[RESOLVED] Had some Fake Alerts, now computer is very slow.

Printable View

Show 40 post(s) from this thread on one page

March 14th, 2011, 08:23 PM
krh1326

1 Attachment(s)

[RESOLVED] Had some Fake Alerts, now computer is very slow.

Hello,

I have 3 kids that have been using my computer, for anything from gaming to downloading music etc.

I have noticed that my computer has slowed down, and I get alot of the fake alert notices that my computer is infected...blah, blah blah.

I do use McAfee virus and firewall. I do scan with Malwarebyts. I do use Ccleaner, and try to keep disk defragged.

Thank you very much for your help.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Ken Henrikson at 18:48:04.31 on Sun 03/13/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2815.2317 [GMT -4:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Ken Henrikson\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uInternet Connection Wizard,ShellNext = iexplore
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110112071253.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.0"
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatchTray10.exe"
mRun: [DMXLauncher] "c:\program files\roxio\cineplayer\DMXLauncher.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1265501466609
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1265566893765
DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_5.0.31.0.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\kenhen~1\applic~1\mozilla\firefox\profiles\ovu13fza.default\
FF - prefs.js: browser.startup.homepage - hxxp://msnmember.msn.com/
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBook.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBookDB.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpNeoLogger.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSaturn.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSeymour.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartSelect.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSWPOperation.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPLogging.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTC.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTL.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXREStub.dll
FF - plugin: c:\documents and settings\ken henrikson\application data\mozilla\firefox\profiles\ovu13fza.default\extensions\[email protected]\platform\winnt_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\documents and settings\ken henrikson\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\plugins\nphpclipbook.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: HP Smart Web Printing: [email protected] - c:\program files\hp\digital imaging\smart web printing\MozillaAddOn3
FF - Ext: HP Smart Web Printing: [email protected] - c:\program files\hp\digital imaging\smart web printing\MozillaAddOn3
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Battlefield Heroes Updater: [email protected] - %profile%\extensions\[email protected]
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-1-12 386840]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-1-12 84072]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-1-12 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-1-12 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-1-12 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-1-12 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-1-12 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-1-12 141792]
R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\nero\nero8\incd\NBHRegInCDSrv.exe [2008-2-28 53032]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-1-12 55840]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-1-12 152960]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-1-12 52104]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-1-12 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-1-12 88544]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2010-2-6 993280]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\roxio\digital home 10\RoxioUpnpService10.exe [2008-6-23 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2008-6-23 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2008-6-23 166384]
S2 SessionLauncher;SessionLauncher;c:\docume~1\kenhen~1\locals~1\temp\dx9\sessionlauncher.exe --> c:\docume~1\kenhen~1\locals~1\temp\dx9\SessionLauncher.exe [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-1-12 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-1-12 84264]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2011-1-22 39456]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\roxio\digital home 10\RoxioUPnPRenderer10.exe [2008-6-23 313840]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2008-6-23 1120752]
S3 samhid;samhid;c:\windows\system32\drivers\samhid.sys --> c:\windows\system32\drivers\samhid.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-03-11 23:01:22 -------- d-----w- c:\program files\Firaxis Games
2011-03-09 04:07:41 -------- d-----w- c:\windows\system32\????ocuments and Settings
2011-03-07 20:23:17 -------- d-----w- c:\windows\system32\??
2011-02-26 22:13:38 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
2011-02-26 22:13:34 49920 ----a-r- c:\windows\system32\drivers\HPZid412.sys
2011-02-26 22:13:08 21568 ----a-r- c:\windows\system32\drivers\HPZius12.sys
2011-02-26 22:12:46 372736 ----a-r- c:\windows\system32\hppldcoi.dll
2011-02-26 22:12:46 309760 ----a-r- c:\windows\system32\difxapi.dll
2011-02-26 22:12:45 966656 ----a-r- c:\windows\system32\hpost_p02c.dll
2011-02-26 22:12:45 712704 ----a-r- c:\windows\system32\hposwia_p02c.dll
2011-02-26 22:12:45 315392 ----a-r- c:\windows\system32\hposc_p02a.dll
2011-02-26 22:07:55 -------- d-----w- c:\program files\common files\HP
2011-02-26 19:02:58 -------- d-----w- c:\program files\Cisco Systems
2011-02-26 18:54:41 -------- d-----w- c:\docume~1\alluse~1\applic~1\Cisco Systems
.
==================== Find3M ====================
.
2011-03-07 03:42:07 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-03-07 03:42:07 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-03-07 03:41:49 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-03-05 19:10:28 270240 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-03-05 19:10:28 270240 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-02-27 12:43:56 270240 ----a-w- c:\windows\system32\PnkBstrB.ex0
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-16 17:59:04 138056 -c--a-w- c:\docume~1\kenhen~1\applic~1\PnkBstrK.sys
2011-01-16 17:58:22 75136 ----a-w- c:\windows\system32\PnkBstrA.exe
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59:19 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 18:48:31.48 ===============

GMER 1.0.15.15530 - GMER - Rootkit Detector and Remover
Rootkit scan 2011-03-13 19:00:17
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-6 ST3500410AS rev.CC34
Running: gmer.exe; Driver: C:\DOCUME~1\KENHEN~1\LOCALS~1\Temp\kwldqpod.sys

