kernel32.dll!CreateNamedPipeA 76042EF5 5 Bytes JMP 000C0FD4
.text C:\Windows\System32\svchost.exe[1344] kernel32.dll!CreateNamedPipeW 76045C0C 5 Bytes JMP 000C0FC3
.text C:\Windows\System32\svchost.exe[1344] kernel32.dll!CreatePipe 76068F06 5 Bytes JMP 000C0071
.text C:\Windows\System32\svchost.exe[1344] kernel32.dll!LoadLibraryExW 7606927C 5 Bytes JMP 000C004A
.text C:\Windows\System32\svchost.exe[1344] kernel32.dll!LoadLibraryW 76069400 5 Bytes JMP 000C0F97
.text C:\Windows\System32\svchost.exe[1344] kernel32.dll!LoadLibraryExA 76069554 5 Bytes JMP 000C0039
.text C:\Windows\System32\svchost.exe[1344] kernel32.dll!LoadLibraryA 7606957C 5 Bytes JMP 000C0FA8
.text C:\Windows\System32\svchost.exe[1344] kernel32.dll!VirtualProtectEx 7606DC52 5 Bytes JMP 000C0F6B
.text C:\Windows\System32\svchost.exe[1344] kernel32.dll!GetProcAddress 7608925B 5 Bytes JMP 000C00CC
.text C:\Windows\System32\svchost.exe[1344] kernel32.dll!CreateFileW 7608B0EB 5 Bytes JMP 000C000A
.text C:\Windows\System32\svchost.exe[1344] kernel32.dll!CreateFileA 7608D07F 5 Bytes JMP 000C0FEF
.text C:\Windows\System32\svchost.exe[1344] kernel32.dll!WinExec 760D60CF 5 Bytes JMP 000C00A0
.text C:\Windows\System32\svchost.exe[1344] msvcrt.dll!_wsystem 76DB7F3F 5 Bytes JMP 000D0F9C
.text C:\Windows\System32\svchost.exe[1344] msvcrt.dll!system 76DB805B 5 Bytes JMP 000D0027
.text C:\Windows\System32\svchost.exe[1344] msvcrt.dll!_creat 76DBBBF1 5 Bytes JMP 000D0FD2
.text C:\Windows\System32\svchost.exe[1344] msvcrt.dll!_open 76DBD116 5 Bytes JMP 000D0FEF
.text C:\Windows\System32\svchost.exe[1344] msvcrt.dll!_wcreat 76DBD336 5 Bytes JMP 000D0FB7
.text C:\Windows\System32\svchost.exe[1344] msvcrt.dll!_wopen 76DBD511 5 Bytes JMP 000D000C
.text C:\Windows\System32\svchost.exe[1344] ADVAPI32.dll!RegCreateKeyExA 75A239AB 5 Bytes JMP 000B0062
.text C:\Windows\System32\svchost.exe[1344] ADVAPI32.dll!RegCreateKeyA 75A23BA9 5 Bytes JMP 000B0036
.text C:\Windows\System32\svchost.exe[1344] ADVAPI32.dll!RegOpenKeyA 75A289C7 5 Bytes JMP 000B0FEF
.text C:\Windows\System32\svchost.exe[1344] ADVAPI32.dll!RegCreateKeyW 75A3391E 5 Bytes JMP 000B0047
.text C:\Windows\System32\svchost.exe[1344] ADVAPI32.dll!RegCreateKeyExW 75A341F1 5 Bytes JMP 000B007D
.text C:\Windows\System32\svchost.exe[1344] ADVAPI32.dll!RegOpenKeyExA 75A37C42 5 Bytes JMP 000B0FD4
.text C:\Windows\System32\svchost.exe[1344] ADVAPI32.dll!RegOpenKeyW 75A3E2B5 5 Bytes JMP 000B000A
.text C:\Windows\System32\svchost.exe[1344] ADVAPI32.dll!RegOpenKeyExW 75A47BA1 5 Bytes JMP 000B0025
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3096] USER32.dll!SetWindowLongA 75DEE7CD 5 Bytes JMP 5E2B75F7 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3096] USER32.dll!SetWindowLongW 75DF13B4 5 Bytes JMP 5E2B7589 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3096] USER32.dll!GetWindowInfo 75DF428E 5 Bytes JMP 5E08FE0A C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3096] USER32.dll!TrackPopupMenu 75E014F3 5 Bytes JMP 5E0903C5 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3396] ntdll.dll!LdrLoadDll 76F09378 5 Bytes JMP 5DF19720 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3396] kernel32.dll!MapViewOfFile 76086B10 5 Bytes JMP 5E14E1F4 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3396] kernel32.dll!VirtualAlloc 7608AF75 5 Bytes JMP 5E14E21B C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3396] USER32.dll!GetWindowInfo 75DF428E 5 Bytes JMP 5E097657 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3396] GDI32.dll!CreateDIBSection 75D77461 5 Bytes JMP 5E14E17E C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Windows\Explorer.EXE[3800] ntdll.dll!NtCreateFile 76F44244 5 Bytes JMP 00040000
.text C:\Windows\Explorer.EXE[3800] ntdll.dll!NtCreateProcess 76F44304 5 Bytes JMP 00040022
.text C:\Windows\Explorer.EXE[3800] ntdll.dll!NtProtectVirtualMemory 76F44BA4 5 Bytes JMP 00040011
.text C:\Windows\Explorer.EXE[3800] kernel32.dll!GetStartupInfoW 76041929 5 Bytes JMP 00010096
.text C:\Windows\Explorer.EXE[3800] kernel32.dll!GetStartupInfoA 760419C9 5 Bytes JMP 00010F50
.text C:\Windows\Explorer.EXE[3800] kernel32.dll!CreateProcessW 76041BF3 5 Bytes JMP 00010F21
.text C:\Windows\Explorer.EXE[3800] kernel32.dll!CreateProcessA 76041C28 5 Bytes JMP 000100B8
.text C:\Windows\Explorer.EXE[3800] kernel32.dll!VirtualProtect 76041DC3 5 Bytes JMP 00010F7C
.text C:\Windows\Explorer.EXE[3800] kernel32.dll!CreateNamedPipeA 76042EF5 5 Bytes JMP 00010FD4
.text C:\Windows\Explorer.EXE[3800] kernel32.dll!CreateNamedPipeW 76045C0C 5 Bytes JMP 00010FC3
.text C:\Windows\Explorer.EXE[3800] kernel32.dll!CreatePipe 76068F06 5 Bytes JMP 0001007B
.text C:\Windows\Explorer.EXE[3800] kernel32.dll!LoadLibraryExW 7606927C 5 Bytes JMP 00010056
.text C:\Windows\Explorer.EXE[3800] kernel32.dll!LoadLibraryW 76069400 5 Bytes JMP 00010F97
.text C:\Windows\Explorer.EXE[3800] kernel32.dll!LoadLibraryExA 76069554 5 Bytes JMP 0001002F
.text C:\Windows\Explorer.EXE[3800] kernel32.dll!LoadLibraryA 7606957C 5 Bytes JMP 00010FB2
.text C:\Windows\Explorer.EXE[3800] kernel32.dll!VirtualProtectEx 7606DC52 5 Bytes JMP 00010F61
.text C:\Windows\Explorer.EXE[3800] kernel32.dll!GetProcAddress 7608925B 5 Bytes JMP 00010F10
.text C:\Windows\Explorer.EXE[3800] kernel32.dll!CreateFileW 7608B0EB 5 Bytes JMP 00010FE5
.text C:\Windows\Explorer.EXE[3800] kernel32.dll!CreateFileA 7608D07F 5 Bytes JMP 0001000A
.text C:\Windows\Explorer.EXE[3800] kernel32.dll!WinExec 760D60CF 5 Bytes JMP 000100A7
.text C:\Windows\Explorer.EXE[3800]
  #6  
Old April 28th, 2012, 02:52 AM
speedracer speedracer is offline
Senior Member
 
Join Date: Feb 2003
O/S: Windows XP Pro
Location: Charlotte, NC
Age: 44
Posts: 193
GMER part II:

ADVAPI32.dll!RegCreateKeyExA 75A239AB 5 Bytes JMP 00060040
.text C:\Windows\Explorer.EXE[3800] ADVAPI32.dll!RegCreateKeyA 75A23BA9 5 Bytes JMP 0006001E
.text C:\Windows\Explorer.EXE[3800] ADVAPI32.dll!RegOpenKeyA 75A289C7 5 Bytes JMP 00060FEF
.text C:\Windows\Explorer.EXE[3800] ADVAPI32.dll!RegCreateKeyW 75A3391E 5 Bytes JMP 0006002F
.text C:\Windows\Explorer.EXE[3800] ADVAPI32.dll!RegCreateKeyExW 75A341F1 5 Bytes JMP 00060F8D
.text C:\Windows\Explorer.EXE[3800] ADVAPI32.dll!RegOpenKeyExA 75A37C42 5 Bytes JMP 00060FC3
.text C:\Windows\Explorer.EXE[3800] ADVAPI32.dll!RegOpenKeyW 75A3E2B5 5 Bytes JMP 00060FD4
.text C:\Windows\Explorer.EXE[3800] ADVAPI32.dll!RegOpenKeyExW 75A47BA1 5 Bytes JMP 00060FB2
.text C:\Windows\Explorer.EXE[3800] msvcrt.dll!_wsystem 76DB7F3F 5 Bytes JMP 0007007A
.text C:\Windows\Explorer.EXE[3800] msvcrt.dll!system 76DB805B 5 Bytes JMP 00070FEF
.text C:\Windows\Explorer.EXE[3800] msvcrt.dll!_creat 76DBBBF1 5 Bytes JMP 0007003A
.text C:\Windows\Explorer.EXE[3800] msvcrt.dll!_open 76DBD116 5 Bytes JMP 00070000
.text C:\Windows\Explorer.EXE[3800] msvcrt.dll!_wcreat 76DBD336 5 Bytes JMP 00070055
.text C:\Windows\Explorer.EXE[3800] msvcrt.dll!_wopen 76DBD511 5 Bytes JMP 0007001D
.text C:\Windows\Explorer.EXE[3800] WININET.dll!InternetCloseHandle 7702C704 5 Bytes JMP 6EB743D0 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (SiteAdvisor/McAfee, Inc.)
.text C:\Windows\Explorer.EXE[3800] WININET.dll!InternetReadFile 7702F978 5 Bytes JMP 6EB744F0 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (SiteAdvisor/McAfee, Inc.)
.text C:\Windows\Explorer.EXE[3800] WININET.dll!InternetOpenA 7703D688 5 Bytes JMP 008E0000
.text C:\Windows\Explorer.EXE[3800] WININET.dll!InternetOpenUrlA 7704E296 5 Bytes JMP 008E0FCA
.text C:\Windows\Explorer.EXE[3800] WININET.dll!InternetOpenW 770572A6 5 Bytes JMP 008E0FDB
.text C:\Windows\Explorer.EXE[3800] WININET.dll!InternetConnectA 7707B75E 5 Bytes JMP 6EB74790 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (SiteAdvisor/McAfee, Inc.)
.text C:\Windows\Explorer.EXE[3800] WININET.dll!HttpOpenRequestA 7707B841 5 Bytes JMP 6EB74690 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (SiteAdvisor/McAfee, Inc.)
.text C:\Windows\Explorer.EXE[3800] WININET.dll!InternetOpenUrlW 770AD9BA 5 Bytes JMP 008E0025
.text C:\Windows\Explorer.EXE[3800] WS2_32.dll!socket 75B636D1 5 Bytes JMP 033B0000
.text C:\Windows\system32\svchost.exe[4340] ntdll.dll!NtCreateFile 76F44244 5 Bytes JMP 00D00FE5
.text C:\Windows\system32\svchost.exe[4340] ntdll.dll!NtCreateProcess 76F44304 5 Bytes JMP 00D00FB9
.text C:\Windows\system32\svchost.exe[4340] ntdll.dll!NtProtectVirtualMemory 76F44BA4 5 Bytes JMP 00D00FD4
.text C:\Windows\system32\svchost.exe[4340] kernel32.dll!GetStartupInfoW 76041929 5 Bytes JMP 00CE0F3C
.text C:\Windows\system32\svchost.exe[4340] kernel32.dll!GetStartupInfoA 760419C9 5 Bytes JMP 00CE0082
.text C:\Windows\system32\svchost.exe[4340] kernel32.dll!CreateProcessW 76041BF3 5 Bytes JMP 00CE0EF5
.text C:\Windows\system32\svchost.exe[4340] kernel32.dll!CreateProcessA 76041C28 5 Bytes JMP 00CE0F1A
.text C:\Windows\system32\svchost.exe[4340] kernel32.dll!VirtualProtect 76041DC3 5 Bytes JMP 00CE0042
.text C:\Windows\system32\svchost.exe[4340] kernel32.dll!CreateNamedPipeA 76042EF5 5 Bytes JMP 00CE0FCA
.text C:\Windows\system32\svchost.exe[4340] kernel32.dll!CreateNamedPipeW 76045C0C 5 Bytes JMP 00CE0FB9
.text C:\Windows\system32\svchost.exe[4340] kernel32.dll!CreatePipe 76068F06 5 Bytes JMP 00CE0067
.text C:\Windows\system32\svchost.exe[4340] kernel32.dll!LoadLibraryExW 7606927C 5 Bytes JMP 00CE0F68
.text C:\Windows\system32\svchost.exe[4340] kernel32.dll!LoadLibraryW 76069400 5 Bytes JMP 00CE0F94
.text C:\Windows\system32\svchost.exe[4340] kernel32.dll!LoadLibraryExA 76069554 5 Bytes JMP 00CE0F79
.text C:\Windows\system32\svchost.exe[4340] kernel32.dll!LoadLibraryA 7606957C 5 Bytes JMP 00CE001B
.text C:\Windows\system32\svchost.exe[4340] kernel32.dll!VirtualProtectEx 7606DC52 5 Bytes JMP 00CE0F4D
.text C:\Windows\system32\svchost.exe[4340] kernel32.dll!GetProcAddress 7608925B 5 Bytes JMP 00CE00A7
.text C:\Windows\system32\svchost.exe[4340] kernel32.dll!CreateFileW 7608B0EB 5 Bytes JMP 00CE0000
.text C:\Windows\system32\svchost.exe[4340] kernel32.dll!CreateFileA 7608D07F 5 Bytes JMP 00CE0FEF
.text C:\Windows\system32\svchost.exe[4340] kernel32.dll!WinExec 760D60CF 5 Bytes JMP 00CE0F2B
.text C:\Windows\system32\svchost.exe[4340] msvcrt.dll!_wsystem 76DB7F3F 5 Bytes JMP 00CF0FB0
.text C:\Windows\system32\svchost.exe[4340] msvcrt.dll!system 76DB805B 5 Bytes JMP 00CF0FC1
.text C:\Windows\system32\svchost.exe[4340] msvcrt.dll!_creat 76DBBBF1 5 Bytes JMP 00CF0FD2
.text C:\Windows\system32\svchost.exe[4340] msvcrt.dll!_open 76DBD116 5 Bytes JMP 00CF0000
.text C:\Windows\system32\svchost.exe[4340] msvcrt.dll!_wcreat 76DBD336 5 Bytes JMP 00CF0027
.text C:\Windows\system32\svchost.exe[4340] msvcrt.dll!_wopen 76DBD511 5 Bytes JMP 00CF0FE3
.text C:\Windows\system32\svchost.exe[4340] ADVAPI32.dll!RegCreateKeyExA 75A239AB 5 Bytes JMP 00730FCA
.text C:\Windows\system32\svchost.exe[4340] ADVAPI32.dll!RegCreateKeyA 75A23BA9 5 Bytes JMP 0073005B
.text C:\Windows\system32\svchost.exe[4340] ADVAPI32.dll!RegOpenKeyA 75A289C7 5 Bytes JMP 00730FEF
.text C:\Windows\system32\svchost.exe[4340] ADVAPI32.dll!RegCreateKeyW 75A3391E 5 Bytes JMP 0073006C
.text C:\Windows\system32\svchost.exe[4340] ADVAPI32.dll!RegCreateKeyExW 75A341F1 5 Bytes JMP 00730FB9
.text C:\Windows\system32\svchost.exe[4340] ADVAPI32.dll!RegOpenKeyExA 75A37C42 5 Bytes JMP 00730025
.text C:\Windows\system32\svchost.exe[4340] ADVAPI32.dll!RegOpenKeyW 75A3E2B5 5 Bytes JMP 00730014
.text C:\Windows\system32\svchost.exe[4340] ADVAPI32.dll!RegOpenKeyExW 75A47BA1 5 Bytes JMP 00730040
.text C:\Windows\system32\svchost.exe[4340] WS2_32.dll!socket 75B636D1 5 Bytes JMP 00770000
.text C:\Windows\system32\svchost.exe[4632] ntdll.dll!NtCreateFile 76F44244 5 Bytes JMP 00040000
.text C:\Windows\system32\svchost.exe[4632] ntdll.dll!NtCreateProcess 76F44304 5 Bytes JMP 00040036
.text C:\Windows\system32\svchost.exe[4632] ntdll.dll!NtProtectVirtualMemory 76F44BA4 5 Bytes JMP 00040025
.text C:\Windows\system32\svchost.exe[4632] kernel32.dll!GetStartupInfoW 76041929 5 Bytes JMP 00010F6A
.text C:\Windows\system32\svchost.exe[4632] kernel32.dll!GetStartupInfoA 760419C9 5 Bytes JMP 000100BA
.text C:\Windows\system32\svchost.exe[4632] kernel32.dll!CreateProcessW 76041BF3 5 Bytes JMP 00010F3E
.text C:\Windows\system32\svchost.exe[4632] kernel32.dll!CreateProcessA 76041C28 5 Bytes JMP 000100D5
.text C:\Windows\system32\svchost.exe[4632] kernel32.dll!VirtualProtect 76041DC3 5 Bytes JMP 0001007D
.text C:\Windows\system32\svchost.exe[4632] kernel32.dll!CreateNamedPipeA 76042EF5 5 Bytes JMP 00010036
.text C:\Windows\system32\svchost.exe[4632] kernel32.dll!CreateNamedPipeW 76045C0C 5 Bytes JMP 00010FE5
.text C:\Windows\system32\svchost.exe[4632] kernel32.dll!CreatePipe 76068F06 5 Bytes JMP 0001009F
.text C:\Windows\system32\svchost.exe[4632] kernel32.dll!LoadLibraryExW 7606927C 5 Bytes JMP 0001006C
.text C:\Windows\system32\svchost.exe[4632] kernel32.dll!LoadLibraryW 76069400 5 Bytes JMP 00010FAF
.text C:\Windows\system32\svchost.exe[4632] kernel32.dll!LoadLibraryExA 76069554 5 Bytes JMP 0001005B
.text C:\Windows\system32\svchost.exe[4632] kernel32.dll!LoadLibraryA 7606957C 5 Bytes JMP 00010FD4
.text C:\Windows\system32\svchost.exe[4632] kernel32.dll!VirtualProtectEx 7606DC52 5 Bytes JMP 0001008E
.text C:\Windows\system32\svchost.exe[4632] kernel32.dll!GetProcAddress 7608925B 5 Bytes JMP 000100F0
.text C:\Windows\system32\svchost.exe[4632] kernel32.dll!CreateFileW 7608B0EB 5 Bytes JMP 0001001B
.text C:\Windows\system32\svchost.exe[4632] kernel32.dll!CreateFileA 7608D07F 5 Bytes JMP 00010000
.text C:\Windows\system32\svchost.exe[4632] kernel32.dll!WinExec 760D60CF 5 Bytes JMP 00010F59
.text C:\Windows\system32\svchost.exe[4632] msvcrt.dll!_wsystem 76DB7F3F 5 Bytes JMP 00060044
.text C:\Windows\system32\svchost.exe[4632] msvcrt.dll!system 76DB805B 5 Bytes JMP 00060033
.text C:\Windows\system32\svchost.exe[4632] msvcrt.dll!_creat 76DBBBF1 5 Bytes JMP 00060FDE
.text C:\Windows\system32\svchost.exe[4632] msvcrt.dll!_open 76DBD116 5 Bytes JMP 00060FEF
.text C:\Windows\system32\svchost.exe[4632] msvcrt.dll!_wcreat 76DBD336 5 Bytes JMP 00060FC3
.text C:\Windows\system32\svchost.exe[4632] msvcrt.dll!_wopen 76DBD511 5 Bytes JMP 0006000C
.text C:\Windows\system32\svchost.exe[4632] ADVAPI32.dll!RegCreateKeyExA 75A239AB 5 Bytes JMP 00070051
.text C:\Windows\system32\svchost.exe[4632] ADVAPI32.dll!RegCreateKeyA 75A23BA9 5 Bytes JMP 00070FC0
.text C:\Windows\system32\svchost.exe[4632] ADVAPI32.dll!RegOpenKeyA 75A289C7 5 Bytes JMP 00070FEF
.text C:\Windows\system32\svchost.exe[4632] ADVAPI32.dll!RegCreateKeyW 75A3391E 5 Bytes JMP 00070FAF
.text C:\Windows\system32\svchost.exe[4632] ADVAPI32.dll!RegCreateKeyExW 75A341F1 5 Bytes JMP 00070076
.text C:\Windows\system32\svchost.exe[4632] ADVAPI32.dll!RegOpenKeyExA 75A37C42 5 Bytes JMP 0007001B
.text C:\Windows\system32\svchost.exe[4632] ADVAPI32.dll!RegOpenKeyW 75A3E2B5 5 Bytes JMP 0007000A
.text C:\Windows\system32\svchost.exe[4632] ADVAPI32.dll!RegOpenKeyExW 75A47BA1 5 Bytes JMP 00070036
.text C:\Windows\system32\svchost.exe[4632] WS2_32.dll!socket 75B636D1 5 Bytes JMP 0008000A
.text C:\Windows\system32\services.exe[4960] ntdll.dll!NtCreateFile 76F44244 5 Bytes JMP 0085000A
.text C:\Windows\system32\services.exe[4960] ntdll.dll!NtCreateProcess 76F44304 5 Bytes JMP 00850FD4
.text C:\Windows\system32\services.exe[4960] ntdll.dll!NtProtectVirtualMemory 76F44BA4 5 Bytes JMP 00850FE5
.text C:\Windows\system32\services.exe[4960] kernel32.dll!GetStartupInfoW 76041929 5 Bytes JMP 002B0F2B
.text C:\Windows\system32\services.exe[4960] kernel32.dll!GetStartupInfoA 760419C9 5 Bytes JMP 002B0071
.text C:\Windows\system32\services.exe[4960] kernel32.dll!CreateProcessW 76041BF3 5 Bytes JMP 002B0EF8
.text C:\Windows\system32\services.exe[4960] kernel32.dll!CreateProcessA 76041C28 5 Bytes JMP 002B0F09
.text C:\Windows\system32\services.exe[4960] kernel32.dll!VirtualProtect 76041DC3 5 Bytes JMP 002B0F5E
.text C:\Windows\system32\services.exe[4960] kernel32.dll!CreateNamedPipeA 76042EF5 5 Bytes JMP 002B0FB9
.text C:\Windows\system32\services.exe[4960] kernel32.dll!CreateNamedPipeW 76045C0C 5 Bytes JMP 002B0F9E
.text C:\Windows\system32\services.exe[4960] kernel32.dll!CreatePipe 76068F06 5 Bytes JMP 002B0F3C
.text C:\Windows\system32\services.exe[4960] kernel32.dll!LoadLibraryExW 7606927C 5 Bytes JMP 002B0038
.text C:\Windows\system32\services.exe[4960] kernel32.dll!LoadLibraryW 76069400 5 Bytes JMP 002B000A
.text C:\Windows\system32\services.exe[4960] kernel32.dll!LoadLibraryExA 76069554 5 Bytes JMP 002B001B
.text C:\Windows\system32\services.exe[4960] kernel32.dll!LoadLibraryA 7606957C 5 Bytes JMP 002B0F83
.text C:\Windows\system32\services.exe[4960] kernel32.dll!VirtualProtectEx 7606DC52 5 Bytes JMP 002B0F4D
.text C:\Windows\system32\services.exe[4960] kernel32.dll!GetProcAddress 7608925B 5 Bytes JMP 002B00A0
.text C:\Windows\system32\services.exe[4960] kernel32.dll!CreateFileW 7608B0EB 5 Bytes JMP 002B0FD4
.text C:\Windows\system32\services.exe[4960] kernel32.dll!CreateFileA 7608D07F 5 Bytes JMP 002B0FEF
.text C:\Windows\system32\services.exe[4960] kernel32.dll!WinExec 760D60CF 5 Bytes JMP 002B0F1A
.text C:\Windows\system32\services.exe[4960] ADVAPI32.dll!RegCreateKeyExA 75A239AB 5 Bytes JMP 00860057
.text C:\Windows\system32\services.exe[4960] ADVAPI32.dll!RegCreateKeyA 75A23BA9 5 Bytes JMP 00860032
.text C:\Windows\system32\services.exe[4960] ADVAPI32.dll!RegOpenKeyA 75A289C7 5 Bytes JMP 00860FEF
.text C:\Windows\system32\services.exe[4960] ADVAPI32.dll!RegCreateKeyW 75A3391E 5 Bytes JMP 00860FAB
.text C:\Windows\system32\services.exe[4960] ADVAPI32.dll!RegCreateKeyExW 75A341F1 5 Bytes JMP 00860068
.text C:\Windows\system32\services.exe[4960] ADVAPI32.dll!RegOpenKeyExA 75A37C42 5 Bytes JMP 00860FCD
.text C:\Windows\system32\services.exe[4960] ADVAPI32.dll!RegOpenKeyW 75A3E2B5 5 Bytes JMP 00860FDE
.text C:\Windows\system32\services.exe[4960] ADVAPI32.dll!RegOpenKeyExW 75A47BA1 5 Bytes JMP 00860FBC
.text C:\Windows\system32\services.exe[4960] msvcrt.dll!_wsystem 76DB7F3F 5 Bytes JMP 009D003F
.text C:\Windows\system32\services.exe[4960] msvcrt.dll!system 76DB805B 5 Bytes JMP 009D002E
.text C:\Windows\system32\services.exe[4960] msvcrt.dll!_creat 76DBBBF1 5 Bytes JMP 009D000C
.text C:\Windows\system32\services.exe[4960] msvcrt.dll!_open 76DBD116 5 Bytes JMP 009D0FEF
.text C:\Windows\system32\services.exe[4960] msvcrt.dll!_wcreat 76DBD336 5 Bytes JMP 009D001D
.text C:\Windows\system32\services.exe[4960] msvcrt.dll!_wopen 76DBD511 5 Bytes JMP 009D0FD2
.text C:\Windows\system32\services.exe[4960] WS2_32.dll!socket 75B636D1 5 Bytes JMP 00870FE5
.text C:\Windows\system32\lsass.exe[4972] ntdll.dll!NtCreateFile 76F44244 5 Bytes JMP 00170FEF
.text C:\Windows\system32\lsass.exe[4972] ntdll.dll!NtCreateProcess 76F44304 5 Bytes JMP 0017001B
.text C:\Windows\system32\lsass.exe[4972] ntdll.dll!NtProtectVirtualMemory 76F44BA4 5 Bytes JMP 0017000A
.text C:\Windows\system32\lsass.exe[4972] kernel32.dll!GetStartupInfoW 76041929 5 Bytes JMP 0016009D
.text C:\Windows\system32\lsass.exe[4972] kernel32.dll!GetStartupInfoA 760419C9 5 Bytes JMP 00160F57
.text C:\Windows\system32\lsass.exe[4972] kernel32.dll!CreateProcessW 76041BF3 5 Bytes JMP 001600EE
.text C:\Windows\system32\lsass.exe[4972] kernel32.dll!CreateProcessA 76041C28 5 Bytes JMP 001600DD
.text C:\Windows\system32\lsass.exe[4972] kernel32.dll!VirtualProtect 76041DC3 5 Bytes JMP 0016005D
.text C:\Windows\system32\lsass.exe[4972] kernel32.dll!CreateNamedPipeA 76042EF5 5 Bytes JMP 00160FDB
.text C:\Windows\system32\lsass.exe[4972] kernel32.dll!CreateNamedPipeW 76045C0C 5 Bytes JMP 0016002C
.text C:\Windows\system32\lsass.exe[4972] kernel32.dll!CreatePipe 76068F06 5 Bytes JMP 00160F68
.text C:\Windows\system32\lsass.exe[4972] kernel32.dll!LoadLibraryExW 7606927C 5 Bytes JMP 00160F83
.text C:\Windows\system32\lsass.exe[4972] kernel32.dll!LoadLibraryW 76069400 5 Bytes JMP 00160FAF
.text C:\Windows\system32\lsass.exe[4972] kernel32.dll!LoadLibraryExA 76069554 5 Bytes JMP 00160F94
.text C:\Windows\system32\lsass.exe[4972] kernel32.dll!LoadLibraryA 7606957C 5 Bytes JMP 00160FC0
.text C:\Windows\system32\lsass.exe[4972] kernel32.dll!VirtualProtectEx 7606DC52 5 Bytes JMP 0016006E
.text C:\Windows\system32\lsass.exe[4972] kernel32.dll!GetProcAddress 7608925B 5 Bytes JMP 00160109
.text C:\Windows\system32\lsass.exe[4972] kernel32.dll!CreateFileW 7608B0EB 5 Bytes JMP 0016001B
.text C:\Windows\system32\lsass.exe[4972] kernel32.dll!CreateFileA 7608D07F 5 Bytes JMP 0016000A
.text C:\Windows\system32\lsass.exe[4972] kernel32.dll!WinExec 760D60CF 5 Bytes JMP 001600C2
.text C:\Windows\system32\lsass.exe[4972] ADVAPI32.dll!RegCreateKeyExA 75A239AB 5 Bytes JMP 00180087
.text C:\Windows\system32\lsass.exe[4972] ADVAPI32.dll!RegCreateKeyA 75A23BA9 5 Bytes JMP 00180062
.text C:\Windows\system32\lsass.exe[4972] ADVAPI32.dll!RegOpenKeyA 75A289C7 5 Bytes JMP 00180000
.text C:\Windows\system32\lsass.exe[4972] ADVAPI32.dll!RegCreateKeyW 75A3391E 5 Bytes JMP 00180FDB
.text C:\Windows\system32\lsass.exe[4972] ADVAPI32.dll!RegCreateKeyExW 75A341F1 5 Bytes JMP 00180FC0
.text C:\Windows\system32\lsass.exe[4972] ADVAPI32.dll!RegOpenKeyExA 75A37C42 5 Bytes JMP 00180040
.text C:\Windows\system32\lsass.exe[4972] ADVAPI32.dll!RegOpenKeyW 75A3E2B5 5 Bytes JMP 00180025
.text C:\Windows\system32\lsass.exe[4972] ADVAPI32.dll!RegOpenKeyExW 75A47BA1 5 Bytes JMP 00180051
.text C:\Windows\system32\lsass.exe[4972] msvcrt.dll!_wsystem 76DB7F3F 5 Bytes JMP 001F0031
.text C:\Windows\system32\lsass.exe[4972] msvcrt.dll!system 76DB805B 5 Bytes JMP 001F0F9C
.text C:\Windows\system32\lsass.exe[4972] msvcrt.dll!_creat 76DBBBF1 5 Bytes JMP 001F000C
.text C:\Windows\system32\lsass.exe[4972] msvcrt.dll!_open 76DBD116 5 Bytes JMP 001F0FEF
.text C:\Windows\system32\lsass.exe[4972] msvcrt.dll!_wcreat 76DBD336 5 Bytes JMP 001F0FB7
.text C:\Windows\system32\lsass.exe[4972] msvcrt.dll!_wopen 76DBD511 5 Bytes JMP 001F0FD2
.text C:\Windows\system32\lsass.exe[4972] WS2_32.dll!socket 75B636D1 5 Bytes JMP 001E0FEF
.text C:\Windows\system32\svchost.exe[5144] ntdll.dll!NtCreateFile 76F44244 5 Bytes JMP 00270FEF
.text C:\Windows\system32\svchost.exe[5144] ntdll.dll!NtCreateProcess 76F44304 5 Bytes JMP 00270014
.text C:\Windows\system32\svchost.exe[5144] ntdll.dll!NtProtectVirtualMemory 76F44BA4 5 Bytes JMP 00270FD4
.text C:\Windows\system32\svchost.exe[5144] kernel32.dll!GetStartupInfoW 76041929 5 Bytes JMP 00260F32
.text C:\Windows\system32\svchost.exe[5144] kernel32.dll!GetStartupInfoA 760419C9 5 Bytes JMP 00260F4D
.text C:\Windows\system32\svchost.exe[5144] kernel32.dll!CreateProcessW 76041BF3 5 Bytes JMP 002600B1
  #7  
Old April 28th, 2012, 02:53 AM
speedracer
Senior Member
 
Join Date: Feb 2003
O/S: Windows XP Pro
Location: Charlotte, NC
Age: 44
Posts: 193
GMER part III:


---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\mfevtps.exe[1196] @ C:\Windows\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [011CA4D0] C:\Windows\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT C:\Windows\system32\mfevtps.exe[1196] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [011CA530] C:\Windows\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT C:\Windows\Explorer.EXE[3800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73F17817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73F6A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73F1BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73F0F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73F175E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73F0E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73F48395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [73F1DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73F0FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73F0FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73F071CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [73F9CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [73F3C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73F0D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73F06853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73F0687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73F12AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp mfewfpk.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp mfewfpk.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----
  #8  
Old April 28th, 2012, 02:54 AM
speedracer
Senior Member
 
Join Date: Feb 2003
O/S: Windows XP Pro
Location: Charlotte, NC
Age: 44
Posts: 193
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-04-27 21:27:15
-----------------------------
21:27:15.782 OS Version: Windows 6.0.6002 Service Pack 2
21:27:15.782 Number of processors: 2 586 0x6B01
21:27:15.784 ComputerName: SPEEDRACER531 UserName: Dad
21:27:17.614 Initialize success
21:29:13.692 AVAST engine defs: 12042701
21:29:29.114 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000057
21:29:29.220 Disk 0 Vendor: Hitachi_ V5DO Size: 238418MB BusType: 6
21:29:29.405 Disk 0 MBR read successfully
21:29:29.411 Disk 0 MBR scan
21:29:29.419 Disk 0 Windows VISTA default MBR code
21:29:29.429 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
21:29:29.517 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10240 MB offset 81920
21:29:29.585 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 228137 MB offset 21053440
21:29:29.739 Disk 0 scanning sectors +488278016
21:29:30.168 Disk 0 scanning C:\Windows\system32\drivers
21:30:44.337 Service scanning
21:31:17.067 Modules scanning
21:31:34.528 Disk 0 trace - called modules:
21:31:34.613 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
21:31:34.623 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86540858]
21:31:34.637 3 CLASSPNP.SYS[807e48b3] -> nt!IofCallDriver -> [0x85ab4e00]
21:31:34.651 5 acpi.sys[806096bc] -> nt!IofCallDriver -> \Device\00000057[0x85ae0938]
21:31:35.546 AVAST engine scan C:\Windows
21:31:50.661 AVAST engine scan C:\Windows\system32
21:35:56.936 AVAST engine scan C:\Windows\system32\drivers
21:36:14.770 AVAST engine scan C:\Users\Dad
21:41:49.244 Disk 0 MBR has been saved successfully to "C:\Users\Dad\Desktop\MBR.dat"
21:41:49.265 The log file has been saved successfully to "C:\Users\Dad\Desktop\aswMBR.txt"
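The aswMBR log above reports the MBR code type, the three partition entries, a tail scan starting at sector 488278016, and a saved copy of the sector (MBR.dat). The Python below is an added example, not aswMBR's code and not part of the post: it parses a raw 512-byte MBR, prints the partition entries in the shape aswMBR uses, runs the consistency checks an analyst otherwise does by hand (exactly one active flag, valid status bytes, no overlapping entries, nothing past the end of the disk), and computes the first sector after the last partition. For the posted geometry that is 21053440 + 228137*2048 = 488278016, the same offset aswMBR reports as "scanning sectors +488278016": the unallocated tail of the disk, which some bootkits use for hidden storage. The sample MBR is constructed here to match the log; its boot code is zero-filled, and the Dell Utility sector count (80262) and the disk size in sectors are assumptions, so the boot-code hash it prints is not a reference for genuine Vista MBR code.

```python
"""Parse a raw 512-byte MBR (such as the MBR.dat aswMBR saves) and reproduce
the partition summary plus layout sanity checks.  Added example for this
thread; not aswMBR's code.  SAMPLE_MBR is constructed to match the posted
log: zero-filled boot code (assumption), Dell Utility length 80262 sectors
(assumption), disk size derived from the log's 238418MB (approximation)."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440             # bytes 0..439 are executable boot code
DISK_SIG_OFF = 0x1B8            # 32-bit NT disk signature
PART_TABLE_OFF = 0x1BE          # four 16-byte entries, 0x1BE..0x1FD

# Partition-type bytes worth naming; anything else is reported as unknown.
PART_TYPES = {
    0x05: "Extended", 0x07: "HPFS/NTFS", 0x0B: "W95 FAT32", 0x0C: "W95 FAT32 (LBA)",
    0x0F: "W95 Ext'd (LBA)", 0x27: "Hidden NTFS WinRE", 0x82: "Linux swap",
    0x83: "Linux", 0xDE: "Dell Utility", 0xEE: "GPT protective",
}


def build_mbr(parts, disk_sig=0x5A3B1C04, boot_code=b""):
    """Assemble an MBR from (status, type, lba_start, sector_count) tuples.
    Used only to construct sample input; real analysis starts from a dump."""
    if len(parts) > 4:
        raise ValueError("an MBR holds at most four primary entries")
    mbr = bytearray(boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN])
    mbr += struct.pack("<IH", disk_sig, 0)          # disk signature + 2 reserved bytes
    for status, ptype, start, count in parts:
        # CHS start/end set to the FE FF FF "use the LBA fields" marker.
        mbr += struct.pack("<B3sB3sII", status, b"\xFE\xFF\xFF", ptype, b"\xFE\xFF\xFF", start, count)
    mbr += bytes(16 * (4 - len(parts)))             # unused slots are all zero
    mbr += b"\x55\xAA"                              # boot signature
    return bytes(mbr)


def parse_mbr(mbr):
    """Return boot-code hash, disk signature and the non-empty partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError("expected %d bytes, got %d" % (SECTOR, len(mbr)))
    if mbr[510:512] != b"\x55\xAA":
        raise ValueError("boot signature 0x55AA missing")
    parts = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0 and count == 0:
            continue
        parts.append({
            "index": i + 1, "status": status, "active": status == 0x80,
            "type": ptype, "name": PART_TYPES.get(ptype, "unknown"),
            "start": start, "sectors": count,
            "mb": count * SECTOR // (1024 * 1024),  # whole MB, rounded down
        })
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "partitions": parts,
    }


def check_mbr(info, disk_sectors=None):
    """Layout checks.  Returns (findings, first sector after the last partition);
    an empty findings list means the table is internally consistent."""
    findings = []
    parts = sorted(info["partitions"], key=lambda p: p["start"])
    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        findings.append("%d active partitions, expected exactly one" % len(active))
    prev_end = 1                                    # sector 0 is the MBR itself
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append("partition %d has invalid status byte 0x%02X" % (p["index"], p["status"]))
        if p["name"] == "unknown":
            findings.append("partition %d has unrecognised type 0x%02X" % (p["index"], p["type"]))
        if p["start"] < prev_end:
            findings.append("partition %d overlaps the previous entry" % p["index"])
        prev_end = p["start"] + p["sectors"]
        if disk_sectors is not None and prev_end > disk_sectors:
            findings.append("partition %d runs past the end of the disk" % p["index"])
    return findings, prev_end


def describe(info):
    """One line per partition, laid out the way aswMBR prints them."""
    return ["Partition %d %02X %s%02X %s %d MB offset %d" % (
        p["index"], p["status"], "(A) " if p["active"] else "", p["type"],
        p["name"], p["mb"], p["start"]) for p in info["partitions"]]


SAMPLE_MBR = build_mbr([
    (0x00, 0xDE, 63, 80262),               # Dell Utility, 39 MB (length assumed)
    (0x00, 0x07, 81920, 20971520),         # NTFS, 10240 MB
    (0x80, 0x07, 21053440, 467224576),     # NTFS, 228137 MB, active
])
DISK_SECTORS = 238418 * 1024 * 1024 // SECTOR   # from "Size: 238418MB" (approximate)

if __name__ == "__main__":
    info = parse_mbr(SAMPLE_MBR)
    print("boot code sha256:", info["boot_code_sha256"])
    print("\n".join(describe(info)))
    findings, tail = check_mbr(info, DISK_SECTORS)
    print("first sector after last partition: +%d" % tail)
    print("findings:", findings or "none")
```

To check a real dump, read MBR.dat in binary mode and pass the bytes to `parse_mbr`; compare the boot-code hash against a copy taken from a known-clean machine with the same Windows version, since the hash of this zero-filled sample means nothing.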
  #9  
Old April 29th, 2012, 01:43 AM
Jintan
Malware Removal Team Advisor
 
Join Date: Dec 2004
Posts: 50,144
Some remnants of adware, but either the Gmer log shows a very busy malware function, or McAfee loading into everything to monitor activities. How long has McAfee been installed there? It just does have a really bad record for slowness and other issues.

Do you know how to save any registration info, in case you want to reinstall it, and then uninstall McAfee, reboot, run and post the same scan logs, and also check for improvement?
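One way to triage the user-mode hook section of the GMER log above, and the either/or in the reply (a busy malware function versus McAfee loading into everything): the parser below, an added example that is not GMER's code and not part of the thread, groups the inline `.text` JMP patches by process, collapses their JMP targets into 64 KiB allocation regions, and separates them from entries GMER could attribute to a file on disk (as it did for the mfevtps.exe and Explorer.EXE IAT lines). The API set hooked in svchost.exe[5960] (process creation, library loading, memory protection, registry, file creation, `socket`) is one that both host intrusion prevention products and malware hook, so the log alone does not settle the question; the actionable check is to compare the unattributed regions against the process's loaded-module list. The sample input is an excerpt of the posted log with the WinSxS path re-joined; `needs_module_check` and the 64 KiB grouping are this example's own choices.

```python
"""Triage the user-mode hook section of a GMER log: which processes carry
inline .text patches, where the trampolines point, and which entries GMER
attributed to a module on disk.  Added example for this thread; not GMER's
code.  SAMPLE_LOG is an excerpt of the GMER output posted above."""
import re
from collections import defaultdict

# Windows reserves user-mode memory in 64 KiB chunks, so JMP targets that
# share a 64 KiB region almost certainly sit in the same allocation.
ALLOC_GRANULARITY = 0x10000

# ".text <proc>[pid] <module>!<export> <addr> <n> Bytes JMP <target> [<owner>]"
INLINE_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<export>\S+)\s+(?P<addr>[0-9A-Fa-f]+)\s+"
    r"(?P<size>\d+)\s+Bytes\s+(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<owner>\S.*))?$")
# "IAT <proc>[pid] @ <importer> [<module>!<export>] [<target>] <path> (<desc>)"
IAT_RE = re.compile(
    r"^IAT\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<importer>\S+)\s+"
    r"\[(?P<module>[^!\]]+)!(?P<export>[^\]]+)\]\s+\[(?P<target>[0-9A-Fa-f]+)\]\s+"
    r"(?P<path>\S+)(?:\s+\((?P<desc>[^)]*)\))?$")

# Excerpt of the posted log (WinSxS path re-joined), not a new capture.
SAMPLE_LOG = r"""
.text C:\Windows\system32\svchost.exe[5960] ntdll.dll!NtProtectVirtualMemory 76F44BA4 5 Bytes JMP 006F000A
.text C:\Windows\system32\svchost.exe[5960] kernel32.dll!CreateProcessW 76041BF3 5 Bytes JMP 00210F21
.text C:\Windows\system32\svchost.exe[5960] ADVAPI32.dll!RegOpenKeyExW 75A47BA1 5 Bytes JMP 00700022
.text C:\Windows\system32\svchost.exe[5960] WS2_32.dll!socket 75B636D1 5 Bytes JMP 00750FEF
IAT C:\Windows\system32\mfevtps.exe[1196] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [011CA530] C:\Windows\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT C:\Windows\Explorer.EXE[3800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73F06853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
"""


def parse_gmer(lines):
    """One dict per inline or IAT hook line; every other GMER line is ignored."""
    hooks = []
    for line in lines:
        line = line.strip()
        m = INLINE_RE.match(line)
        if m:
            d = m.groupdict()
            hooks.append({"kind": "inline", "proc": d["proc"], "pid": int(d["pid"]),
                          "module": d["module"].lower(), "export": d["export"],
                          "patched_at": int(d["addr"], 16), "patch_len": int(d["size"]),
                          "target": int(d["target"], 16),
                          "owner": d["owner"]})     # None: GMER printed no module after the target
            continue
        m = IAT_RE.match(line)
        if m:
            d = m.groupdict()
            hooks.append({"kind": "iat", "proc": d["proc"], "pid": int(d["pid"]),
                          "module": d["module"].lower(), "export": d["export"],
                          "patched_at": None, "patch_len": None,
                          "target": int(d["target"], 16),
                          "owner": d["path"] + (" (%s)" % d["desc"] if d["desc"] else "")})
    return hooks


def summarize(hooks):
    """Per (process, pid): hook count, modules touched, attributed count, and the
    distinct 64 KiB regions that unattributed trampolines jump into."""
    summary = defaultdict(lambda: {"hooks": 0, "modules": set(),
                                   "attributed": 0, "unattributed_regions": set()})
    for h in hooks:
        s = summary[(h["proc"], h["pid"])]
        s["hooks"] += 1
        s["modules"].add(h["module"])
        if h["owner"] is None:
            s["unattributed_regions"].add(h["target"] & ~(ALLOC_GRANULARITY - 1))
        else:
            s["attributed"] += 1
    return dict(summary)


def needs_module_check(summary):
    """Processes whose hooks point into memory GMER did not map to a file.  Those
    regions must be compared with the process's loaded-module list: a security
    product's injected code and malware look identical at this point."""
    return sorted((k for k, s in summary.items() if s["unattributed_regions"]), key=lambda k: k[1])


if __name__ == "__main__":
    summary = summarize(parse_gmer(SAMPLE_LOG.splitlines()))
    for (proc, pid), s in sorted(summary.items(), key=lambda kv: kv[0][1]):
        regions = ", ".join("%08X" % r for r in sorted(s["unattributed_regions"]))
        print("%s[%d]: %d hooks in %s; %d attributed; unattributed regions: %s" % (
            proc, pid, s["hooks"], ", ".join(sorted(s["modules"])), s["attributed"], regions or "none"))
    print("verify module list for:", ["%s[%d]" % k for k in needs_module_check(summary)])
```

Feed it the whole GMER text (`parse_gmer(open("gmer.log").read().splitlines())`) to get the per-process picture for every hooked process. GMER also prints patches as raw byte lists rather than `JMP`/`CALL`; those lines are skipped here, and a process the report lists under "verify module list" is only resolved once each region is matched, or fails to match, against the modules actually loaded in that process.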