---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB7EAF0E0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB7EAF0F4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB7EAF120]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB7EAF176]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB7EAF0CC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB7EAF0A4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB7EAF0B8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB7EAF10A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB7EAF14C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB7EAF136]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB7EAF1A0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB7EAF18C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB7EAF160]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504B08 7 Bytes JMP B7EAF164 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB70CA3A0, 0x59FFE5, 0xE8000020]
init C:\WINDOWS\system32\drivers\monfilt.sys entry point in "init" section [0xB4A97280]
? C:\DOCUME~1\KENHEN~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[468] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C00FEF
.text C:\WINDOWS\Explorer.EXE[468] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C0000A
.text C:\WINDOWS\Explorer.EXE[468] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C00FD4
.text C:\WINDOWS\Explorer.EXE[468] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BF0000
.text C:\WINDOWS\Explorer.EXE[468] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BF009A
.text C:\WINDOWS\Explorer.EXE[468] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BF0FAF
.text C:\WINDOWS\Explorer.EXE[468] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BF0089
.text C:\WINDOWS\Explorer.EXE[468] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BF0062
.text C:\WINDOWS\Explorer.EXE[468] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BF0040
.text C:\WINDOWS\Explorer.EXE[468] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BF0F59
.text C:\WINDOWS\Explorer.EXE[468] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BF0F74
.text C:\WINDOWS\Explorer.EXE[468] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BF00EB
.text C:\WINDOWS\Explorer.EXE[468] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BF0F48
.text C:\WINDOWS\Explorer.EXE[468] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BF00FC
.text C:\WINDOWS\Explorer.EXE[468] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BF0051
.text C:\WINDOWS\Explorer.EXE[468] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BF0FE5
.text C:\WINDOWS\Explorer.EXE[468] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BF00AB
.text C:\WINDOWS\Explorer.EXE[468] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BF0FD4
.text C:\WINDOWS\Explorer.EXE[468] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BF0025
.text C:\WINDOWS\Explorer.EXE[468] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BF00C6
.text C:\WINDOWS\Explorer.EXE[468] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BE0014
.text C:\WINDOWS\Explorer.EXE[468] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BE0F9E
.text C:\WINDOWS\Explorer.EXE[468] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BE0FC3
.text C:\WINDOWS\Explorer.EXE[468] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BE0FDE
.text C:\WINDOWS\Explorer.EXE[468] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BE0051
.text C:\WINDOWS\Explorer.EXE[468] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\Explorer.EXE[468] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BE0040
.text C:\WINDOWS\Explorer.EXE[468] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BE0025
.text C:\WINDOWS\Explorer.EXE[468] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D4005A
.text C:\WINDOWS\Explorer.EXE[468] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D40FCF
.text C:\WINDOWS\Explorer.EXE[468] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D40038
.text C:\WINDOWS\Explorer.EXE[468] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D40000
.text C:\WINDOWS\Explorer.EXE[468] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D40049
.text C:\WINDOWS\Explorer.EXE[468] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D40011
.text C:\WINDOWS\Explorer.EXE[468] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00C20000
.text C:\WINDOWS\Explorer.EXE[468] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00C20FEF
.text C:\WINDOWS\Explorer.EXE[468] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00C20FD4
.text C:\WINDOWS\Explorer.EXE[468] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 00C20FC3
.text C:\WINDOWS\Explorer.EXE[468] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D3000A
.text C:\WINDOWS\system32\svchost.exe[748] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C00000
.text C:\WINDOWS\system32\svchost.exe[748] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C00022
.text C:\WINDOWS\system32\svchost.exe[748] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C00011
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BF0FE5
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BF0F5B
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BF0050
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BF003F
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BF0F80
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BF0F9B
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BF0086
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BF0075
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BF00C3
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BF00B2
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BF00D4
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BF0022
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BF0F4A
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BF0011
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BF0FCA
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BF0097
.text C:\WINDOWS\system32\svchost.exe[748] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BE0FAF
.text C:\WINDOWS\system32\svchost.exe[748] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BE0F83
.text C:\WINDOWS\system32\svchost.exe[748] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BE0000
.text C:\WINDOWS\system32\svchost.exe[748] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BE0FCA
.text C:\WINDOWS\system32\svchost.exe[748] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BE0036
.text C:\WINDOWS\system32\svchost.exe[748] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\system32\svchost.exe[748] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BE0025
.text C:\WINDOWS\system32\svchost.exe[748] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BE0F9E
.text C:\WINDOWS\system32\svchost.exe[748] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C30042
.text C:\WINDOWS\system32\svchost.exe[748] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C30FC1
.text C:\WINDOWS\system32\svchost.exe[748] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C30FE3
.text C:\WINDOWS\system32\svchost.exe[748] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C30000
.text C:\WINDOWS\system32\svchost.exe[748] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C30FD2
.text C:\WINDOWS\system32\svchost.exe[748] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C3001D
.text C:\WINDOWS\system32\svchost.exe[748] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00C10FE5
.text C:\WINDOWS\system32\svchost.exe[748] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00C10000
.text C:\WINDOWS\system32\svchost.exe[748] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00C10011
.text C:\WINDOWS\system32\svchost.exe[748] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 00C10FC0
.text C:\WINDOWS\system32\svchost.exe[748] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C2000A
.text C:\WINDOWS\system32\svchost.exe[904] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00B60000
.text C:\WINDOWS\system32\svchost.exe[904] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B60FDB
.text C:\WINDOWS\system32\svchost.exe[904] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B60011
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B50000
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B50089
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B50078
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B50F9E
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B50FAF
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B5002C
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B500D2
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B500B5
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B50F4D
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B50F5E
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B50F28
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B50047
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B50011
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B5009A
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B50FC0
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B50FD1
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B50F79
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B40FBC
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B40028
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B40FCD
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B40FDE
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B40F75
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B40FEF
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B40F90
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D4, 88] {AAM 0x88}
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B40FA1
.text C:\WINDOWS\system32\svchost.exe[904] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B70075
.text C:\WINDOWS\system32\svchost.exe[904] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B7005A
.text C:\WINDOWS\system32\svchost.exe[904] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B7002E
.text C:\WINDOWS\system32\svchost.exe[904] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B70000
.text C:\WINDOWS\system32\svchost.exe[904] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B7003F
.text C:\WINDOWS\system32\svchost.exe[904] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B70011
.text C:\WINDOWS\system32\svchost.exe[920] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01CD0000
.text C:\WINDOWS\system32\svchost.exe[920] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 01CD0022
.text C:\WINDOWS\system32\svchost.exe[920] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01CD0011
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01CC0000
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01CC0F99
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01CC008E
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01CC007D
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01CC006C
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01CC0FCA
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01CC00D5
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01CC00C4
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01CC010B
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01CC00F0
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01CC011C
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01CC005B
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01CC0FDB
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01CC00B3
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01CC0036
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01CC001B
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01CC0F72
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01CB0FAF
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01CB0062
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01CB000A
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01CB0FD4
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01CB0051
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01CB0FEF
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01CB0036
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01CB001B
.text C:\WINDOWS\system32\svchost.exe[920] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01D90044
.text C:\WINDOWS\system32\svchost.exe[920] msvcrt.dll!system 77C293C7 5 Bytes JMP 01D90033
.text C:\WINDOWS\system32\svchost.exe[920] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01D90FD7
.text C:\WINDOWS\system32\svchost.exe[920] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01D90000
.text C:\WINDOWS\system32\svchost.exe[920] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01D90022
.text C:\WINDOWS\system32\svchost.exe[920] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01D90011
.text C:\WINDOWS\system32\svchost.exe[920] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01D80FE5
.text C:\WINDOWS\system32\svchost.exe[920] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01CA0FE5
.text C:\WINDOWS\system32\svchost.exe[920] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 01CA0FCA
.text C:\WINDOWS\system32\svchost.exe[920] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01CA0FB9
.text C:\WINDOWS\system32\svchost.exe[920] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 01CA0000
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[984] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[984] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\services.exe[1104] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0005000A
.text C:\WINDOWS\system32\services.exe[1104] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\services.exe[1104] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0005001B
.text C:\WINDOWS\system32\services.exe[1104] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\services.exe[1104] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00040093
.text C:\WINDOWS\system32\services.exe[1104] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00040F9E
.text C:\WINDOWS\system32\services.exe[1104] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00040FAF
.text C:\WINDOWS\system32\services.exe[1104] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0004006C
.text C:\WINDOWS\system32\services.exe[1104] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0004004A
.text C:\WINDOWS\system32\services.exe[1104] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00040F83
.text C:\WINDOWS\system32\services.exe[1104] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 000400BF
.text C:\WINDOWS\system32\services.exe[1104] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 0004011C
.text C:\WINDOWS\system32\services.exe[1104] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0004010B
.text C:\WINDOWS\system32\services.exe[1104] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00040F68
.text C:\WINDOWS\system32\services.exe[1104] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0004005B
.text C:\WINDOWS\system32\services.exe[1104] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00040FDE
.text C:\WINDOWS\system32\services.exe[1104] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 000400AE
.text C:\WINDOWS\system32\services.exe[1104] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0004002F
.text C:\WINDOWS\system32\services.exe[1104] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00040014
.text C:\WINDOWS\system32\services.exe[1104] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 000400E6
.text C:\WINDOWS\system32\services.exe[1104] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D60FD4
.text C:\WINDOWS\system32\services.exe[1104] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D60FB2
.text C:\WINDOWS\system32\services.exe[1104] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D60025
.text C:\WINDOWS\system32\services.exe[1104] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D60FE5
.text C:\WINDOWS\system32\services.exe[1104] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D60FC3
.text C:\WINDOWS\system32\services.exe[1104] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D60000
.text C:\WINDOWS\system32\services.exe[1104] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D60065
.text C:\WINDOWS\system32\services.exe[1104] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D6004A
.text C:\WINDOWS\system32\services.exe[1104] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00070FA4
.text C:\WINDOWS\system32\services.exe[1104] msvcrt.dll!system 77C293C7 5 Bytes JMP 00070FB5
.text C:\WINDOWS\system32\services.exe[1104] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00070011
.text C:\WINDOWS\system32\services.exe[1104] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[1104] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00070FC6
.text C:\WINDOWS\system32\services.exe[1104] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[1104] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\lsass.exe[1116] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00D00FEF
.text C:\WINDOWS\system32\lsass.exe[1116] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00D00011
.text C:\WINDOWS\system32\lsass.exe[1116] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D00000
.text C:\WINDOWS\system32\lsass.exe[1116] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CF0FEF
.text C:\WINDOWS\system32\lsass.exe[1116] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CF0F55
.text C:\WINDOWS\system32\lsass.exe[1116] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CF004A
.text C:\WINDOWS\system32\lsass.exe[1116] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CF0F70
.text C:\WINDOWS\system32\lsass.exe[1116] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CF0F8D
.text C:\WINDOWS\system32\lsass.exe[1116] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CF0014
.text C:\WINDOWS\system32\lsass.exe[1116] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CF0F27
.text C:\WINDOWS\system32\lsass.exe[1116] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CF0F38
.text C:\WINDOWS\system32\lsass.exe[1116] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CF00A5
.text C:\WINDOWS\system32\lsass.exe[1116] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CF008A
.text C:\WINDOWS\system32\lsass.exe[1116] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CF00B6
.text C:\WINDOWS\system32\lsass.exe[1116] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CF002F
.text C:\WINDOWS\system32\lsass.exe[1116] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CF0FD4
.text C:\WINDOWS\system32\lsass.exe[1116] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CF0065
.text C:\WINDOWS\system32\lsass.exe[1116] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CF0FA8
.text C:\WINDOWS\system32\lsass.exe[1116] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CF0FB9
.text C:\WINDOWS\system32\lsass.exe[1116] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CF0F16
.text C:\WINDOWS\system32\lsass.exe[1116] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E40FC0
.text C:\WINDOWS\system32\lsass.exe[1116] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E40047
.text C:\WINDOWS\system32\lsass.exe[1116] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E40011
.text C:\WINDOWS\system32\lsass.exe[1116] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E40000
.text C:\WINDOWS\system32\lsass.exe[1116] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E40F94
.text C:\WINDOWS\system32\lsass.exe[1116] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E40FEF
.text C:\WINDOWS\system32\lsass.exe[1116] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00E40036
.text C:\WINDOWS\system32\lsass.exe[1116] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E40FAF
.text C:\WINDOWS\system32\lsass.exe[1116] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D20F7A
.text C:\WINDOWS\system32\lsass.exe[1116] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D20F8B
.text C:\WINDOWS\system32\lsass.exe[1116] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D20FC1
.text C:\WINDOWS\system32\lsass.exe[1116] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D20FEF
.text C:\WINDOWS\system32\lsass.exe[1116] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D20FA6
.text C:\WINDOWS\system32\lsass.exe[1116] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D20FD2
.text C:\WINDOWS\system32\lsass.exe[1116] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D10000
.text C:\WINDOWS\system32\svchost.exe[1372] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00FD000A
.text C:\WINDOWS\system32\svchost.exe[1372] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00FD0FD4
.text C:\WINDOWS\system32\svchost.exe[1372] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FD0FEF
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FC0FEF
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FC008E
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FC0073
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FC0062
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FC0051
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FC0FAF
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FC00C4
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FC00A9
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FC0F50
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FC00DF
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FC0104
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FC0036
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FC0000
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FC0F7E
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FC001B
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FC0FCA
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FC0F61
.text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02410036
.text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02410F9E
.text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02410FE5
.text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0241001B
.text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02410FB9
.text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02410000
.text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02410FCA
.text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [61, 8A]
.text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02410051
.text C:\WINDOWS\system32\svchost.exe[1372] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FF002C
.text C:\WINDOWS\system32\svchost.exe[1372] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FF0FAB
.text C:\WINDOWS\system32\svchost.exe[1372] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FF0FC6
.text C:\WINDOWS\system32\svchost.exe[1372] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\svchost.exe[1372] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FF001B
.text C:\WINDOWS\system32\svchost.exe[1372] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\svchost.exe[1372] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\svchost.exe[1424] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00DD0FEF
.text C:\WINDOWS\system32\svchost.exe[1424] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00DD0FD4
.text C:\WINDOWS\system32\svchost.exe[1424] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DD000A
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DC000A
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DC0F5C
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DC0F81
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DC0F92
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DC005B
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DC0FCD
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DC0082
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DC0F3A
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DC00A7
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DC0F0E
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DC0EF3
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DC004A
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DC001B
March 14th, 2011, 08:25 PM
krh1326

Continued

.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DC0F4B
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DC0FDE
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DC0FEF
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DC0F1F
.text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E00011
.text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E00F9E
.text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E00FC0
.text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E00000
.text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E00FAF
.text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E00FEF
.text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00E00047
.text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E0002C
.text C:\WINDOWS\system32\svchost.exe[1424] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DF0FB2
.text C:\WINDOWS\system32\svchost.exe[1424] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DF0FC3
.text C:\WINDOWS\system32\svchost.exe[1424] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DF0022
.text C:\WINDOWS\system32\svchost.exe[1424] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DF0000
.text C:\WINDOWS\system32\svchost.exe[1424] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DF0033
.text C:\WINDOWS\system32\svchost.exe[1424] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DF0011
.text C:\WINDOWS\system32\svchost.exe[1424] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DE0FEF
.text C:\WINDOWS\System32\svchost.exe[1548] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 03240000
.text C:\WINDOWS\System32\svchost.exe[1548] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0324002C
.text C:\WINDOWS\System32\svchost.exe[1548] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0324001B
.text C:\WINDOWS\System32\svchost.exe[1548] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0323000A
.text C:\WINDOWS\System32\svchost.exe[1548] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03230073
.text C:\WINDOWS\System32\svchost.exe[1548] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03230062
.text C:\WINDOWS\System32\svchost.exe[1548] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03230F88
.text C:\WINDOWS\System32\svchost.exe[1548] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03230FA5
.text C:\WINDOWS\System32\svchost.exe[1548] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03230036
.text C:\WINDOWS\System32\svchost.exe[1548] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 032300BA
.text C:\WINDOWS\System32\svchost.exe[1548] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0323009F
.text C:\WINDOWS\System32\svchost.exe[1548] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 032300E6
.text C:\WINDOWS\System32\svchost.exe[1548] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 03230F4D
.text C:\WINDOWS\System32\svchost.exe[1548] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 032300F7
.text C:\WINDOWS\System32\svchost.exe[1548] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 03230047
.text C:\WINDOWS\System32\svchost.exe[1548] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 03230FE5
.text C:\WINDOWS\System32\svchost.exe[1548] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0323008E
.text C:\WINDOWS\System32\svchost.exe[1548] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 03230FCA
.text C:\WINDOWS\System32\svchost.exe[1548] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0323001B
.text C:\WINDOWS\System32\svchost.exe[1548] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 032300CB
.text C:\WINDOWS\System32\svchost.exe[1548] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03220FC3
.text C:\WINDOWS\System32\svchost.exe[1548] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03220F83
.text C:\WINDOWS\System32\svchost.exe[1548] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 03220014
.text C:\WINDOWS\System32\svchost.exe[1548] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 03220FDE
.text C:\WINDOWS\System32\svchost.exe[1548] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 03220F9E
.text C:\WINDOWS\System32\svchost.exe[1548] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 03220FEF
.text C:\WINDOWS\System32\svchost.exe[1548] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 03220040
.text C:\WINDOWS\System32\svchost.exe[1548] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0322002F
.text C:\WINDOWS\System32\svchost.exe[1548] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 03210044
.text C:\WINDOWS\System32\svchost.exe[1548] msvcrt.dll!system 77C293C7 5 Bytes JMP 03210033
.text C:\WINDOWS\System32\svchost.exe[1548] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03210FDE
.text C:\WINDOWS\System32\svchost.exe[1548] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03210FEF
.text C:\WINDOWS\System32\svchost.exe[1548] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 03210FCD
.text C:\WINDOWS\System32\svchost.exe[1548] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0321000C
.text C:\WINDOWS\System32\svchost.exe[1548] WS2_32.dll!socket 71AB4211 5 Bytes JMP 03200FEF
.text C:\WINDOWS\System32\svchost.exe[1548] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 031F0FEF
.text C:\WINDOWS\System32\svchost.exe[1548] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 031F0FDE
.text C:\WINDOWS\System32\svchost.exe[1548] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 031F0FCD
.text C:\WINDOWS\System32\svchost.exe[1548] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 031F001E
.text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00640FEF
.text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0064001B
.text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0064000A
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00630000
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00630F4D
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00630038
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00630F5E
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0063001B
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00630F94
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00630073
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00630F2B
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00630EF5
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00630F06
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00630EDA
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00630F83
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00630FDB
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00630F3C
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00630FAF
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00630FC0
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00630084
.text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00660FB9
.text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00660F86
.text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00660014
.text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00660FDE
.text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00660039
.text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00660FEF
.text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00660F97
.text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [86, 88]
.text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00660FA8
.text C:\WINDOWS\system32\svchost.exe[1592] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00650FAD
.text C:\WINDOWS\system32\svchost.exe[1592] msvcrt.dll!system 77C293C7 5 Bytes JMP 00650042
.text C:\WINDOWS\system32\svchost.exe[1592] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00650FD2
.text C:\WINDOWS\system32\svchost.exe[1592] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00650000
.text C:\WINDOWS\system32\svchost.exe[1592] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00650027
.text C:\WINDOWS\system32\svchost.exe[1592] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00650FEF
.text C:\WINDOWS\system32\svchost.exe[1716] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00790FEF
.text C:\WINDOWS\system32\svchost.exe[1716] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00790FB9
.text C:\WINDOWS\system32\svchost.exe[1716] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00790FD4
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00780000
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00780073
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00780F7E
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00780062
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00780051
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00780FAF
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007800B0
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0078009F
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00780F28
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00780F4D
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00780F17
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00780036
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00780FE5
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0078008E
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00780FC0
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0078001B
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007800C1
.text C:\WINDOWS\system32\svchost.exe[1716] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007C0FC3
.text C:\WINDOWS\system32\svchost.exe[1716] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007C0039
.text C:\WINDOWS\system32\svchost.exe[1716] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007C0014
.text C:\WINDOWS\system32\svchost.exe[1716] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007C0FDE
.text C:\WINDOWS\system32\svchost.exe[1716] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 007C0F7C
.text C:\WINDOWS\system32\svchost.exe[1716] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 007C0FEF
.text C:\WINDOWS\system32\svchost.exe[1716] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 007C0F97
.text C:\WINDOWS\system32\svchost.exe[1716] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [9C, 88]
.text C:\WINDOWS\system32\svchost.exe[1716] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 007C0FA8
.text C:\WINDOWS\system32\svchost.exe[1716] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007B0058
.text C:\WINDOWS\system32\svchost.exe[1716] msvcrt.dll!system 77C293C7 5 Bytes JMP 007B0047
.text C:\WINDOWS\system32\svchost.exe[1716] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007B0FCD
.text C:\WINDOWS\system32\svchost.exe[1716] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007B0FEF
.text C:\WINDOWS\system32\svchost.exe[1716] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007B002C
.text C:\WINDOWS\system32\svchost.exe[1716] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007B0FDE
.text C:\WINDOWS\system32\svchost.exe[1716] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007A0000
.text C:\Program Files\MSN\MSNCoreFiles\msn.exe[1804] WININET.dll!InternetGoOnlineW 3D9A113B 5 Bytes JMP 2013BE88 C:\Program Files\MSN\MSNCoreFiles\msnmetal.dll (msnmetal/Microsoft Corporation)
.text C:\WINDOWS\System32\svchost.exe[1816] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00710000
.text C:\WINDOWS\System32\svchost.exe[1816] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00710025
.text C:\WINDOWS\System32\svchost.exe[1816] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00710FE5
.text C:\WINDOWS\System32\svchost.exe[1816] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00700FE5
.text C:\WINDOWS\System32\svchost.exe[1816] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0070006A
.text C:\WINDOWS\System32\svchost.exe[1816] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00700F75
.text C:\WINDOWS\System32\svchost.exe[1816] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00700F86
.text C:\WINDOWS\System32\svchost.exe[1816] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00700039
.text C:\WINDOWS\System32\svchost.exe[1816] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00700FA8
.text C:\WINDOWS\System32\svchost.exe[1816] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00700F46
.text C:\WINDOWS\System32\svchost.exe[1816] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0070008C
.text C:\WINDOWS\System32\svchost.exe[1816] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00700F09
.text C:\WINDOWS\System32\svchost.exe[1816] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00700F24
.text C:\WINDOWS\System32\svchost.exe[1816] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007000BD
.text C:\WINDOWS\System32\svchost.exe[1816] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00700F97
.text C:\WINDOWS\System32\svchost.exe[1816] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00700FD4
.text C:\WINDOWS\System32\svchost.exe[1816] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0070007B
.text C:\WINDOWS\System32\svchost.exe[1816] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00700FC3
.text C:\WINDOWS\System32\svchost.exe[1816] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0070000A
.text C:\WINDOWS\System32\svchost.exe[1816] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00700F35
.text C:\WINDOWS\System32\svchost.exe[1816] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006F0FC7
.text C:\WINDOWS\System32\svchost.exe[1816] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006F0F94
.text C:\WINDOWS\System32\svchost.exe[1816] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006F0022
.text C:\WINDOWS\System32\svchost.exe[1816] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006F0011
.text C:\WINDOWS\System32\svchost.exe[1816] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006F0FA5
.text C:\WINDOWS\System32\svchost.exe[1816] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006F0000
.text C:\WINDOWS\System32\svchost.exe[1816] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 006F0FB6
.text C:\WINDOWS\System32\svchost.exe[1816] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [8F, 88]
.text C:\WINDOWS\System32\svchost.exe[1816] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006F0033
.text C:\WINDOWS\System32\svchost.exe[1816] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006E005D
.text C:\WINDOWS\System32\svchost.exe[1816] msvcrt.dll!system 77C293C7 5 Bytes JMP 006E0FD2
.text C:\WINDOWS\System32\svchost.exe[1816] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006E0FE3
.text C:\WINDOWS\System32\svchost.exe[1816] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006E000C
.text C:\WINDOWS\System32\svchost.exe[1816] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006E0038
.text C:\WINDOWS\System32\svchost.exe[1816] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006E001D
.text C:\WINDOWS\System32\svchost.exe[1816] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006D0FEF
.text C:\WINDOWS\System32\svchost.exe[1844] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00710FEF
.text C:\WINDOWS\System32\svchost.exe[1844] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00710025
.text C:\WINDOWS\System32\svchost.exe[1844] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00710014
.text C:\WINDOWS\System32\svchost.exe[1844] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00700000
.text C:\WINDOWS\System32\svchost.exe[1844] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00700086
.text C:\WINDOWS\System32\svchost.exe[1844] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00700F9B
.text C:\WINDOWS\System32\svchost.exe[1844] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00700069
.text C:\WINDOWS\System32\svchost.exe[1844] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00700058
.text C:\WINDOWS\System32\svchost.exe[1844] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00700FB6
.text C:\WINDOWS\System32\svchost.exe[1844] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007000CF
.text C:\WINDOWS\System32\svchost.exe[1844] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007000B4
.text C:\WINDOWS\System32\svchost.exe[1844] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00700F36
.text C:\WINDOWS\System32\svchost.exe[1844] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00700F51
.text C:\WINDOWS\System32\svchost.exe[1844] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00700F25
.text C:\WINDOWS\System32\svchost.exe[1844] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0070003D
.text C:\WINDOWS\System32\svchost.exe[1844] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00700011
.text C:\WINDOWS\System32\svchost.exe[1844] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00700097
.text C:\WINDOWS\System32\svchost.exe[1844] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00700FD1
.text C:\WINDOWS\System32\svchost.exe[1844] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00700022
.text C:\WINDOWS\System32\svchost.exe[1844] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00700F62
.text C:\WINDOWS\System32\svchost.exe[1844] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006F0FD4
.text C:\WINDOWS\System32\svchost.exe[1844] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006F006C
.text C:\WINDOWS\System32\svchost.exe[1844] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006F0025
.text C:\WINDOWS\System32\svchost.exe[1844] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006F000A
.text C:\WINDOWS\System32\svchost.exe[1844] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006F0FAF
.text C:\WINDOWS\System32\svchost.exe[1844] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006F0FEF
.text C:\WINDOWS\System32\svchost.exe[1844] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 006F005B
.text C:\WINDOWS\System32\svchost.exe[1844] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006F0040
.text C:\WINDOWS\System32\svchost.exe[1844] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006E006E
.text C:\WINDOWS\System32\svchost.exe[1844] msvcrt.dll!system 77C293C7 5 Bytes JMP 006E0053
.text C:\WINDOWS\System32\svchost.exe[1844] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006E0038
.text C:\WINDOWS\System32\svchost.exe[1844] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006E0000
.text C:\WINDOWS\System32\svchost.exe[1844] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006E0FE3
.text C:\WINDOWS\System32\svchost.exe[1844] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006E0011
.text C:\WINDOWS\System32\svchost.exe[1844] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006D000A
.text C:\WINDOWS\system32\svchost.exe[1872] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01090000
.text C:\WINDOWS\system32\svchost.exe[1872] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 01090011
.text C:\WINDOWS\system32\svchost.exe[1872] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01090FE5
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01080000
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01080F3C
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01080F57
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01080F68
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01080F83
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0108001B
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0108005D
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01080F15
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01080EE9
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01080EFA
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01080ECE
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01080F9E
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01080FEF
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0108004C
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01080FAF
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01080FCA
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01080082
.text C:\WINDOWS\system32\svchost.exe[1872] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 010C0FD4
.text C:\WINDOWS\system32\svchost.exe[1872] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 010C0087
.text C:\WINDOWS\system32\svchost.exe[1872] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 010C0FE5
.text C:\WINDOWS\system32\svchost.exe[1872] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 010C001B
.text C:\WINDOWS\system32\svchost.exe[1872] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 010C006C
.text C:\WINDOWS\system32\svchost.exe[1872] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 010C0000
.text C:\WINDOWS\system32\svchost.exe[1872] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 010C0051
.text C:\WINDOWS\system32\svchost.exe[1872] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 010C0040
.text C:\WINDOWS\system32\svchost.exe[1872] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 010B004A
.text C:\WINDOWS\system32\svchost.exe[1872] msvcrt.dll!system 77C293C7 5 Bytes JMP 010B0FB5
.text C:\WINDOWS\system32\svchost.exe[1872] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 010B0FC6
.text C:\WINDOWS\system32\svchost.exe[1872] msvcrt.dll!_open 77C2F566 5 Bytes JMP 010B0000
.text C:\WINDOWS\system32\svchost.exe[1872] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 010B0025
.text C:\WINDOWS\system32\svchost.exe[1872] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 010B0FD7
.text C:\WINDOWS\system32\svchost.exe[1872] WS2_32.dll!socket 71AB4211 5 Bytes JMP 010A0FEF
.text C:\WINDOWS\system32\svchost.exe[2324] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00CB0FEF
.text C:\WINDOWS\system32\svchost.exe[2324] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00CB001B
.text C:\WINDOWS\system32\svchost.exe[2324] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CB000A
.text C:\WINDOWS\system32\svchost.exe[2324] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CA0000
.text C:\WINDOWS\system32\svchost.exe[2324] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CA0F92
.text C:\WINDOWS\system32\svchost.exe[2324] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CA0FA3
.text C:\WINDOWS\system32\svchost.exe[2324] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CA007D
.text C:\WINDOWS\system32\svchost.exe[2324] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CA006C
.text C:\WINDOWS\system32\svchost.exe[2324] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CA0036
.text C:\WINDOWS\system32\svchost.exe[2324] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CA0F55
.text C:\WINDOWS\system32\svchost.exe[2324] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CA0F66
.text C:\WINDOWS\system32\svchost.exe[2324] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CA0F29
.text C:\WINDOWS\system32\svchost.exe[2324] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CA00B8
.text C:\WINDOWS\system32\svchost.exe[2324] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CA00DD
.text C:\WINDOWS\system32\svchost.exe[2324] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CA0047
.text C:\WINDOWS\system32\svchost.exe[2324] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CA001B
.text C:\WINDOWS\system32\svchost.exe[2324] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CA0F77
.text C:\WINDOWS\system32\svchost.exe[2324] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CA0FD4
.text C:\WINDOWS\system32\svchost.exe[2324] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CA0FE5
.text C:\WINDOWS\system32\svchost.exe[2324] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CA0F3A
.text C:\WINDOWS\system32\svchost.exe[2324] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C90FCA
.text C:\WINDOWS\system32\svchost.exe[2324] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C90054
.text C:\WINDOWS\system32\svchost.exe[2324] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C90025
.text C:\WINDOWS\system32\svchost.exe[2324] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C9000A
.text C:\WINDOWS\system32\svchost.exe[2324] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C90F8D
.text C:\WINDOWS\system32\svchost.exe[2324] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C90FEF
.text C:\WINDOWS\system32\svchost.exe[2324] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C90FA8
.text C:\WINDOWS\system32\svchost.exe[2324] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes JMP C89FEDE5
.text C:\WINDOWS\system32\svchost.exe[2324] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C90FB9
.text C:\WINDOWS\system32\svchost.exe[2324] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C80FBC
.text C:\WINDOWS\system32\svchost.exe[2324] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C8003D
.text C:\WINDOWS\system32\svchost.exe[2324] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C8001B
.text C:\WINDOWS\system32\svchost.exe[2324] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C80000
.text C:\WINDOWS\system32\svchost.exe[2324] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C8002C
.text C:\WINDOWS\system32\svchost.exe[2324] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C80FE3
.text C:\WINDOWS\System32\svchost.exe[2584] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F80FEF
.text C:\WINDOWS\System32\svchost.exe[2584] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F80014
.text C:\WINDOWS\System32\svchost.exe[2584] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F80FDE
.text C:\WINDOWS\System32\svchost.exe[2584] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F70000
.text C:\WINDOWS\System32\svchost.exe[2584] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F70069
.text C:\WINDOWS\System32\svchost.exe[2584] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F70058
.text C:\WINDOWS\System32\svchost.exe[2584] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F70F74
.text C:\WINDOWS\System32\svchost.exe[2584] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F70F91
.text C:\WINDOWS\System32\svchost.exe[2584] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F7002C
.text C:\WINDOWS\System32\svchost.exe[2584] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F70F3C
.text C:\WINDOWS\System32\svchost.exe[2584] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F70084
.text C:\WINDOWS\System32\svchost.exe[2584] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F700CB
.text C:\WINDOWS\System32\svchost.exe[2584] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F700B0
.text C:\WINDOWS\System32\svchost.exe[2584] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F700DC
.text C:\WINDOWS\System32\svchost.exe[2584] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F7003D
.text C:\WINDOWS\System32\svchost.exe[2584] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F70011
.text C:\WINDOWS\System32\svchost.exe[2584] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F70F59
.text C:\WINDOWS\System32\svchost.exe[2584] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F70FC0
.text C:\WINDOWS\System32\svchost.exe[2584] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F70FDB
.text C:\WINDOWS\System32\svchost.exe[2584] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F7009F
.text C:\WINDOWS\System32\svchost.exe[2584] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F60011
.text C:\WINDOWS\System32\svchost.exe[2584] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F60051
.text C:\WINDOWS\System32\svchost.exe[2584] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F60000
.text C:\WINDOWS\System32\svchost.exe[2584] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F60FCA
.text C:\WINDOWS\System32\svchost.exe[2584] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F60F9E
.text C:\WINDOWS\System32\svchost.exe[2584] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F60FE5
.text C:\WINDOWS\System32\svchost.exe[2584] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F60FAF
.text C:\WINDOWS\System32\svchost.exe[2584] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [16, 89]
.text C:\WINDOWS\System32\svchost.exe[2584] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F6002C
.text C:\WINDOWS\System32\svchost.exe[2584] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F50FCA
.text C:\WINDOWS\System32\svchost.exe[2584] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F5004B
.text C:\WINDOWS\System32\svchost.exe[2584] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F50029
.text C:\WINDOWS\System32\svchost.exe[2584] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F50000
.text C:\WINDOWS\System32\svchost.exe[2584] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F5003A
.text C:\WINDOWS\System32\svchost.exe[2584] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F50FEF
.text C:\WINDOWS\System32\svchost.exe[2584] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F40000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs InCDRec.sys (Nero InCD File System Recognizer/Nero AG)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\HP Photosmart C4700 series@ChangeID 6469953

---- EOF - GMER 1.0.15 ----

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:01:13 PM, on 3/13/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Documents and Settings\Ken Henrikson\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Msn Member | MSN
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110112071253.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [UpdateLBPShortCut] "C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.0"
O4 - HKLM\..\Run: [UpdatePSTShortCut] "C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1265501466609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1265566893765
O16 - DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} (Battlefield Heroes Updater) - https://www.battlefieldheroes.com/st...r_5.0.31.0.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: InCD Helper (InCDsrvR) - Nero AG - C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Nero AG - C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\KENHEN~1\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)

--
End of file - 8217 bytes
March 14th, 2011, 09:52 PM
Broni
Please, complete all steps listed here: http://discussions.virtualdr.com/sho...d.php?t=167915

Please, observe following rules:
- Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
- If you're stuck, or you're not sure about certain step, always ask before doing anything else.
- Please refrain from running tools or applying updates other than those I suggest.
- Never run more than one scan at a time.
- Keep updating me regarding your computer behavior, good, or bad.
- The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
- If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
- I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
March 14th, 2011, 09:59 PM
krh1326

Hi,

Thank you for your help.

This log should be the only thing missing from that guide. Here it is.

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0200000d

Kernel Drivers (total 138):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xB85A8000 \WINDOWS\system32\KDCOM.DLL
0xB84B8000 \WINDOWS\system32\BOOTVID.dll
0xB7F79000 ACPI.sys
0xB85AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB7F68000 pci.sys
0xB80A8000 isapnp.sys
0xB8670000 pciide.sys
0xB8328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xB80B8000 MountMgr.sys
0xB7F49000 ftdisk.sys
0xB85AC000 dmload.sys
0xB7F23000 dmio.sys
0xB8330000 PartMgr.sys
0xB80C8000 VolSnap.sys
0xB7F0B000 atapi.sys
0xB80D8000 disk.sys
0xB80E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB7EEB000 fltmgr.sys
0xB7ED9000 sr.sys
0xB7E7C000 mfehidk.sys
0xB80F8000 PxHelp20.sys
0xB7E65000 KSecDD.sys
0xB7E52000 WudfPf.sys
0xB7DC5000 Ntfs.sys
0xB7D98000 NDIS.sys
0xB7D7E000 Mup.sys
0xB8148000 \SystemRoot\system32\DRIVERS\AmdPPM.sys
0xB8380000 \SystemRoot\system32\DRIVERS\fdc.sys
0xB85B6000 \SystemRoot\system32\DRIVERS\ASACPI.sys
0xB8158000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xB8390000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xB8168000 \SystemRoot\system32\DRIVERS\serial.sys
0xB8558000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB8560000 \SystemRoot\system32\DRIVERS\nvsmu.sys
0xB83A0000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xB7CEA000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xB83A8000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB7CC2000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB7BF4000 \SystemRoot\system32\DRIVERS\winachcf.sys
0xB83B8000 \SystemRoot\System32\Drivers\Modem.SYS
0xB8178000 \SystemRoot\system32\DRIVERS\imapi.sys
0xB8188000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xB8198000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB7BD1000 \SystemRoot\system32\DRIVERS\ks.sys
0xB81A8000 \SystemRoot\system32\DRIVERS\nvnetbus.sys
0xB7AE7000 \SystemRoot\system32\DRIVERS\NVNRM.SYS
0xB70CA000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB70B6000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB8578000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xB85BC000 \SystemRoot\system32\DRIVERS\serscan.sys
0xB871D000 \SystemRoot\system32\DRIVERS\audstub.sys
0xB70A2000 \SystemRoot\system32\DRIVERS\mfendisk.sys
0xB81B8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB8584000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB708B000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xB81C8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xB81D8000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xB83F0000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB707A000 \SystemRoot\system32\DRIVERS\psched.sys
0xB81E8000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xB6FB6000 \SystemRoot\system32\drivers\mfeavfk.sys
0xB6F43000 \SystemRoot\system32\drivers\mfefirek.sys
0xB8410000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xB8420000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB6EEB000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xB81F8000 \SystemRoot\system32\DRIVERS\termdd.sys
0xB8430000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB85C4000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB6E8D000 \SystemRoot\system32\DRIVERS\update.sys
0xB7D1E000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB7D1A000 \SystemRoot\system32\drivers\WmBEnum.sys
0xB8208000 \SystemRoot\system32\drivers\WmXlCore.sys
0xB8228000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB8238000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xB85C8000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xB8248000 \SystemRoot\system32\DRIVERS\NVENETFD.sys
0xB6FA2000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xB4B53000 \SystemRoot\system32\drivers\viahduaa.sys
0xB4B2F000 \SystemRoot\system32\drivers\portcls.sys
0xB8288000 \SystemRoot\system32\drivers\drmk.sys
0xB49DB000 \SystemRoot\system32\drivers\monfilt.sys
0xB8458000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xB85F0000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xB8775000 \SystemRoot\System32\Drivers\Null.SYS
0xB85F4000 \SystemRoot\System32\Drivers\Beep.SYS
0xB8478000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xB8480000 \SystemRoot\System32\drivers\vga.sys
0xB85F8000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xB85FC000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xB6F37000 \SystemRoot\system32\drivers\InCDRec.sys
0xB48B7000 \SystemRoot\system32\drivers\InCDFs.sys
0xB84A0000 \SystemRoot\System32\Drivers\Msfs.SYS
0xB84B0000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB6F2F000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB48A4000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB484B000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB4838000 \SystemRoot\system32\drivers\mfetdi2k.sys
0xB4812000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB82B8000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB47EA000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB47C8000 \SystemRoot\System32\drivers\afd.sys
0xB82C8000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB4775000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB4705000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xB82E8000 \SystemRoot\system32\drivers\InCDPass.sys
0xB8308000 \SystemRoot\System32\Drivers\Fips.SYS
0xB8604000 \SystemRoot\system32\drivers\AsIO.sys
0xB83C0000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xB4C62000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xB705A000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xB83C8000 \SystemRoot\system32\drivers\WmFilter.sys
0xB4C5A000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xB704A000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB46ED000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xB8612000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB6F9E000 \SystemRoot\System32\drivers\Dxapi.sys
0xB83E8000 \SystemRoot\System32\watchdog.sys
0xBD000000 \SystemRoot\System32\drivers\dxg.sys
0xB86E0000 \SystemRoot\System32\drivers\dxgthk.sys
0xBD012000 \SystemRoot\System32\nv4_disp.dll
0xBD61F000 \SystemRoot\System32\ATMFD.DLL
0xB43E9000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB3FB0000 \SystemRoot\system32\drivers\wdmaud.sys
0xB415D000 \SystemRoot\system32\drivers\sysaudio.sys
0xB3CBB000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB3B23000 \SystemRoot\system32\DRIVERS\srv.sys
0xB3D08000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xB3366000 \SystemRoot\System32\Drivers\HTTP.sys
0xB3286000 \SystemRoot\system32\drivers\cfwids.sys
0xB2753000 \SystemRoot\system32\drivers\mfeapfk.sys
0xB3AEB000 \SystemRoot\system32\drivers\mfebopk.sys
0xB27BD000 \??\C:\WINDOWS\system32\VMTOKD2.SYS
0xBD666000 \SystemRoot\System32\spool\DRIVERS\W32X86\2\RASDD.DLL
0xB20E2000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 40):
0 System Idle Process
4 System
952 C:\WINDOWS\system32\smss.exe
1028 csrss.exe
1064 C:\WINDOWS\system32\winlogon.exe
1108 C:\WINDOWS\system32\services.exe
1120 C:\WINDOWS\system32\lsass.exe
1280 C:\WINDOWS\system32\nvsvc32.exe
1356 C:\WINDOWS\system32\svchost.exe
1428 svchost.exe
1552 C:\WINDOWS\system32\svchost.exe
1596 C:\WINDOWS\system32\svchost.exe
1732 svchost.exe
1876 svchost.exe
152 C:\WINDOWS\system32\spoolsv.exe
372 C:\WINDOWS\explorer.exe
940 C:\Program Files\McAfee.com\Agent\mcagent.exe
1012 C:\WINDOWS\system32\rundll32.exe
1508 C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
1612 svchost.exe
1912 C:\WINDOWS\system32\svchost.exe
1932 C:\WINDOWS\system32\svchost.exe
1980 C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
292 C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
716 C:\WINDOWS\system32\mfevtps.exe
788 C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe
1332 C:\WINDOWS\system32\svchost.exe
860 C:\WINDOWS\system32\svchost.exe
880 C:\WINDOWS\system32\PnkBstrA.exe
864 C:\Program Files\CyberLink\Shared Files\RichVideo.exe
2436 C:\WINDOWS\system32\svchost.exe
2464 C:\WINDOWS\system32\MsPMSPSv.exe
2484 C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
2580 C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
4088 alg.exe
3012 C:\WINDOWS\system32\svchost.exe
2840 C:\Program Files\MSN\MSNCoreFiles\msn.exe
284 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
2708 C:\Program Files\Windows Live\Contacts\wlcomm.exe
2736 C:\Documents and Settings\Ken Henrikson\Desktop\MBRCheck.exe

\\.\C: --> error 1

PhysicalDrive0 Model Number: ST3500410AS, Rev: CC34

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

Done!
March 15th, 2011, 12:54 AM
Broni

Attach.txt part of DDS and MBAM logs are still missing.
March 15th, 2011, 07:13 PM
krh1326

Sorry, I accidentally attached "attached.txt" to my first post. Here it is and a fresh MBAM log.

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\Harddisk0\DP(1)0x7e00-0x74701a8200+1
Install Date: 2/6/2010 5:21:08 PM
System Uptime: 3/13/2011 5:09:02 PM (1 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | M4N78 PRO
Processor: AMD Phenom(tm) 9600 Quad-Core Processor | AM2/AM3 | 2300/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 466 GiB total, 241.742 GiB free.
D: is CDROM (CDFS)
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: NVIDIA High Definition Audio
Device ID: HDAUDIO\FUNC_01&VEN_10DE&DEV_0002&SUBSYS_10DE0101&REV_1000\4&26CEEC39&0&0301
Manufacturer: NVIDIA
Name: NVIDIA High Definition Audio
PNP Device ID: HDAUDIO\FUNC_01&VEN_10DE&DEV_0002&SUBSYS_10DE0101&REV_1000\4&26CEEC39&0&0301
Service: NVHDA
.
Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
Description: Photosmart C4700 series
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Photosmart C4700 series
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:
.
==== System Restore Points ===================
.
RP245: 12/14/2010 8:33:16 AM - System Checkpoint
RP246: 12/14/2010 5:48:38 PM - Software Distribution Service 3.0
RP247: 12/16/2010 4:37:37 PM - System Checkpoint
RP248: 12/17/2010 5:25:48 PM - System Checkpoint
RP249: 12/18/2010 6:01:16 PM - Software Distribution Service 3.0
RP250: 12/20/2010 5:17:30 PM - System Checkpoint
RP251: 12/22/2010 10:41:18 AM - System Checkpoint
RP252: 12/24/2010 8:33:20 AM - System Checkpoint
RP253: 12/25/2010 8:35:52 AM - System Checkpoint
RP254: 12/27/2010 9:23:21 AM - System Checkpoint
RP255: 12/28/2010 3:26:56 PM - System Checkpoint
RP256: 12/29/2010 5:19:02 PM - System Checkpoint
RP257: 12/31/2010 8:32:13 AM - System Checkpoint
RP258: 1/1/2011 10:55:47 AM - System Checkpoint
RP259: 1/2/2011 4:50:42 PM - System Checkpoint
RP260: 1/3/2011 5:26:37 PM - System Checkpoint
RP261: 1/5/2011 2:02:43 PM - System Checkpoint
RP262: 1/6/2011 3:16:18 PM - System Checkpoint
RP263: 1/9/2011 10:07:26 AM - System Checkpoint
RP264: 1/11/2011 3:32:59 PM - Software Distribution Service 3.0
RP265: 1/13/2011 4:59:58 PM - System Checkpoint
RP266: 1/14/2011 5:24:29 PM - System Checkpoint
RP267: 1/15/2011 6:14:55 PM - System Checkpoint
RP268: 1/16/2011 7:39:20 PM - Made by Registry Mechanic
RP269: 1/16/2011 8:00:35 PM - Installed ImageMixer 3 SE Ver.4.5 Transfer Utility
RP270: 1/16/2011 8:01:00 PM - Installed Music Transfer Utility Ver.1.5
RP271: 1/18/2011 6:12:40 AM - System Checkpoint
RP272: 1/19/2011 4:49:28 PM - System Checkpoint
RP273: 1/20/2011 7:00:57 PM - Removed Easy CD & DVD Creator 6
RP274: 1/21/2011 5:52:37 PM - Installed Easy CD & DVD Creator 6
RP275: 1/21/2011 5:59:55 PM - Installed Easy CD & DVD Creator 6
RP276: 1/21/2011 7:03:38 PM - prior to roxio removal
RP277: 1/21/2011 7:30:47 PM - Removed Easy CD & DVD Creator 6
RP278: 1/21/2011 8:23:08 PM - post removal, prior reinstall
RP279: 1/21/2011 8:29:44 PM - Installed Easy CD & DVD Creator 6
RP280: 1/21/2011 8:42:50 PM - Restore Operation
RP281: 1/21/2011 8:48:12 PM - recovered
RP282: 1/21/2011 8:56:32 PM - Installed Easy CD & DVD Creator 6
RP283: 1/21/2011 9:06:44 PM - Restore Operation
RP284: 1/22/2011 6:15:48 PM - beginning
RP285: 1/22/2011 6:28:15 PM - Software Distribution Service 3.0
RP286: 1/22/2011 6:57:20 PM - Configured NVIDIA ForceWare Network Access Manager
RP287: 1/22/2011 7:04:47 PM - Installed NVIDIA ForceWare Network Access Manager
RP288: 1/22/2011 7:27:42 PM - Software Distribution Service 3.0
RP289: 1/22/2011 7:55:04 PM - Installed DirectX
RP290: 1/22/2011 8:03:17 PM - drivers set? pre roxio
RP291: 1/22/2011 8:07:37 PM - Made by Registry Mechanic
RP292: 1/22/2011 8:12:53 PM - after reg mech, pre roxio
RP293: 1/22/2011 8:17:26 PM - Installed DirectX
RP294: 1/22/2011 8:18:07 PM - Installed SmartSound Quicktracks Plugin
RP295: 1/22/2011 8:23:22 PM - Installed SmartSound "New Standard 22k Library"
RP296: 1/23/2011 10:30:21 AM - ALL IS WELL
RP297: 1/24/2011 4:23:07 PM - System Checkpoint
RP298: 1/25/2011 4:36:55 PM - System Checkpoint
RP299: 1/26/2011 6:10:23 PM - System Checkpoint
RP300: 1/29/2011 7:14:24 PM - System Checkpoint
RP301: 1/31/2011 7:52:44 PM - System Checkpoint
RP302: 2/1/2011 8:11:54 PM - System Checkpoint
RP303: 2/2/2011 8:57:30 PM - System Checkpoint
RP304: 2/3/2011 9:54:49 PM - System Checkpoint
RP305: 2/5/2011 10:55:20 PM - System Checkpoint
RP306: 2/7/2011 8:01:17 AM - System Checkpoint
RP307: 2/8/2011 8:42:43 AM - System Checkpoint
RP308: 2/8/2011 6:06:14 PM - Software Distribution Service 3.0
RP309: 2/10/2011 6:23:17 PM - System Checkpoint
RP310: 2/12/2011 11:10:32 AM - System Checkpoint
RP311: 2/13/2011 9:37:08 PM - System Checkpoint
RP312: 2/15/2011 6:45:00 AM - System Checkpoint
RP313: 2/16/2011 8:28:04 AM - System Checkpoint
RP314: 2/17/2011 8:31:46 AM - System Checkpoint
RP315: 2/18/2011 8:45:19 AM - System Checkpoint
RP316: 2/19/2011 6:40:16 PM - System Checkpoint
RP317: 2/20/2011 11:31:07 PM - System Checkpoint
RP318: 2/22/2011 8:32:54 AM - System Checkpoint
RP319: 2/22/2011 4:31:56 PM - Software Distribution Service 3.0
RP320: 2/24/2011 8:44:22 PM - Made by Registry Mechanic
RP321: 2/25/2011 8:09:28 AM - Software Distribution Service 3.0
RP322: 2/26/2011 7:53:06 PM - System Checkpoint
RP323: 2/27/2011 11:17:15 PM - System Checkpoint
RP324: 3/1/2011 7:00:39 AM - System Checkpoint
RP325: 3/2/2011 8:41:33 AM - System Checkpoint
RP326: 3/3/2011 11:19:18 AM - System Checkpoint
RP327: 3/4/2011 3:34:45 PM - System Checkpoint
RP328: 3/5/2011 4:01:29 PM - System Checkpoint
RP329: 3/6/2011 4:22:48 PM - System Checkpoint
RP330: 3/7/2011 6:39:20 PM - System Checkpoint
RP331: 3/8/2011 4:20:46 PM - Software Distribution Service 3.0
RP332: 3/9/2011 4:24:44 PM - System Checkpoint
RP333: 3/10/2011 4:30:19 PM - System Checkpoint
RP334: 3/11/2011 5:56:42 PM - System Checkpoint
RP335: 3/11/2011 6:00:49 PM - Installed Sid Meier's Pirates!
RP336: 3/13/2011 9:01:15 AM - System Checkpoint
.
==== Installed Programs ======================
.
.
32 Bit HP CIO Components Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.2.3
Battlefield Heroes
BattleForge™
BitTornado 0.3.18
BufferChm
C4700
CCleaner
Cisco Connect
Day of Defeat: Source
Destinations
DeviceDiscovery
DirectXInstallService
DivX Converter
DivX Plus DirectShow Filters
DivX Setup
DivX Version Checker
EVEREST Home Edition v2.20
EVEREST Ultimate Edition v5.30
Fraps (remove only)
GPBaseService2
Half-Life
Half-Life 2
Half-Life 2: Deathmatch
Half-Life 2: Episode One
Half-Life 2: Episode Two
Half-Life 2: Lost Coast
Half-Life Deathmatch: Source
Half-Life: Blue Shift
Half-Life: Opposing Force
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Imaging Device Functions 13.0
HP Photosmart C4700 All-In-One Driver Software 13.0 Rel .6
HP Print Projects 1.0
HP Smart Web Printing 4.5
HP Solution Center 13.0
HP Update
hpPrintProjects
HPProductAssistant
hpWLPGInstaller
ImageMixer 3 SE Ver.4.5 Transfer Utility
InCD Reader
Junk Mail filter update
Left 4 Dead
Left 4 Dead 2
Left 4 Dead 2 Add-on Support
LG Burning Tools
LG CyberLink LabelPrint
LG CyberLink PowerDVD 7.0
LG CyberLink PowerProducer
LG Power Tools
Malwarebytes' Anti-Malware
MapSource
MapSource - BlueChart Americas v6.5
MapSource - Trip & Waypoint Manager v2
McAfee Security Scan Plus
McAfee SecurityCenter
Media Player Codec Pack 3.9.6
MediaFACE II
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office PowerPoint Viewer 2003
Microsoft Office XP Media Content
Microsoft Office XP Small Business
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.6.13)
Mp3tag v2.48
MSN
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Music Transfer Utility Ver.1.5
neroxml
NetWaiting
Network
NVIDIA Display Control Panel
NVIDIA Drivers
NVIDIA nView Desktop Manager
NVIDIA PhysX v8.10.13
OGA Notifier 2.0.0048.0
PC Probe II
PDFCreator 0.8.0
Platform
PS_AIO_06_C4700_SW_Min
PunkBuster Services
Registry Mechanic 5.0
RingCentral SmartFax 2002
Roblox for Ken Henrikson
Roxio Activation Module
Roxio BackOnTrack
Roxio Central Audio
Roxio Central Copy
Roxio Central Core
Roxio Central Data
Roxio Central Tools
Roxio CinePlayer
Roxio CinePlayer Decoder Pack
Roxio Disc Gallery
Roxio Easy Media Creator
Roxio Easy Media Creator 10 Suite
Roxio File Backup
Roxio MediaShare
Roxio Update Manager
Scan
SecurDisc Viewer
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Segoe UI
Sid Meier's Pirates!
SimCity 3000
SmartSound Quicktracks Plugin
SmartWebPrinting
SolutionCenter
Status
Steam
Toolbox
TrayApp
TurboCAD Symbols
TurboCAD v9
Unity Web Player
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB978506)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB978207)
VC80CRTRedist - 8.0.50727.4053
VCRedistSetup
VIA Platform Device Manager
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows NT Messaging
Windows PowerShell(TM) 1.0
Windows XP Service Pack 3
WinRAR archiver
WinX DVD Ripper Platinum 6.0.0
WinX HD Video Converter Deluxe 3.10.2
WinZip 11.1
Xvid 1.2.2 final uninstall
Zombie Panic! Source
Zoom V.92 PCI Voice Faxmodem
.
==== Event Viewer Messages From Past Week ========
.
3/6/2011 7:43:01 AM, error: Service Control Manager [7000] - The SessionLauncher service failed to start due to the following error: The system cannot find the path specified.
3/13/2011 10:01:56 AM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsrv\certmap.ocx could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
3/13/2011 10:01:56 AM, information: Windows File Protection [64018] - Windows File Protection file scan was cancelled by user interaction, user name is Ken Henrikson.
3/13/2011 10:00:31 AM, information: Windows File Protection [64016] - Windows File Protection file scan was started.
3/11/2011 6:32:07 PM, error: atapi [9] - The device, \Device\Ide\IdePort2, did not respond within the timeout period.
.
==== End Of File ===========================

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6036

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/15/2011 7:06:39 PM
mbam-log-2011-03-15 (19-06-39).txt

Scan type: Full scan (C:\|)
Objects scanned: 401961
Time elapsed: 1 hour(s), 42 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
March 15th, 2011, 08:19 PM
Broni
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  - Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  - Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  NOTE1. If Combofix asks you to install Recovery Console, please allow it.
  NOTE 2. If Combofix asks you to update the program, always do so.
  - Close any open browsers.
  - WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  - Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  - If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
4. Double click on combofix.exe & follow the prompts.
5. When finished, it will produce a report for you.
6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
Use AppRemover to uninstall it: http://www.appremover.com/
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.

Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.exe
- Double-click on the Rkill desktop icon to run the tool.
- If using Vista or Windows 7 right-click on it and choose Run As Administrator.
- A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
- If not, delete the file, then download and use the one provided in Link 2.
- If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
- Do not reboot until instructed.
- If the tool does not run from any of the links provided, please let me know.
Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
March 16th, 2011, 06:13 PM
krh1326

Hi Broni,

Again, thank you for your help.

I followed the outlined steps, exactly, and was able to run combo fix.

I could see that it detected and disinfected "bootkit tdl4".

The thing is, after it ran, and I followed all of the prompts and restarting, my computer started acting really wierd. Alot of hardisk activity and alot of cpu use. The screen and mouse kept freezing up. I ended up manually resetting a couple times, and here I finally am.

ComboFix 11-03-16.01 - Ken Henrikson 03/16/2011 16:53:39.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2815.2308 [GMT -4:00]
Running from: c:\documents and settings\Ken Henrikson\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\winhelp.ini
.
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2011-02-16 to 2011-03-16 )))))))))))))))))))))))))))))))
.
.
2011-03-11 23:01 . 2011-03-11 23:01 -------- d-----w- c:\program files\Firaxis Games
2011-03-09 04:07 . 2011-03-09 04:07 -------- d-----w-cuments and Settings c:\windows\system32\OCUMEN~1
2011-03-07 20:23 . 2011-03-07 20:23 -------- d-----w- c:\windows\system32\5F3F~1
2011-02-26 22:13 . 2008-10-28 10:27 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
2011-02-26 22:13 . 2008-10-28 10:27 49920 ----a-r- c:\windows\system32\drivers\HPZid412.sys
2011-02-26 22:13 . 2008-10-28 10:27 21568 ----a-r- c:\windows\system32\drivers\HPZius12.sys
2011-02-26 22:12 . 2008-10-28 10:27 372736 ----a-r- c:\windows\system32\hppldcoi.dll
2011-02-26 22:12 . 2008-10-28 10:27 309760 ----a-r- c:\windows\system32\difxapi.dll
2011-02-26 22:12 . 2009-02-10 20:03 966656 ----a-r- c:\windows\system32\hpost_p02c.dll
2011-02-26 22:12 . 2009-02-10 20:03 712704 ----a-r- c:\windows\system32\hposwia_p02c.dll
2011-02-26 22:12 . 2009-02-10 20:03 315392 ----a-r- c:\windows\system32\hposc_p02a.dll
2011-02-26 22:08 . 2011-02-26 22:08 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2011-02-26 22:07 . 2011-02-26 22:07 -------- d-----w- c:\program files\Common Files\HP
2011-02-26 19:02 . 2011-02-26 19:40 -------- d-----w- c:\program files\Cisco Systems
2011-02-26 18:54 . 2011-02-26 18:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Cisco Systems
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-05 19:10 . 2010-02-08 02:01 139080 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-03-05 19:10 . 2010-02-08 02:05 270240 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-03-05 19:10 . 2010-02-08 02:01 270240 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-02-27 12:43 . 2010-02-08 02:01 270240 ----a-w- c:\windows\system32\PnkBstrB.ex0
2011-02-09 13:53 . 2004-08-04 05:56 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 05:56 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2010-02-06 22:15 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2010-02-06 22:15 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-04 05:56 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-16 17:59 . 2010-02-08 02:01 138056 -c--a-w- c:\documents and settings\Ken Henrikson\Application Data\PnkBstrK.sys
2011-01-16 17:58 . 2010-02-08 02:01 75136 ----a-w- c:\windows\system32\PnkBstrA.exe
2011-01-07 14:09 . 2004-08-04 05:56 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-04 04:17 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2004-08-04 05:56 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2004-08-04 05:56 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2004-08-04 05:56 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 23:59 . 2004-08-04 05:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:09 . 2010-02-08 00:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2010-02-08 00:56 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 17:26 . 2004-08-04 05:56 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2004-08-04 03:59 385024 ----a-w- c:\windows\system32\html.iec
2010-10-14 03:28 . 2011-01-12 12:12 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\NBHShellExt]
@="{8D2223A2-B3C6-4e32-B096-CDD11F628C60}"
[HKEY_CLASSES_ROOT\CLSID\{8D2223A2-B3C6-4e32-B096-CDD11F628C60}]
2008-02-28 22:39 97064 ----a-w- c:\program files\Nero\Nero8\InCD\NBHShx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2009-03-16 210216]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-11-22 1193848]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2008-06-23 244208]
"DMXLauncher"="c:\program files\Roxio\CinePlayer\DMXLauncher.exe" [2008-06-12 113136]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{7D62E9C2-A61F-B67F-444E-28203605C17E}
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-17 06:24 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-01 06:39 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDAudDeck]
2008-12-31 07:38 33546240 -c--a-r- c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2008-12-08 20:50 54576 -c--a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2007-01-09 03:17 52256 -c--a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2009-03-10 20:54 570664 -c--a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2007-03-15 02:01 71216 -c----w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
2008-02-28 22:39 2049320 -c--a-w- c:\program files\Nero\Nero8\InCD\NBHGui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Electronic Arts\\BattleForge\\Bootstrapper.exe"=
"c:\\Program Files\\Electronic Arts\\BattleForge\\BattleForge.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\krhenrikson\\zombie panic! source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\krhenrikson\\half-life\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [1/12/2011 8:12 AM 84072]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [1/12/2011 8:12 AM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [1/12/2011 8:12 AM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [1/12/2011 8:12 AM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [1/12/2011 8:12 AM 141792]
R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero8\InCD\NBHRegInCDSrv.exe [2/28/2008 6:39 PM 53032]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [1/12/2011 8:12 AM 55840]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [1/12/2011 8:12 AM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [1/12/2011 8:12 AM 88544]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2/6/2010 7:38 PM 993280]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [6/23/2008 10:08 AM 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [6/23/2008 10:06 AM 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [6/23/2008 10:06 AM 166384]
S2 SessionLauncher;SessionLauncher;c:\docume~1\KENHEN~1\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\KENHEN~1\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [1/12/2011 8:12 AM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [1/12/2011 8:12 AM 84264]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [1/22/2011 8:03 PM 39456]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [6/23/2008 10:08 AM 313840]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [6/23/2008 10:05 AM 1120752]
S3 samhid;samhid;c:\windows\system32\drivers\samhid.sys --> c:\windows\system32\drivers\samhid.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-16 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
FF - ProfilePath - c:\documents and settings\Ken Henrikson\Application Data\Mozilla\Firefox\Profiles\ovu13fza.default\
FF - prefs.js: browser.startup.homepage - hxxp://msnmember.msn.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: HP Smart Web Printing: [email protected] - c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - Ext: HP Smart Web Printing: [email protected] - c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Battlefield Heroes Updater: [email protected] - %profile%\extensions\[email protected]
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
MSConfigStartUp-nwiz - nwiz.exe
.
.
.
**************************************************************************
.
disk not found C:\
.
please note that you need administrator rights to perform deep scan
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,61,33,29,68,85,6d,63,4c,a5,34,9c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,61,33,29,68,85,6d,63,4c,a5,34,9c,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-03-16 17:04:57
ComboFix-quarantined-files.txt 2011-03-16 21:04
.
Pre-Run: 259,515,650,048 bytes free
Post-Run: 259,617,124,352 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - B39A9F4895BF307B3752321A0E25BD4F
March 16th, 2011, 07:03 PM
Broni
1. Please open Notepad
- Click Start , then Run
- Type notepad .exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:

DirLook:: c:\windows\system32\OCUMEN~1 c:\windows\system32\5F3F~1 Registry:: [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{7D62E9C2-A61F-B67F-444E-28203605C17E}] [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=- [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=-

3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

https://discussions.virtualdr.com/im.../2016/03/2.gif

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
- Combofix.txt
March 16th, 2011, 09:10 PM
krh1326

Thank you again, here is the log.

ComboFix 11-03-16.01 - Ken Henrikson 03/16/2011 20:50:50.2.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2815.2314 [GMT -4:00]
Running from: c:\documents and settings\Ken Henrikson\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ken Henrikson\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2011-02-17 to 2011-03-17 )))))))))))))))))))))))))))))))
.
.
2011-03-11 23:01 . 2011-03-11 23:01 -------- d-----w- c:\program files\Firaxis Games
2011-03-09 04:07 . 2011-03-09 04:07 -------- d-----w-cuments and Settings c:\windows\system32\OCUMEN~1
2011-03-07 20:23 . 2011-03-07 20:23 -------- d-----w- c:\windows\system32\5F3F~1
2011-02-26 22:13 . 2008-10-28 10:27 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
2011-02-26 22:13 . 2008-10-28 10:27 49920 ----a-r- c:\windows\system32\drivers\HPZid412.sys
2011-02-26 22:13 . 2008-10-28 10:27 21568 ----a-r- c:\windows\system32\drivers\HPZius12.sys
2011-02-26 22:12 . 2008-10-28 10:27 372736 ----a-r- c:\windows\system32\hppldcoi.dll
2011-02-26 22:12 . 2008-10-28 10:27 309760 ----a-r- c:\windows\system32\difxapi.dll
2011-02-26 22:12 . 2009-02-10 20:03 966656 ----a-r- c:\windows\system32\hpost_p02c.dll
2011-02-26 22:12 . 2009-02-10 20:03 712704 ----a-r- c:\windows\system32\hposwia_p02c.dll
2011-02-26 22:12 . 2009-02-10 20:03 315392 ----a-r- c:\windows\system32\hposc_p02a.dll
2011-02-26 22:08 . 2011-02-26 22:08 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2011-02-26 22:07 . 2011-02-26 22:07 -------- d-----w- c:\program files\Common Files\HP
2011-02-26 19:02 . 2011-02-26 19:40 -------- d-----w- c:\program files\Cisco Systems
2011-02-26 18:54 . 2011-02-26 18:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Cisco Systems
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-05 19:10 . 2010-02-08 02:01 139080 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-03-05 19:10 . 2010-02-08 02:05 270240 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-03-05 19:10 . 2010-02-08 02:01 270240 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-02-27 12:43 . 2010-02-08 02:01 270240 ----a-w- c:\windows\system32\PnkBstrB.ex0
2011-02-09 13:53 . 2004-08-04 05:56 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 05:56 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2010-02-06 22:15 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2010-02-06 22:15 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-04 05:56 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-16 17:59 . 2010-02-08 02:01 138056 -c--a-w- c:\documents and settings\Ken Henrikson\Application Data\PnkBstrK.sys
2011-01-16 17:58 . 2010-02-08 02:01 75136 ----a-w- c:\windows\system32\PnkBstrA.exe
2011-01-07 14:09 . 2004-08-04 05:56 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-04 04:17 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2004-08-04 05:56 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2004-08-04 05:56 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2004-08-04 05:56 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 23:59 . 2004-08-04 05:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:09 . 2010-02-08 00:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2010-02-08 00:56 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 17:26 . 2004-08-04 05:56 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2004-08-04 03:59 385024 ----a-w- c:\windows\system32\html.iec
2010-10-14 03:28 . 2011-01-12 12:12 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\windows\system32\5F3F~1 ----
.
.
---- Directory of c:\windows\system32\OCUMEN~1 ----
.
.
.
((((((((((((((((((((((((((((( SnapShot@2011-03-16_21.01.32 )))))))))))))))))))))))))))))))))))))))))
.
- 2001-08-23 12:00 . 2011-03-16 20:56 88042 c:\windows\system32\perfc009.dat
+ 2001-08-23 12:00 . 2011-03-17 00:53 88042 c:\windows\system32\perfc009.dat
+ 2001-08-23 12:00 . 2011-03-17 00:53 502644 c:\windows\system32\perfh009.dat
- 2001-08-23 12:00 . 2011-03-16 20:56 502644 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\NBHShellExt]
@="{8D2223A2-B3C6-4e32-B096-CDD11F628C60}"
[HKEY_CLASSES_ROOT\CLSID\{8D2223A2-B3C6-4e32-B096-CDD11F628C60}]
2008-02-28 22:39 97064 ----a-w- c:\program files\Nero\Nero8\InCD\NBHShx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2009-03-16 210216]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-11-22 1193848]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2008-06-23 244208]
"DMXLauncher"="c:\program files\Roxio\CinePlayer\DMXLauncher.exe" [2008-06-12 113136]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-17 06:24 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-01 06:39 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDAudDeck]
2008-12-31 07:38 33546240 -c--a-r- c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2008-12-08 20:50 54576 -c--a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2007-01-09 03:17 52256 -c--a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2009-03-10 20:54 570664 -c--a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2007-03-15 02:01 71216 -c----w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
2008-02-28 22:39 2049320 -c--a-w- c:\program files\Nero\Nero8\InCD\NBHGui.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Electronic Arts\\BattleForge\\Bootstrapper.exe"=
"c:\\Program Files\\Electronic Arts\\BattleForge\\BattleForge.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\krhenrikson\\zombie panic! source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\krhenrikson\\half-life\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [1/12/2011 8:12 AM 84072]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [1/12/2011 8:12 AM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [1/12/2011 8:12 AM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [1/12/2011 8:12 AM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [1/12/2011 8:12 AM 141792]
R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero8\InCD\NBHRegInCDSrv.exe [2/28/2008 6:39 PM 53032]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [1/12/2011 8:12 AM 55840]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [1/12/2011 8:12 AM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [1/12/2011 8:12 AM 88544]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2/6/2010 7:38 PM 993280]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [6/23/2008 10:08 AM 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [6/23/2008 10:06 AM 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [6/23/2008 10:06 AM 166384]
S2 SessionLauncher;SessionLauncher;c:\docume~1\KENHEN~1\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\KENHEN~1\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [1/12/2011 8:12 AM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [1/12/2011 8:12 AM 84264]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [1/22/2011 8:03 PM 39456]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [6/23/2008 10:08 AM 313840]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [6/23/2008 10:05 AM 1120752]
S3 samhid;samhid;c:\windows\system32\drivers\samhid.sys --> c:\windows\system32\drivers\samhid.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-17 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
FF - ProfilePath - c:\documents and settings\Ken Henrikson\Application Data\Mozilla\Firefox\Profiles\ovu13fza.default\
FF - prefs.js: browser.startup.homepage - hxxp://msnmember.msn.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: HP Smart Web Printing: [email protected] - c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - Ext: HP Smart Web Printing: [email protected] - c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Battlefield Heroes Updater: [email protected] - %profile%\extensions\[email protected]
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
disk not found C:\
.
please note that you need administrator rights to perform deep scan
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,61,33,29,68,85,6d,63,4c,a5,34,9c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,61,33,29,68,85,6d,63,4c,a5,34,9c,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-03-16 21:00:54
ComboFix-quarantined-files.txt 2011-03-17 01:00
ComboFix2.txt 2011-03-16 21:04
.
Pre-Run: 259,560,103,936 bytes free
Post-Run: 259,598,934,016 bytes free
.
- - End Of File - - 2F4BE8361A2E995FAF437757193FDE85
March 16th, 2011, 09:13 PM
Broni
How is computer doing?

Download TDSSKiller and save it to your desktop.
- Extract (unzip) its contents to your desktop.
- Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
- If an infected file is detected, the default action will be Cure, click on Continue.
- If a suspicious file is detected, the default action will be Skip, click on Continue.
- It may ask you to reboot the computer to complete the process. Click on Reboot Now.
- If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
- If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
March 16th, 2011, 09:16 PM
krh1326

It is doing better. Not freezing up, but it is so very slow and jumpy. This quad core cpu is usually really fast, but it's just slugging thru.

Going to go follow your latest directions.
Thank you.
March 16th, 2011, 09:33 PM
Broni

OK.......
March 16th, 2011, 09:35 PM
krh1326

Hello Broni,

I still can't thank you enough for all of your time and help so far.

I am NOT a computer wiz, but even I can tell that something is still wierd. This thing is just c-r-a-w-l-i-n-g on the internet. Not sure what is going on but here is the last log you required.

2011/03/16 21:24:40.0656 2692 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/03/16 21:24:42.0656 2692 ================================================================================
2011/03/16 21:24:42.0656 2692 SystemInfo:
2011/03/16 21:24:42.0656 2692
2011/03/16 21:24:42.0656 2692 OS Version: 5.1.2600 ServicePack: 3.0
2011/03/16 21:24:42.0656 2692 Product type: Workstation
2011/03/16 21:24:42.0656 2692 ComputerName: ASUS-DESKTOP
2011/03/16 21:24:42.0656 2692 UserName: Ken Henrikson
2011/03/16 21:24:42.0656 2692 Windows directory: C:\WINDOWS
2011/03/16 21:24:42.0656 2692 System windows directory: C:\WINDOWS
2011/03/16 21:24:42.0656 2692 Processor architecture: Intel x86
2011/03/16 21:24:42.0656 2692 Number of processors: 4
2011/03/16 21:24:42.0656 2692 Page size: 0x1000
2011/03/16 21:24:42.0656 2692 Boot type: Normal boot
2011/03/16 21:24:42.0656 2692 ================================================================================
2011/03/16 21:24:42.0750 2692 Initialize success
2011/03/16 21:25:00.0468 2756 ================================================================================
2011/03/16 21:25:00.0468 2756 Scan started
2011/03/16 21:25:00.0468 2756 Mode: Manual;
2011/03/16 21:25:00.0468 2756 ================================================================================
2011/03/16 21:25:02.0500 2756 ================================================================================
2011/03/16 21:25:02.0500 2756 Scan finished
2011/03/16 21:25:02.0500 2756 ================================================================================
March 16th, 2011, 09:42 PM
Broni
We'll keep checking....

Please download Rootkit Unhooker from one of the following links and save it to your desktop.
- Link 1 (.exe file)
  Link 2 (zipped file)
  Link 3 (.rar file)
In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracing ZIP and RAR compressed files. If you don't have an extraction program, you can downlaod, install and use the free 7-zip utility.
- Double-click on RKUnhookerLE.exe to start the program.
  Vista/Windows 7 users right-click and select Run As Administrator.
- Click the Report tab, then click Scan.
- Check Drivers, Stealth, and uncheck the rest.
- Click OK.
- Wait until it's finished and then go to File > Save Report.
- Save the report to your Desktop.
- Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".

Show 40 post(s) from this thread on one page