
Lost all my documents and photos today

Discussion in 'Virus & Other Malware Removal' started by kjsimpson1, Nov 26, 2011.

Thread Status:
Not open for further replies.
  1. kjsimpson1

    kjsimpson1 Thread Starter

    Joined:
    Jul 6, 2011
    Messages:
    41
    Hi, today I caught the googleupdate.exe virus and it was something serious. I have McAfee as a security system on my PC but I'm starting to think it's a total waste. If I can download a more dependable security system, please advise. I was streaming online and suddenly the webpage closed and I received about 15 error messages about system32. I did a hard shutdown so I could go to safe mode and run the Malwarebytes search. It found 4 items. I rebooted and the 15 system errors came up again along with another error threatening the disc space. This time I decided to do a system restore. The earliest restore point was on the 22nd of this month (I don't know how to change this setting) so I did the restore. I did another Malwarebytes "full" search which revealed 2 additional bugs. I have the search logs so let me know if you need them. So far, everything is OK - except - all of my documents, important files, photos, etc. are gone. When I restarted the computer there was a flash which showed the folders, but they disappeared. I ran a search on the computer and none of the photos or anything exist on the C drive. Are they totally gone? These are tons of photos of my children from birth to now so I'm totally done if they are. :mad:
     
  2. vicks

    vicks

    Joined:
    Jan 31, 2005
    Messages:
    5,145
    I suggest that you request a moderator to move this thread to the virus and other malware forum. I suspect that your computer is still infected. The folks there are the ones authorized to help on this type of thing. (those authorized have a gold/green or blue shield next to their names).
    Good luck
    Vicks
     
  3. kjsimpson1

    kjsimpson1 Thread Starter

    Joined:
    Jul 6, 2011
    Messages:
    41
    oh..ok. thanks for your help Vicks :).
     
  4. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,895
    First Name:
    Karen
    Please post your MalwareBytes logs.

    Also, please download Unhide and save it to your desktop. Double-click the Unhide.exe icon on your desktop and allow the program to run. This program will remove the hidden attribute from all the files on your hard drives, some of which were set by malware. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.

    This may take some time so please be patient and wait for it to finish. Let me know if your missing files are now visible please.
     
  5. kjsimpson1

    kjsimpson1 Thread Starter

    Joined:
    Jul 6, 2011
    Messages:
    41
    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8248

    Windows 6.0.6002 Service Pack 2 (Safe Mode)
    Internet Explorer 9.0.8112.16421

    11/26/2011 11:15:50 AM
    mbam-log-2011-11-26 (11-15-50).txt

    Scan type: Quick scan
    Objects scanned: 166953
    Time elapsed: 4 minute(s), 16 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\Users\owner\AppData\Local\temp\77C4.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\Users\owner\AppData\Local\temp\googleupdate.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\WINDOWS\Temp\goo19FF.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    ___________________________-

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8248

    Windows 6.0.6002 Service Pack 2 (Safe Mode)
    Internet Explorer 9.0.8112.16421

    11/26/2011 11:19:52 AM
    mbam-log-2011-11-26 (11-19-52).txt

    Scan type: Quick scan
    Objects scanned: 167012
    Time elapsed: 3 minute(s), 2 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
    ---------------------------------------------------

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8248

    Windows 6.0.6002 Service Pack 2 (Safe Mode)
    Internet Explorer 9.0.8112.16421

    11/26/2011 1:29:04 PM
    mbam-log-2011-11-26 (13-29-04).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 330855
    Time elapsed: 53 minute(s), 9 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
    -------------------------------------------

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8251

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 9.0.8112.16421

    11/26/2011 11:37:50 PM
    mbam-log-2011-11-26 (23-37-50).txt

    Scan type: Quick scan
    Objects scanned: 169313
    Time elapsed: 7 minute(s), 55 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
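
The four Malwarebytes logs pasted above share one fixed layout: a header, a block of per-category counts, then one item list per category. The Python parser below is an added example, not part of the original thread and not Malwarebytes' own code; it splits such a paste into individual logs, checks that each declared count matches the items actually listed (a quick way to spot a truncated paste), and lists detections that were not removed. The names `parse_logs`, `check_counts`, `unresolved` and `family_totals` are this example's own, and `SAMPLE` is constructed input modelled on the format above.

```python
import re
from collections import Counter

CATEGORIES = ("Memory Processes", "Memory Modules", "Registry Keys",
              "Registry Values", "Registry Data Items", "Folders", "Files")
# First line of every log; also used to split a paste that holds several logs.
HEADER = re.compile(r"^[ \t]*Malwarebytes' Anti-Malware ([\d.]+)[ \t]*$", re.M)
# "Files Infected: 3" is a summary count, "Files Infected:" opens an item list.
SECTION = re.compile(r"^(%s) Infected:\s*(\d*)$" % "|".join(CATEGORIES))
# object (Family.Name) -> [Bad: (x) Good: (y) ->] action taken
ITEM = re.compile(
    r"^(?P<object>.+?) \((?P<family>[\w.\-]+)\) -> "
    r"(?:Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> )?(?P<action>.+)$")


def parse_one(chunk):
    """Parse a single log into metadata, summary counts and detected items."""
    log = {"version": HEADER.match(chunk).group(1), "database": None,
           "safe_mode": False, "scan_type": None, "summary": {}, "items": []}
    current = None  # category whose item list we are inside
    for line in (raw.strip() for raw in chunk.splitlines()):
        section = SECTION.match(line)
        if section:
            name, count = section.groups()
            if count:
                log["summary"][name] = int(count)
            else:
                current = name
        elif line.startswith("Database version:"):
            log["database"] = line.split(":", 1)[1].strip()
        elif line.startswith("Scan type:"):
            log["scan_type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Windows ") and line.endswith("(Safe Mode)"):
            log["safe_mode"] = True
        elif current and ITEM.match(line):
            log["items"].append({"category": current,
                                 **ITEM.match(line).groupdict()})
    return log


def parse_logs(text):
    """Split a paste containing one or more logs and parse each of them."""
    starts = [m.start() for m in HEADER.finditer(text)]
    return [parse_one(text[a:b]) for a, b in zip(starts, starts[1:] + [len(text)])]


def check_counts(log):
    """Return {category: (declared, listed)} wherever the two disagree."""
    listed = Counter(item["category"] for item in log["items"])
    return {c: (n, listed[c]) for c, n in log["summary"].items() if n != listed[c]}


def unresolved(log):
    """Detections whose action text does not report a successful removal."""
    return [i for i in log["items"] if "successfully" not in i["action"].lower()]


def family_totals(logs):
    """Count detections per malware family across all parsed logs."""
    return Counter(i["family"] for log in logs for i in log["items"])


# Constructed sample: two shortened logs. Paths and registry key are invented;
# the second log declares 2 registry data items but lists only 1.
SAMPLE = r"""
Malwarebytes' Anti-Malware 1.51.2.1300
Database version: 8248
Windows 6.0.6002 Service Pack 2 (Safe Mode)
Scan type: Quick scan

Registry Data Items Infected: 0
Files Infected: 2

Registry Data Items Infected:
(No malicious items detected)

Files Infected:
c:\Users\example\AppData\Local\Temp\sample (1).tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\example\AppData\Local\Temp\sample2.exe (Trojan.FakeAlert) -> No action taken.

Malwarebytes' Anti-Malware 1.51.2.1300
Database version: 8248
Windows 6.0.6002 Service Pack 2
Scan type: Full scan (C:\|)

Registry Data Items Infected: 2
Files Infected: 0

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Example\Setting (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

if __name__ == "__main__":
    for n, log in enumerate(parse_logs(SAMPLE), 1):
        print(n, log["scan_type"], "safe mode" if log["safe_mode"] else "normal",
              "mismatch:", check_counts(log),
              "unresolved:", [i["object"] for i in unresolved(log)])
    print(family_totals(parse_logs(SAMPLE)))
```

A non-empty `check_counts` result means the pasted log is incomplete and should be re-posted or attached as a file before anyone relies on it.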
     
  6. kjsimpson1

    kjsimpson1 Thread Starter

    Joined:
    Jul 6, 2011
    Messages:
    41
    WOW! That was extremely fast and from what I can see, I have everything! Thank you so very much :)!
     
  7. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,895
    First Name:
    Karen
    You're welcome. But there's more to do. Also, it's important that you back up those important photos, documents, etc. to an external hard drive or CDs so you don't lose them should something happen to the hard drive.

    Please download DDS by sUBs to your desktop from one of the following locations:

    http://download.bleepingcomputer.com/sUBs/dds.scr
    http://www.forospyware.com/sUBs/dds

    Double-click the DDS.scr to run the tool.

    When DDS has finished scanning, it will open two logs named as follows:

    DDS.txt
    Attach.txt

    Save them both to your desktop. Copy and paste the contents of the DDS.txt and Attach.txt files in your reply please.


    Please download GMER from: http://gmer.net/index.php

    Click on the "Download EXE" button and save the randomly named .exe file to your desktop.

    Note: You must uninstall any CD Emulation programs that you have before running GMER as they can cause conflicts and give false results.

    Double click the GMER .exe file on your desktop to run the tool and it will automatically do a quick scan.

    If the tool warns of rootkit activity and asks if you want to run a full scan, click on No and make sure the following are unchecked on the right-hand side:

    IAT/EAT
    Any drive letter other than the primary system drive (which is generally C).

    Click the Scan button and when the scan is finished, click Save and save the log in Notepad with the name ark.txt to your desktop.

    Note: It's important that all other windows be closed and that you don't touch the mouse or do anything with the computer during the scan as it may cause it to freeze. You should disable your screen saver as if it comes on it may cause the program to freeze.

    Open the ark.txt file and copy and paste the contents of the log here please.
     
  8. kjsimpson1

    kjsimpson1 Thread Starter

    Joined:
    Jul 6, 2011
    Messages:
    41
    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_24
    Run by owner at 22:27:44 on 2011-11-29
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1790.683 [GMT -5:00]
    .
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
    FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\Windows\system32\mfevtps.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\rundll32.exe
    C:\Windows\SMINST\BLService.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\VTech\DownloadManager\System\AgentMonitor.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    C:\Program Files\Verizon Wireless\mp3_downloadmanager_service.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\WLANExt.exe
    C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
    C:\Windows\system32\svchost.exe -k SDRSVC
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\vssvc.exe
    C:\Windows\System32\svchost.exe -k swprv
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uSearch Bar = Preserve
    uStart Page = hxxp://www.google.com/
    uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
    uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
    BHO: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - No File
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111112194408.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
    EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
    mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [AgentMonitor] c:\program files\vtech\downloadmanager\system\AgentMonitor.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [DownloadManagerService] "c:\program files\verizon wireless\dist\servicerunner.exe" /action:startService
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{F656AE55-E4A4-4064-B3EA-1E20F223FCB5} : DhcpNameServer = 192.168.1.254
    Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\cvqlo54n.default\
    FF - prefs.js: browser.search.selectedEngine - Secure Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
    FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    ============= SERVICES / DRIVERS ===============
    .
    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-12-26 464176]
    R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2010-12-26 64880]
    R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-12-26 165680]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-12-26 57600]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-6-17 180816]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-6-17 59456]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-12-26 338176]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-5-9 43040]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-12-26 87656]
    S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-6-17 34248]
    S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-6-17 40552]
    S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-1-20 16896]
    S3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\drivers\WSDScan.sys [2009-10-20 19968]
    .
    =============== Created Last 30 ================
    .
    2011-11-29 21:43:25 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{13160b50-5fbe-46a3-be28-3aefbd7be9a4}\offreg.dll
    2011-11-29 21:43:21 6668624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{13160b50-5fbe-46a3-be28-3aefbd7be9a4}\mpengine.dll
    2011-11-29 04:05:48 -------- d-----w- c:\users\owner\appdata\roaming\com.verizon.mediastore.vzwdownloadmanager.BEEF85639ECFAE88C004EA3A5F976EE5386C7526.1
    2011-11-29 04:05:29 -------- d-----w- c:\program files\MP3DownloadManager
    2011-11-29 04:04:29 -------- d-----w- c:\program files\Verizon Wireless
    2011-11-29 04:04:29 -------- d-----w- c:\program files\common files\i4j_jres
    2011-11-15 02:33:40 -------- d-----w- c:\users\owner\appdata\local\cache
    2011-11-15 02:32:37 -------- d-----w- c:\program files\VTech
    2011-11-15 02:32:36 -------- d-----w- c:\programdata\VTech
    2011-11-13 00:38:37 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
    2011-11-13 00:32:31 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2011-11-13 00:32:21 707584 ----a-w- c:\program files\common files\system\wab32.dll
    2011-11-09 02:51:03 -------- d-----w- c:\program files\Microsoft Security Client
    .
    ==================== Find3M ====================
    .
    2011-11-27 00:38:05 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-24 19:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2011-10-24 19:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2011-10-18 19:32:30 150856 ----a-w- c:\windows\system32\mfevtps.exe
    2011-10-15 18:16:16 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2011-10-15 18:16:16 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2011-10-15 18:16:16 64880 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
    2011-10-15 18:16:16 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2011-10-15 18:16:16 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2011-10-15 18:16:16 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2011-10-15 18:16:16 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
    2011-10-15 18:16:16 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2011-10-15 18:16:16 165680 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
    2011-10-15 18:16:16 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    2011-09-06 13:30:12 2043392 ----a-w- c:\windows\system32\win32k.sys
    .
    ============= FINISH: 22:30:15.33 ===============


    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 4/26/2009 3:47:55 PM
    System Uptime: 11/29/2011 11:34:27 AM (11 hours ago)
    .
    Motherboard: Wistron | | 360A
    Processor: AMD Athlon Dual-Core QL-60 | Socket A | 1900/133mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 102 GiB total, 49.421 GiB free.
    D: is FIXED (NTFS) - 10 GiB total, 1.358 GiB free.
    E: is CDROM (CDFS)
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP630: 11/22/2011 6:48:57 AM - Windows Update
    RP631: 11/23/2011 8:09:43 PM - Scheduled Checkpoint
    RP632: 11/25/2011 11:33:22 AM - Windows Update
    RP633: 11/26/2011 2:10:39 PM - Scheduled Checkpoint
    RP634: 11/26/2011 3:05:23 PM - Restore Operation
    RP635: 11/26/2011 3:19:01 PM - Windows Update
    RP636: 11/26/2011 7:45:08 PM - Restore Operation
    RP637: 11/26/2011 8:04:16 PM - Windows Update
    RP638: 11/26/2011 8:47:40 PM - Installed HP Help and Support.
    RP639: 11/26/2011 8:52:21 PM - Windows Backup
    RP640: 11/27/2011 3:03:24 PM - Windows Update
    RP641: 11/29/2011 4:42:23 PM - Windows Update
    RP642: 11/29/2011 10:15:53 PM - 11292011restore
    .
    ==== Installed Programs ======================
    .
    .
    Update for Microsoft Office 2007 (KB2508958)
    Activation Assistant for the 2007 Microsoft Office suites
    ActiveCheck component for HP Active Support Library
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Reader X (10.1.1)
    Adobe Shockwave Player
    Adobe Shockwave Player 11.6
    Apple Application Support
    Apple Software Update
    Atheros Driver Installation Program
    Canon Easy-WebPrint EX
    Canon IJ Network Scan Utility
    Canon IJ Network Tool
    Canon Inkjet Printer/Scanner/Fax Extended Survey Program
    Canon MP Navigator EX 3.0
    Canon MP560 series MP Drivers
    Canon MP560 series User Registration
    Canon Utilities Easy-PhotoPrint EX
    Canon Utilities My Printer
    Canon Utilities Solution Menu
    Cisco EAP-FAST Module
    Cisco LEAP Module
    Cisco PEAP Module
    Compatibility Pack for the 2007 Office system
    Conexant HD Audio
    CyberLink DVD Suite
    ESU for Microsoft Vista
    HDAUDIO Soft Data Fax Modem with SmartCP
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Active Support Library
    HP Doc Viewer
    HP DVD Play 3.7
    HP Help and Support
    HP Quick Launch Buttons 6.40 D3
    HP Update
    HP User Guides 0118
    HP Wireless Assistant
    HPAsset component for HP Active Support Library
    HPNetworkAssistant
    HPTCSSetup
    InstallMgr
    Java Auto Updater
    Java(TM) 6 Update 24
    LabelPrint
    Learning Lodge Navigator
    Malwarebytes' Anti-Malware version 1.51.2.1300
    McAfee AntiVirus Plus
    McAfee Security Scan Plus
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Default Manager
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2005 Redistributable - KB2467175
    Microsoft Works
    Mozilla Firefox 8.0 (x86 en-US)
    MP3 Download Manager
    MSN Toolbar
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    muvee autoProducer 6.1
    NetWaiting
    NVIDIA Drivers
    Power2Go
    PowerDirector
    PVSonyDll
    QuickTime
    Realtek USB 2.0 Card Reader
    Revo Uninstaller 1.93
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2553074)
    Security Update for 2007 Microsoft Office System (KB2553089)
    Security Update for 2007 Microsoft Office System (KB2553090)
    Security Update for 2007 Microsoft Office System (KB2584063)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB2553073)
    Security Update for Microsoft Office Groove 2007 (KB2552997)
    Security Update for Microsoft Office InfoPath 2007 (KB2510061)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
    Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
    Security Update for Microsoft Office Publisher 2007 (KB2284697)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    swMSM
    Synaptics Pointing Device Driver
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office 2007 System (KB2539530)
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Infopath 2007 Help (KB963662)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Outlook 2007 (KB2583910)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update for Outlook 2007 Junk Email Filter (KB2596560)
    Verizon Wireless Download Manager 2.2.8-SNAPSHOT-r11227
    Visual Studio Tools for the Office system 3.0 Runtime
    Visual Studio Tools for the Office system 3.0 Runtime Service Pack 1 (KB949258)
    VTech Download Agent Library
    WebEx
    .
    ==== Event Viewer Messages From Past Week ========
    .
    11/29/2011 6:03:42 AM, Error: Service Control Manager [7034] - The Tablet PC Input Service service terminated unexpectedly. It has done this 3 time(s).
    11/29/2011 6:03:42 AM, Error: Service Control Manager [7034] - The Superfetch service terminated unexpectedly. It has done this 3 time(s).
    11/29/2011 6:03:42 AM, Error: Service Control Manager [7034] - The ReadyBoost service terminated unexpectedly. It has done this 3 time(s).
    11/29/2011 6:03:42 AM, Error: Service Control Manager [7034] - The Program Compatibility Assistant Service service terminated unexpectedly. It has done this 3 time(s).
    11/29/2011 6:03:42 AM, Error: Service Control Manager [7034] - The Portable Device Enumerator Service service terminated unexpectedly. It has done this 3 time(s).
    11/29/2011 6:03:42 AM, Error: Service Control Manager [7034] - The PnP-X IP Bus Enumerator service terminated unexpectedly. It has done this 3 time(s).
    11/29/2011 6:03:42 AM, Error: Service Control Manager [7034] - The Network Connections service terminated unexpectedly. It has done this 3 time(s).
    11/29/2011 6:03:42 AM, Error: Service Control Manager [7034] - The Distributed Link Tracking Client service terminated unexpectedly. It has done this 3 time(s).
    11/29/2011 6:03:42 AM, Error: Service Control Manager [7034] - The Diagnostic System Host service terminated unexpectedly. It has done this 3 time(s).
    11/29/2011 6:03:42 AM, Error: Service Control Manager [7031] - The WLAN AutoConfig service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    11/29/2011 6:03:42 AM, Error: Service Control Manager [7031] - The Windows Driver Foundation - User-mode Driver Framework service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    11/29/2011 6:03:42 AM, Error: Service Control Manager [7031] - The Windows Audio Endpoint Builder service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    11/29/2011 6:03:42 AM, Error: Service Control Manager [7031] - The Human Interface Device Access service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    11/29/2011 6:03:42 AM, Error: Service Control Manager [7031] - The Desktop Window Manager Session Manager service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    11/29/2011 10:26:53 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    11/29/2011 10:25:58 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    11/28/2011 9:00:24 PM, Error: Service Control Manager [7034] - The Diagnostic System Host service terminated unexpectedly. It has done this 2 time(s).
    11/28/2011 9:00:24 PM, Error: Service Control Manager [7031] - The Tablet PC Input Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    11/28/2011 9:00:24 PM, Error: Service Control Manager [7031] - The Superfetch service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    11/28/2011 9:00:24 PM, Error: Service Control Manager [7031] - The ReadyBoost service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    11/28/2011 9:00:24 PM, Error: Service Control Manager [7031] - The Program Compatibility Assistant Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    11/28/2011 9:00:24 PM, Error: Service Control Manager [7031] - The Portable Device Enumerator Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
    11/28/2011 9:00:24 PM, Error: Service Control Manager [7031] - The PnP-X IP Bus Enumerator service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
    11/28/2011 9:00:24 PM, Error: Service Control Manager [7031] - The Network Connections service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
    11/28/2011 9:00:24 PM, Error: Service Control Manager [7031] - The Distributed Link Tracking Client service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
    11/28/2011 7:30:28 PM, Error: Service Control Manager [7034] - The Diagnostic System Host service terminated unexpectedly. It has done this 1 time(s).
    11/28/2011 7:30:28 PM, Error: Service Control Manager [7031] - The Tablet PC Input Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    11/28/2011 7:30:28 PM, Error: Service Control Manager [7031] - The Superfetch service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    11/28/2011 7:30:28 PM, Error: Service Control Manager [7031] - The ReadyBoost service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    11/28/2011 7:30:28 PM, Error: Service Control Manager [7031] - The Program Compatibility Assistant Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    11/28/2011 7:30:28 PM, Error: Service Control Manager [7031] - The Portable Device Enumerator Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    11/28/2011 7:30:28 PM, Error: Service Control Manager [7031] - The PnP-X IP Bus Enumerator service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    11/28/2011 7:30:28 PM, Error: Service Control Manager [7031] - The Network Connections service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
    11/28/2011 7:30:28 PM, Error: Service Control Manager [7031] - The Distributed Link Tracking Client service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    11/28/2011 6:04:15 AM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    11/27/2011 12:13:05 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    11/27/2011 12:12:06 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service McNaiAnn with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
    11/27/2011 12:10:03 AM, Error: Service Control Manager [7001] - The PnP-X IP Bus Enumerator service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
    11/27/2011 12:09:30 AM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    11/27/2011 12:09:21 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC mfehidk mfenlfk mfewfpk NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr Tcpip tdx Wanarpv6
    11/27/2011 12:09:21 AM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    11/27/2011 12:09:21 AM, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    11/27/2011 12:09:21 AM, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.
    11/27/2011 12:09:21 AM, Error: Service Control Manager [7001] - The TCP/IP Registry Compatibility service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    11/27/2011 12:09:21 AM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    11/27/2011 12:09:21 AM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    11/27/2011 12:09:21 AM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    11/27/2011 12:09:21 AM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    11/27/2011 12:09:21 AM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
    11/27/2011 12:09:21 AM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    11/27/2011 12:09:21 AM, Error: Service Control Manager [7001] - The Network Connections service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    11/27/2011 12:09:21 AM, Error: Service Control Manager [7001] - The McAfee Validation Trust Protection Service service depends on the McAfee Inc. mfehidk service which failed to start because of the following error: A device attached to the system is not functioning.
    11/27/2011 12:09:21 AM, Error: Service Control Manager [7001] - The McAfee Proxy Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.
    11/27/2011 12:09:21 AM, Error: Service Control Manager [7001] - The McAfee Personal Firewall Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.
    11/27/2011 12:09:21 AM, Error: Service Control Manager [7001] - The McAfee McShield service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.
    11/27/2011 12:09:21 AM, Error: Service Control Manager [7001] - The McAfee Firewall Core Service service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.
    11/27/2011 12:09:21 AM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    11/27/2011 12:09:21 AM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    11/27/2011 12:09:21 AM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    11/27/2011 12:09:21 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    11/27/2011 12:09:19 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    11/27/2011 12:08:45 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    11/27/2011 12:08:45 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    11/27/2011 12:08:42 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    11/27/2011 12:08:31 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    11/27/2011 12:08:02 AM, Error: EventLog [6008] - The previous system shutdown at 12:04:50 AM on 11/27/2011 was unexpected.
    11/26/2011 9:03:34 PM, Error: Microsoft-Windows-Windows Defender [2004] - Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Current Error Code: 0x8050a001 Error description: The program can't find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support. Signatures loading: Backup Loading signature version: 1.115.2351.0 Loading engine version: 1.1.7801.0
    11/26/2011 8:41:20 PM, Error: Service Control Manager [7022] - The McAfee VirusScan Announcer service hung on starting.
    11/26/2011 8:06:32 PM, Error: Service Control Manager [7043] - The McAfee McShield service did not shut down properly after receiving a preshutdown control.
    11/26/2011 8:00:17 PM, Error: Microsoft-Windows-Windows Defender [2004] - Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Current Error Code: 0x8050a001 Error description: The program can't find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support. Signatures loading: Backup Loading signature version: 1.115.2351.0 Loading engine version: 1.1.7801.0
    11/26/2011 3:14:35 PM, Error: Microsoft-Windows-Windows Defender [2004] - Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Current Error Code: 0x8050a001 Error description: The program can't find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support. Signatures loading: Backup Loading signature version: 1.115.2351.0 Loading engine version: 1.1.7801.0
    11/26/2011 11:54:18 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    11/26/2011 11:34:03 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: spldr Wanarpv6
    11/26/2011 11:33:05 AM, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\system32\athihvs.dll Error Code: 21
    11/26/2011 11:32:40 AM, Error: EventLog [6008] - The previous system shutdown at 11:29:16 AM on 11/26/2011 was unexpected.
    11/26/2011 11:08:30 AM, Error: EventLog [6008] - The previous system shutdown at 11:05:04 AM on 11/26/2011 was unexpected.
    11/25/2011 12:48:55 AM, Error: EventLog [6008] - The previous system shutdown at 3:00:59 PM on 11/24/2011 was unexpected.
    .
    ==== End Of File ===========================
     
  9. kjsimpson1

    kjsimpson1 Thread Starter

    Joined:
    Jul 6, 2011
    Messages:
    41
    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-11-29 23:56:34
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-5 WDC_WD1200BEVS-60UST0 rev.01.01A01
    Running: 9gwjwvrw.exe; Driver: C:\Users\owner\AppData\Local\Temp\kgloapow.sys


    ---- System - GMER 1.0.15 ----

    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x881B7498]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x881B74C2]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x881B74AE]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x881B7484]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwYieldExecution 8266F982 5 Bytes JMP 881B7488 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    ? C:\Users\owner\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Windows\system32\svchost.exe[332] ntdll.dll!NtCreateFile 778C4224 5 Bytes JMP 00910FEF
    .text C:\Windows\system32\svchost.exe[332] ntdll.dll!NtCreateProcess 778C42E4 5 Bytes JMP 00910000
    .text C:\Windows\system32\svchost.exe[332] ntdll.dll!NtProtectVirtualMemory 778C4B84 5 Bytes JMP 00910FCA
    .text C:\Windows\system32\svchost.exe[332] kernel32.dll!GetStartupInfoW 774A1929 5 Bytes JMP 00150F18
    .text C:\Windows\system32\svchost.exe[332] kernel32.dll!GetStartupInfoA 774A19C9 5 Bytes JMP 0015005E
    .text C:\Windows\system32\svchost.exe[332] kernel32.dll!CreateProcessW 774A1BF3 5 Bytes JMP 00150EE9
    .text C:\Windows\system32\svchost.exe[332] kernel32.dll!CreateProcessA 774A1C28 5 Bytes JMP 0015008A
    .text C:\Windows\system32\svchost.exe[332] kernel32.dll!VirtualProtect 774A1DC3 5 Bytes JMP 00150F55
    .text C:\Windows\system32\svchost.exe[332] kernel32.dll!CreateNamedPipeA 774A2EF5 5 Bytes JMP 00150FCD
    .text C:\Windows\system32\svchost.exe[332] kernel32.dll!CreateNamedPipeW 774A5C0C 5 Bytes JMP 00150FA8
    .text C:\Windows\system32\svchost.exe[332] kernel32.dll!CreatePipe 774C8F06 5 Bytes JMP 00150F33
    .text C:\Windows\system32\svchost.exe[332] kernel32.dll!LoadLibraryExW 774C927C 5 Bytes JMP 00150039
    .text C:\Windows\system32\svchost.exe[332] kernel32.dll!LoadLibraryW 774C9400 5 Bytes JMP 00150F97
    .text C:\Windows\system32\svchost.exe[332] kernel32.dll!LoadLibraryExA 774C9554 5 Bytes JMP 00150F7C
    .text C:\Windows\system32\svchost.exe[332] kernel32.dll!LoadLibraryA 774C957C 5 Bytes JMP 0015001E
    .text C:\Windows\system32\svchost.exe[332] kernel32.dll!VirtualProtectEx 774CDC52 5 Bytes JMP 00150F44
    .text C:\Windows\system32\svchost.exe[332] kernel32.dll!GetProcAddress 774E925B 5 Bytes JMP 0015009B
    .text C:\Windows\system32\svchost.exe[332] kernel32.dll!CreateFileW 774EB0EB 5 Bytes JMP 00150FDE
    .text C:\Windows\system32\svchost.exe[332] kernel32.dll!CreateFileA 774ED07F 5 Bytes JMP 00150FEF
    .text C:\Windows\system32\svchost.exe[332] kernel32.dll!WinExec 775360CF 5 Bytes JMP 00150079
    .text C:\Windows\system32\svchost.exe[332] msvcrt.dll!_wsystem 77047F2F 5 Bytes JMP 00CF0FC3
    .text C:\Windows\system32\svchost.exe[332] msvcrt.dll!system 7704804B 5 Bytes JMP 00CF004E
    .text C:\Windows\system32\svchost.exe[332] msvcrt.dll!_creat 7704BBE1 5 Bytes JMP 00CF0029
    .text C:\Windows\system32\svchost.exe[332] msvcrt.dll!_open 7704D106 5 Bytes JMP 00CF0000
    .text C:\Windows\system32\svchost.exe[332] msvcrt.dll!_wcreat 7704D326 5 Bytes JMP 00CF0FDE
    .text C:\Windows\system32\svchost.exe[332] msvcrt.dll!_wopen 7704D501 5 Bytes JMP 00CF0FEF
    .text C:\Windows\system32\svchost.exe[332] ADVAPI32.dll!RegCreateKeyExA 77A039AB 5 Bytes JMP 00D6001E
    .text C:\Windows\system32\svchost.exe[332] ADVAPI32.dll!RegCreateKeyA 77A03BA9 5 Bytes JMP 00D60FA1
    .text C:\Windows\system32\svchost.exe[332] ADVAPI32.dll!RegOpenKeyA 77A089C7 5 Bytes JMP 00D60FEF
    .text C:\Windows\system32\svchost.exe[332] ADVAPI32.dll!RegCreateKeyW 77A1391E 5 Bytes JMP 00D60F7C
    .text C:\Windows\system32\svchost.exe[332] ADVAPI32.dll!RegCreateKeyExW 77A141F1 5 Bytes JMP 00D60F61
    .text C:\Windows\system32\svchost.exe[332] ADVAPI32.dll!RegOpenKeyExA 77A17C42 5 Bytes JMP 00D60FC3
    .text C:\Windows\system32\svchost.exe[332] ADVAPI32.dll!RegOpenKeyW 77A1E2B5 5 Bytes JMP 00D60FD4
    .text C:\Windows\system32\svchost.exe[332] ADVAPI32.dll!RegOpenKeyExW 77A27BA1 5 Bytes JMP 00D60FB2
    .text C:\Windows\system32\svchost.exe[332] WS2_32.dll!socket 779A36D1 5 Bytes JMP 00D50000
    .text C:\Windows\system32\svchost.exe[332] WININET.dll!InternetOpenA 775A4E33 5 Bytes JMP 00D40FEF
    .text C:\Windows\system32\svchost.exe[332] WININET.dll!InternetOpenUrlA 775ABFCE 5 Bytes JMP 00D4000A
    .text C:\Windows\system32\svchost.exe[332] WININET.dll!InternetOpenW 775DC02E 5 Bytes JMP 00D40FD4
    .text C:\Windows\system32\svchost.exe[332] WININET.dll!InternetOpenUrlW 7760D70A 5 Bytes JMP 00D40FC3
    .text C:\Windows\system32\svchost.exe[1208] ntdll.dll!NtCreateFile 778C4224 5 Bytes JMP 00DA0000
    .text C:\Windows\system32\svchost.exe[1208] ntdll.dll!NtCreateProcess 778C42E4 5 Bytes JMP 00DA0FE5
    .text C:\Windows\system32\svchost.exe[1208] ntdll.dll!NtProtectVirtualMemory 778C4B84 5 Bytes JMP 00DA001B
    .text C:\Windows\system32\svchost.exe[1208] kernel32.dll!GetStartupInfoW 774A1929 5 Bytes JMP 00D5008A
    .text C:\Windows\system32\svchost.exe[1208] kernel32.dll!GetStartupInfoA 774A19C9 5 Bytes JMP 00D50F3A
    .text C:\Windows\system32\svchost.exe[1208] kernel32.dll!CreateProcessW 774A1BF3 5 Bytes JMP 00D50F1F
    .text C:\Windows\system32\svchost.exe[1208] kernel32.dll!CreateProcessA 774A1C28 5 Bytes JMP 00D500AC
    .text C:\Windows\system32\svchost.exe[1208] kernel32.dll!VirtualProtect 774A1DC3 5 Bytes JMP 00D50F66
    .text C:\Windows\system32\svchost.exe[1208] kernel32.dll!CreateNamedPipeA 774A2EF5 5 Bytes JMP 00D50FD4
    .text C:\Windows\system32\svchost.exe[1208] kernel32.dll!CreateNamedPipeW 774A5C0C 5 Bytes JMP 00D50025
    .text C:\Windows\system32\svchost.exe[1208] kernel32.dll!CreatePipe 774C8F06 5 Bytes JMP 00D50065
    .text C:\Windows\system32\svchost.exe[1208] kernel32.dll!LoadLibraryExW 774C927C 5 Bytes JMP 00D50F77
    .text C:\Windows\system32\svchost.exe[1208] kernel32.dll!LoadLibraryW 774C9400 5 Bytes JMP 00D50036
    .text C:\Windows\system32\svchost.exe[1208] kernel32.dll!LoadLibraryExA 774C9554 5 Bytes JMP 00D50F94
    .text C:\Windows\system32\svchost.exe[1208] kernel32.dll!LoadLibraryA 774C957C 5 Bytes JMP 00D50FAF
    .text C:\Windows\system32\svchost.exe[1208] kernel32.dll!VirtualProtectEx 774CDC52 5 Bytes JMP 00D50F55
    .text C:\Windows\system32\svchost.exe[1208] kernel32.dll!GetProcAddress 774E925B 5 Bytes JMP 00D50F0E
    .text C:\Windows\system32\svchost.exe[1208] kernel32.dll!CreateFileW 774EB0EB 1 Byte [E9]
    .text C:\Windows\system32\svchost.exe[1208] kernel32.dll!CreateFileW 774EB0EB 5 Bytes JMP 00D50FEF
    .text C:\Windows\system32\svchost.exe[1208] kernel32.dll!CreateFileA 774ED07F 5 Bytes JMP 00D5000A
    .text C:\Windows\system32\svchost.exe[1208] kernel32.dll!WinExec 775360CF 5 Bytes JMP 00D5009B
    .text C:\Windows\system32\svchost.exe[1208] msvcrt.dll!_wsystem 77047F2F 5 Bytes JMP 00DB0038
    .text C:\Windows\system32\svchost.exe[1208] msvcrt.dll!system 7704804B 5 Bytes JMP 00DB0FAD
    .text C:\Windows\system32\svchost.exe[1208] msvcrt.dll!_creat 7704BBE1 5 Bytes JMP 00DB0FD9
    .text C:\Windows\system32\svchost.exe[1208] msvcrt.dll!_open 7704D106 5 Bytes JMP 00DB000C
    .text C:\Windows\system32\svchost.exe[1208] msvcrt.dll!_wcreat 7704D326 5 Bytes JMP 00DB0FC8
    .text C:\Windows\system32\svchost.exe[1208] msvcrt.dll!_wopen 7704D501 5 Bytes JMP 00DB001D
    .text C:\Windows\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyExA 77A039AB 1 Byte [E9]
    .text C:\Windows\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyExA 77A039AB 5 Bytes JMP 00DE0FAF
    .text C:\Windows\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyA 77A03BA9 5 Bytes JMP 00DE0FC0
    .text C:\Windows\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyA 77A089C7 5 Bytes JMP 00DE0FEF
    .text C:\Windows\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyW 77A1391E 5 Bytes JMP 00DE0051
    .text C:\Windows\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyExW 77A141F1 5 Bytes JMP 00DE0F9E
    .text C:\Windows\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyExA 77A17C42 5 Bytes JMP 00DE001B
    .text C:\Windows\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyW 77A1E2B5 5 Bytes JMP 00DE0000
    .text C:\Windows\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyExW 77A27BA1 5 Bytes JMP 00DE0036
    .text C:\Windows\system32\svchost.exe[1208] WS2_32.dll!socket 779A36D1 5 Bytes JMP 00DC0FE5
    .text C:\Windows\system32\svchost.exe[1872] ntdll.dll!NtCreateFile 778C4224 5 Bytes JMP 00220FEF
    .text C:\Windows\system32\svchost.exe[1872] ntdll.dll!NtCreateProcess 778C42E4 5 Bytes JMP 00220FD4
    .text C:\Windows\system32\svchost.exe[1872] ntdll.dll!NtProtectVirtualMemory 778C4B84 5 Bytes JMP 00220014
    .text C:\Windows\system32\svchost.exe[1872] kernel32.dll!GetStartupInfoW 774A1929 5 Bytes JMP 00210060
    .text C:\Windows\system32\svchost.exe[1872] kernel32.dll!GetStartupInfoA 774A19C9 5 Bytes JMP 00210F1A
    .text C:\Windows\system32\svchost.exe[1872] kernel32.dll!CreateProcessW 774A1BF3 5 Bytes JMP 00210085
    .text C:\Windows\system32\svchost.exe[1872] kernel32.dll!CreateProcessA 774A1C28 5 Bytes JMP 00210EF8
    .text C:\Windows\system32\svchost.exe[1872] kernel32.dll!VirtualProtect 774A1DC3 5 Bytes JMP 00210F46
    .text C:\Windows\system32\svchost.exe[1872] kernel32.dll!CreateNamedPipeA 774A2EF5 5 Bytes JMP 0021000A
    .text C:\Windows\system32\svchost.exe[1872] kernel32.dll!CreateNamedPipeW 774A5C0C 5 Bytes JMP 00210FB9
    .text C:\Windows\system32\svchost.exe[1872] kernel32.dll!CreatePipe 774C8F06 5 Bytes JMP 0021003B
    .text C:\Windows\system32\svchost.exe[1872] kernel32.dll!LoadLibraryExW 774C927C 5 Bytes JMP 00210F61
    .text C:\Windows\system32\svchost.exe[1872] kernel32.dll!LoadLibraryW 774C9400 5 Bytes JMP 00210F8D
    .text C:\Windows\system32\svchost.exe[1872] kernel32.dll!LoadLibraryExA 774C9554 5 Bytes JMP 00210F72
    .text C:\Windows\system32\svchost.exe[1872] kernel32.dll!LoadLibraryA 774C957C 5 Bytes JMP 00210F9E
    .text C:\Windows\system32\svchost.exe[1872] kernel32.dll!VirtualProtectEx 774CDC52 5 Bytes JMP 00210F2B
    .text C:\Windows\system32\svchost.exe[1872] kernel32.dll!GetProcAddress 774E925B 5 Bytes JMP 00210096
    .text C:\Windows\system32\svchost.exe[1872] kernel32.dll!CreateFileW 774EB0EB 5 Bytes JMP 00210FD4
    .text C:\Windows\system32\svchost.exe[1872] kernel32.dll!CreateFileA 774ED07F 5 Bytes JMP 00210FEF
    .text C:\Windows\system32\svchost.exe[1872] kernel32.dll!WinExec 775360CF 5 Bytes JMP 00210F09
    .text C:\Windows\system32\svchost.exe[1872] msvcrt.dll!_wsystem 77047F2F 5 Bytes JMP 00230055
    .text C:\Windows\system32\svchost.exe[1872] msvcrt.dll!system 7704804B 5 Bytes JMP 00230FCA
    .text C:\Windows\system32\svchost.exe[1872] msvcrt.dll!_creat 7704BBE1 5 Bytes JMP 0023003A
    .text C:\Windows\system32\svchost.exe[1872] msvcrt.dll!_open 7704D106 5 Bytes JMP 00230000
    .text C:\Windows\system32\svchost.exe[1872] msvcrt.dll!_wcreat 7704D326 5 Bytes JMP 00230FE5
    .text C:\Windows\system32\svchost.exe[1872] msvcrt.dll!_wopen 7704D501 5 Bytes JMP 00230029
    .text C:\Windows\system32\svchost.exe[1872] ADVAPI32.dll!RegCreateKeyExA 77A039AB 5 Bytes JMP 007E0069
    .text C:\Windows\system32\svchost.exe[1872] ADVAPI32.dll!RegCreateKeyA 77A03BA9 5 Bytes JMP 007E003D
    .text C:\Windows\system32\svchost.exe[1872] ADVAPI32.dll!RegOpenKeyA 77A089C7 5 Bytes JMP 007E0000
    .text C:\Windows\system32\svchost.exe[1872] ADVAPI32.dll!RegCreateKeyW 77A1391E 5 Bytes JMP 007E0058
    .text C:\Windows\system32\svchost.exe[1872] ADVAPI32.dll!RegCreateKeyExW 77A141F1 5 Bytes JMP 007E0FB6
    .text C:\Windows\system32\svchost.exe[1872] ADVAPI32.dll!RegOpenKeyExA 77A17C42 5 Bytes JMP 007E001B
    .text C:\Windows\system32\svchost.exe[1872] ADVAPI32.dll!RegOpenKeyW 77A1E2B5 5 Bytes JMP 007E0FE5
    .text C:\Windows\system32\svchost.exe[1872] ADVAPI32.dll!RegOpenKeyExW 77A27BA1 5 Bytes JMP 007E002C
    .text C:\Windows\system32\svchost.exe[1872] WS2_32.dll!socket 779A36D1 5 Bytes JMP 00240000
    .text C:\Windows\system32\svchost.exe[2268] ntdll.dll!NtCreateFile 778C4224 5 Bytes JMP 00110000
    .text C:\Windows\system32\svchost.exe[2268] ntdll.dll!NtCreateProcess 778C42E4 5 Bytes JMP 00110FD4
    .text C:\Windows\system32\svchost.exe[2268] ntdll.dll!NtProtectVirtualMemory 778C4B84 5 Bytes JMP 00110FE5
    .text C:\Windows\system32\svchost.exe[2268] kernel32.dll!GetStartupInfoW 774A1929 5 Bytes JMP 000E0F55
    .text C:\Windows\system32\svchost.exe[2268] kernel32.dll!GetStartupInfoA 774A19C9 5 Bytes JMP 000E009B
    .text C:\Windows\system32\svchost.exe[2268] kernel32.dll!CreateProcessW 774A1BF3 5 Bytes JMP 000E0F33
    .text C:\Windows\system32\svchost.exe[2268] kernel32.dll!CreateProcessA 774A1C28 5 Bytes JMP 000E00CA
    .text C:\Windows\system32\svchost.exe[2268] kernel32.dll!VirtualProtect 774A1DC3 5 Bytes JMP 000E0F7A
    .text C:\Windows\system32\svchost.exe[2268] kernel32.dll!CreateNamedPipeA 774A2EF5 5 Bytes JMP 000E001B
    .text C:\Windows\system32\svchost.exe[2268] kernel32.dll!CreateNamedPipeW 774A5C0C 5 Bytes JMP 000E0FCA
    .text C:\Windows\system32\svchost.exe[2268] kernel32.dll!CreatePipe 774C8F06 5 Bytes JMP 000E0080
    .text C:\Windows\system32\svchost.exe[2268] kernel32.dll!LoadLibraryExW 774C927C 5 Bytes JMP 000E0F8B
    .text C:\Windows\system32\svchost.exe[2268] kernel32.dll!LoadLibraryW 774C9400 5 Bytes JMP 000E0FA8
    .text C:\Windows\system32\svchost.exe[2268] kernel32.dll!LoadLibraryExA 774C9554 5 Bytes JMP 000E0054
    .text C:\Windows\system32\svchost.exe[2268] kernel32.dll!LoadLibraryA 774C957C 5 Bytes JMP 000E0FB9
    .text C:\Windows\system32\svchost.exe[2268] kernel32.dll!VirtualProtectEx 774CDC52 5 Bytes JMP 000E0065
    .text C:\Windows\system32\svchost.exe[2268] kernel32.dll!GetProcAddress 774E925B 5 Bytes JMP 000E00E5
    .text C:\Windows\system32\svchost.exe[2268] kernel32.dll!CreateFileW 774EB0EB 5 Bytes JMP 000E0000
    .text C:\Windows\system32\svchost.exe[2268] kernel32.dll!CreateFileA 774ED07F 5 Bytes JMP 000E0FEF
    .text C:\Windows\system32\svchost.exe[2268] kernel32.dll!WinExec 775360CF 5 Bytes JMP 000E0F44
    .text C:\Windows\system32\svchost.exe[2268] msvcrt.dll!_wsystem 77047F2F 5 Bytes JMP 001A0055
    .text C:\Windows\system32\svchost.exe[2268] msvcrt.dll!system 7704804B 5 Bytes JMP 001A0044
    .text C:\Windows\system32\svchost.exe[2268] msvcrt.dll!_creat 7704BBE1 5 Bytes JMP 001A0022
    .text C:\Windows\system32\svchost.exe[2268] msvcrt.dll!_open 7704D106 5 Bytes JMP 001A0000
    .text C:\Windows\system32\svchost.exe[2268] msvcrt.dll!_wcreat 7704D326 5 Bytes JMP 001A0033
    .text C:\Windows\system32\svchost.exe[2268] msvcrt.dll!_wopen 7704D501 5 Bytes JMP 001A0011
    .text C:\Windows\system32\svchost.exe[2268] ADVAPI32.dll!RegCreateKeyExA 77A039AB 5 Bytes JMP 002D005B
    .text C:\Windows\system32\svchost.exe[2268] ADVAPI32.dll!RegCreateKeyA 77A03BA9 5 Bytes JMP 002D0FCA
    .text C:\Windows\system32\svchost.exe[2268] ADVAPI32.dll!RegOpenKeyA 77A089C7 5 Bytes JMP 002D0000
    .text C:\Windows\system32\svchost.exe[2268] ADVAPI32.dll!RegCreateKeyW 77A1391E 3 Bytes JMP 002D0FAF
    .text C:\Windows\system32\svchost.exe[2268] ADVAPI32.dll!RegCreateKeyW + 4 77A13922 1 Byte [88]
    .text C:\Windows\system32\svchost.exe[2268] ADVAPI32.dll!RegCreateKeyExW 77A141F1 3 Bytes JMP 002D0F9E
    .text C:\Windows\system32\svchost.exe[2268] ADVAPI32.dll!RegCreateKeyExW + 4 77A141F5 1 Byte [88]
    .text C:\Windows\system32\svchost.exe[2268] ADVAPI32.dll!RegOpenKeyExA 77A17C42 3 Bytes JMP 002D0025
    .text C:\Windows\system32\svchost.exe[2268] ADVAPI32.dll!RegOpenKeyExA + 4 77A17C46 1 Byte [88]
    .text C:\Windows\system32\svchost.exe[2268] ADVAPI32.dll!RegOpenKeyW 77A1E2B5 3 Bytes JMP 002D0FEF
    .text C:\Windows\system32\svchost.exe[2268] ADVAPI32.dll!RegOpenKeyW + 4 77A1E2B9 1 Byte [88]
    .text C:\Windows\system32\svchost.exe[2268] ADVAPI32.dll!RegOpenKeyExW 77A27BA1 5 Bytes JMP 002D0036
    .text C:\Windows\system32\svchost.exe[2268] WS2_32.dll!socket 779A36D1 5 Bytes JMP 001B0FEF
    .text C:\Windows\system32\svchost.exe[2416] ntdll.dll!NtCreateFile 778C4224 5 Bytes JMP 00040FE5
    .text C:\Windows\system32\svchost.exe[2416] ntdll.dll!NtCreateProcess 778C42E4 5 Bytes JMP 00040FB9
    .text C:\Windows\system32\svchost.exe[2416] ntdll.dll!NtProtectVirtualMemory 778C4B84 5 Bytes JMP 00040FD4
    .text C:\Windows\system32\svchost.exe[2416] kernel32.dll!GetStartupInfoW 774A1929 5 Bytes JMP 0001009D
    .text C:\Windows\system32\svchost.exe[2416] kernel32.dll!GetStartupInfoA 774A19C9 5 Bytes JMP 00010F61
    .text C:\Windows\system32\svchost.exe[2416] kernel32.dll!CreateProcessW 774A1BF3 5 Bytes JMP 000100B8
    .text C:\Windows\system32\svchost.exe[2416] kernel32.dll!CreateProcessA 774A1C28 5 Bytes JMP 00010F21
    .text C:\Windows\system32\svchost.exe[2416] kernel32.dll!VirtualProtect 774A1DC3 5 Bytes JMP 00010F83
    .text C:\Windows\system32\svchost.exe[2416] kernel32.dll!CreateNamedPipeA 774A2EF5 5 Bytes JMP 0001001B
    .text C:\Windows\system32\svchost.exe[2416] kernel32.dll!CreateNamedPipeW 774A5C0C 5 Bytes JMP 0001002C
    .text C:\Windows\system32\svchost.exe[2416] kernel32.dll!CreatePipe 774C8F06 5 Bytes JMP 00010F72
    .text C:\Windows\system32\svchost.exe[2416] kernel32.dll!LoadLibraryExW 774C927C 5 Bytes JMP 00010051
    .text C:\Windows\system32\svchost.exe[2416] kernel32.dll!LoadLibraryW 774C9400 5 Bytes JMP 00010FAF
    .text C:\Windows\system32\svchost.exe[2416] kernel32.dll!LoadLibraryExA 774C9554 5 Bytes JMP 00010F94
    .text C:\Windows\system32\svchost.exe[2416] kernel32.dll!LoadLibraryA 774C957C 5 Bytes JMP 00010FC0
    .text C:\Windows\system32\svchost.exe[2416] kernel32.dll!VirtualProtectEx 774CDC52 5 Bytes JMP 00010078
    .text C:\Windows\system32\svchost.exe[2416] kernel32.dll!GetProcAddress 774E925B 5 Bytes JMP 000100C9
    .text C:\Windows\system32\svchost.exe[2416] kernel32.dll!CreateFileW 774EB0EB 5 Bytes JMP 0001000A
    .text C:\Windows\system32\svchost.exe[2416] kernel32.dll!CreateFileA 774ED07F 5 Bytes JMP 00010FEF
    .text C:\Windows\system32\svchost.exe[2416] kernel32.dll!WinExec 775360CF 5 Bytes JMP 00010F46
    .text C:\Windows\system32\svchost.exe[2416] msvcrt.dll!_wsystem 77047F2F 5 Bytes JMP 00060FB9
    .text C:\Windows\system32\svchost.exe[2416] msvcrt.dll!system 7704804B 5 Bytes JMP 00060FCA
    .text C:\Windows\system32\svchost.exe[2416] msvcrt.dll!_creat 7704BBE1 5 Bytes JMP 0006003A
    .text C:\Windows\system32\svchost.exe[2416] msvcrt.dll!_open 7704D106 5 Bytes JMP 00060000
    .text C:\Windows\system32\svchost.exe[2416] msvcrt.dll!_wcreat 7704D326 5 Bytes JMP 00060FDB
    .text C:\Windows\system32\svchost.exe[2416] msvcrt.dll!_wopen 7704D501 5 Bytes JMP 0006001D
    .text C:\Windows\system32\svchost.exe[2416] ADVAPI32.dll!RegCreateKeyExA 77A039AB 5 Bytes JMP 00070FA8
    .text C:\Windows\system32\svchost.exe[2416] ADVAPI32.dll!RegCreateKeyA 77A03BA9 5 Bytes JMP 00070FC3
    .text C:\Windows\system32\svchost.exe[2416] ADVAPI32.dll!RegOpenKeyA 77A089C7 5 Bytes JMP 0007000A
    .text C:\Windows\system32\svchost.exe[2416] ADVAPI32.dll!RegCreateKeyW 77A1391E 5 Bytes JMP 00070054
    .text C:\Windows\system32\svchost.exe[2416] ADVAPI32.dll!RegCreateKeyExW 77A141F1 5 Bytes JMP 00070F8D
    .text C:\Windows\system32\svchost.exe[2416] ADVAPI32.dll!RegOpenKeyExA 77A17C42 5 Bytes JMP 00070FEF
    .text C:\Windows\system32\svchost.exe[2416] ADVAPI32.dll!RegOpenKeyW 77A1E2B5 5 Bytes JMP 0007001B
    .text C:\Windows\system32\svchost.exe[2416] ADVAPI32.dll!RegOpenKeyExW 77A27BA1 5 Bytes JMP 00070FDE
    .text C:\Windows\system32\svchost.exe[2416] WS2_32.dll!socket 779A36D1 5 Bytes JMP 00080000
    .text C:\Windows\system32\svchost.exe[3164] ntdll.dll!NtCreateFile 778C4224 5 Bytes JMP 00240000
    .text C:\Windows\system32\svchost.exe[3164] ntdll.dll!NtCreateProcess 778C42E4 5 Bytes JMP 00240FD4
    .text C:\Windows\system32\svchost.exe[3164] ntdll.dll!NtProtectVirtualMemory 778C4B84 5 Bytes JMP 00240FE5
    .text C:\Windows\system32\svchost.exe[3164] kernel32.dll!GetStartupInfoW 774A1929 5 Bytes JMP 0008009A
    .text C:\Windows\system32\svchost.exe[3164] kernel32.dll!GetStartupInfoA 774A19C9 5 Bytes JMP 00080F4A
    .text C:\Windows\system32\svchost.exe[3164] kernel32.dll!CreateProcessW 774A1BF3 5 Bytes JMP 000800C6
    .text C:\Windows\system32\svchost.exe[3164] kernel32.dll!CreateProcessA 774A1C28 5 Bytes JMP 000800B5
    .text C:\Windows\system32\svchost.exe[3164] kernel32.dll!VirtualProtect 774A1DC3 5 Bytes JMP 00080075
    .text C:\Windows\system32\svchost.exe[3164] kernel32.dll!CreateNamedPipeA 774A2EF5 5 Bytes JMP 0008002C
    .text C:\Windows\system32\svchost.exe[3164] kernel32.dll!CreateNamedPipeW 774A5C0C 5 Bytes JMP 0008003D
    .text C:\Windows\system32\svchost.exe[3164] kernel32.dll!CreatePipe 774C8F06 5 Bytes JMP 00080F65
    .text C:\Windows\system32\svchost.exe[3164] kernel32.dll!LoadLibraryExW 774C927C 5 Bytes JMP 00080F9B
    .text C:\Windows\system32\svchost.exe[3164] kernel32.dll!LoadLibraryW 774C9400 5 Bytes JMP 0008004E
    .text C:\Windows\system32\svchost.exe[3164] kernel32.dll!LoadLibraryExA 774C9554 5 Bytes JMP 00080FAC
    .text C:\Windows\system32\svchost.exe[3164] kernel32.dll!LoadLibraryA 774C957C 5 Bytes JMP 00080FD1
    .text C:\Windows\system32\svchost.exe[3164] kernel32.dll!VirtualProtectEx 774CDC52 5 Bytes JMP 00080F80
    .text C:\Windows\system32\svchost.exe[3164] kernel32.dll!GetProcAddress 774E925B 5 Bytes JMP 000800E1
    .text C:\Windows\system32\svchost.exe[3164] kernel32.dll!CreateFileW 774EB0EB 5 Bytes JMP 0008001B
    .text C:\Windows\system32\svchost.exe[3164] kernel32.dll!CreateFileA 774ED07F 5 Bytes JMP 0008000A
    .text C:\Windows\system32\svchost.exe[3164] kernel32.dll!WinExec 775360CF 5 Bytes JMP 00080F2F
    .text C:\Windows\system32\svchost.exe[3164] msvcrt.dll!_wsystem 77047F2F 5 Bytes JMP 002A0FBC
    .text C:\Windows\system32\svchost.exe[3164] msvcrt.dll!system 7704804B 5 Bytes JMP 002A003D
    .text C:\Windows\system32\svchost.exe[3164] msvcrt.dll!_creat 7704BBE1 5 Bytes JMP 002A0022
    .text C:\Windows\system32\svchost.exe[3164] msvcrt.dll!_open 7704D106 5 Bytes JMP 002A0000
    .text C:\Windows\system32\svchost.exe[3164] msvcrt.dll!_wcreat 7704D326 5 Bytes JMP 002A0FCD
    .text C:\Windows\system32\svchost.exe[3164] msvcrt.dll!_wopen 7704D501 5 Bytes JMP 002A0011
    .text C:\Windows\system32\svchost.exe[3164] ADVAPI32.dll!RegCreateKeyExA 77A039AB 3 Bytes JMP 002C0F97
    .text C:\Windows\system32\svchost.exe[3164] ADVAPI32.dll!RegCreateKeyExA + 4 77A039AF 1 Byte [88]
    .text C:\Windows\system32\svchost.exe[3164] ADVAPI32.dll!RegCreateKeyA 77A03BA9 3 Bytes JMP 002C0FB9
    .text C:\Windows\system32\svchost.exe[3164] ADVAPI32.dll!RegCreateKeyA + 4 77A03BAD 1 Byte [88]
    .text C:\Windows\system32\svchost.exe[3164] ADVAPI32.dll!RegOpenKeyA 77A089C7 3 Bytes JMP 002C0FEF
    .text C:\Windows\system32\svchost.exe[3164] ADVAPI32.dll!RegOpenKeyA + 4 77A089CB 1 Byte [88]
    .text C:\Windows\system32\svchost.exe[3164] ADVAPI32.dll!RegCreateKeyW 77A1391E 5 Bytes JMP 002C0FA8
    .text C:\Windows\system32\svchost.exe[3164] ADVAPI32.dll!RegCreateKeyExW 77A141F1 5 Bytes JMP 002C004A
    .text C:\Windows\system32\svchost.exe[3164] ADVAPI32.dll!RegOpenKeyExA 77A17C42 5 Bytes JMP 002C001B
    .text C:\Windows\system32\svchost.exe[3164] ADVAPI32.dll!RegOpenKeyW 77A1E2B5 5 Bytes JMP 002C000A
    .text C:\Windows\system32\svchost.exe[3164] ADVAPI32.dll!RegOpenKeyExW 77A27BA1 5 Bytes JMP 002C0FD4
    .text C:\Windows\system32\svchost.exe[3164] WS2_32.dll!socket 779A36D1 5 Bytes JMP 002B0FEF
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3300] USER32.dll!GetWindowInfo 7734428E 5 Bytes JMP 55B4E363 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3300] USER32.dll!TrackPopupMenu 773514F3 5 Bytes JMP 55B4E91C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Windows\system32\svchost.exe[3444] ntdll.dll!NtCreateFile 778C4224 5 Bytes JMP 008C0000
    .text C:\Windows\system32\svchost.exe[3444] ntdll.dll!NtCreateProcess 778C42E4 5 Bytes JMP 008C0FD4
    .text C:\Windows\system32\svchost.exe[3444] ntdll.dll!NtProtectVirtualMemory 778C4B84 5 Bytes JMP 008C0FE5
    .text C:\Windows\system32\svchost.exe[3444] kernel32.dll!GetStartupInfoW 774A1929 5 Bytes JMP 001D00CE
    .text C:\Windows\system32\svchost.exe[3444] kernel32.dll!GetStartupInfoA 774A19C9 5 Bytes JMP 001D0F88
    .text C:\Windows\system32\svchost.exe[3444] kernel32.dll!CreateProcessW 774A1BF3 5 Bytes JMP 001D0104
    .text C:\Windows\system32\svchost.exe[3444] kernel32.dll!CreateProcessA 774A1C28 5 Bytes JMP 001D0F6D
    .text C:\Windows\system32\svchost.exe[3444] kernel32.dll!VirtualProtect 774A1DC3 5 Bytes JMP 001D0FB4
    .text C:\Windows\system32\svchost.exe[3444] kernel32.dll!CreateNamedPipeA 774A2EF5 5 Bytes JMP 001D0025
    .text C:\Windows\system32\svchost.exe[3444] kernel32.dll!CreateNamedPipeW 774A5C0C 5 Bytes JMP 001D0036
    .text C:\Windows\system32\svchost.exe[3444] kernel32.dll!CreatePipe 774C8F06 5 Bytes JMP 001D00B3
    .text C:\Windows\system32\svchost.exe[3444] kernel32.dll!LoadLibraryExW 774C927C 5 Bytes JMP 001D008E
    .text C:\Windows\system32\svchost.exe[3444] kernel32.dll!LoadLibraryW 774C9400 5 Bytes JMP 001D006C
    .text C:\Windows\system32\svchost.exe[3444] kernel32.dll!LoadLibraryExA 774C9554 5 Bytes JMP 001D007D
    .text C:\Windows\system32\svchost.exe[3444] kernel32.dll!LoadLibraryA 774C957C 5 Bytes JMP 001D0051
    .text C:\Windows\system32\svchost.exe[3444] kernel32.dll!VirtualProtectEx 774CDC52 5 Bytes JMP 001D0FA3
    .text C:\Windows\system32\svchost.exe[3444] kernel32.dll!GetProcAddress 774E925B 5 Bytes JMP 001D0129
    .text C:\Windows\system32\svchost.exe[3444] kernel32.dll!CreateFileW 774EB0EB 5 Bytes JMP 001D000A
    .text C:\Windows\system32\svchost.exe[3444] kernel32.dll!CreateFileA 774ED07F 5 Bytes JMP 001D0FEF
    .text C:\Windows\system32\svchost.exe[3444] kernel32.dll!WinExec 775360CF 5 Bytes JMP 001D00E9
    .text C:\Windows\system32\svchost.exe[3444] msvcrt.dll!_wsystem 77047F2F 5 Bytes JMP 00950055
    .text C:\Windows\system32\svchost.exe[3444] msvcrt.dll!system 7704804B 5 Bytes JMP 00950044
    .text C:\Windows\system32\svchost.exe[3444] msvcrt.dll!_creat 7704BBE1 5 Bytes JMP 00950022
    .text C:\Windows\system32\svchost.exe[3444] msvcrt.dll!_open 7704D106 5 Bytes JMP 00950000
    .text C:\Windows\system32\svchost.exe[3444] msvcrt.dll!_wcreat 7704D326 5 Bytes JMP 00950033
    .text C:\Windows\system32\svchost.exe[3444] msvcrt.dll!_wopen 7704D501 5 Bytes JMP 00950011
    .text C:\Windows\system32\svchost.exe[3444] ADVAPI32.dll!RegCreateKeyExA 77A039AB 5 Bytes JMP 01020040
    .text C:\Windows\system32\svchost.exe[3444] ADVAPI32.dll!RegCreateKeyA 77A03BA9 5 Bytes JMP 01020FAF
    .text C:\Windows\system32\svchost.exe[3444] ADVAPI32.dll!RegOpenKeyA 77A089C7 5 Bytes JMP 01020FEF
    .text C:\Windows\system32\svchost.exe[3444] ADVAPI32.dll!RegCreateKeyW 77A1391E 5 Bytes JMP 01020F9E
    .text C:\Windows\system32\svchost.exe[3444] ADVAPI32.dll!RegCreateKeyExW 77A141F1 5 Bytes JMP 0102005B
    .text C:\Windows\system32\svchost.exe[3444] ADVAPI32.dll!RegOpenKeyExA 77A17C42 5 Bytes JMP 01020FCA
    .text C:\Windows\system32\svchost.exe[3444] ADVAPI32.dll!RegOpenKeyW 77A1E2B5 5 Bytes JMP 0102000A
    .text C:\Windows\system32\svchost.exe[3444] ADVAPI32.dll!RegOpenKeyExW 77A27BA1 5 Bytes JMP 0102001B
    .text C:\Windows\system32\svchost.exe[3444] WS2_32.dll!socket 779A36D1 5 Bytes JMP 00DF000A
    .text C:\Windows\System32\svchost.exe[3556] ntdll.dll!NtCreateFile 778C4224 5 Bytes JMP 00060000
    .text C:\Windows\System32\svchost.exe[3556] ntdll.dll!NtCreateProcess 778C42E4 5 Bytes JMP 00060FCA
    .text C:\Windows\System32\svchost.exe[3556] ntdll.dll!NtProtectVirtualMemory 778C4B84 5 Bytes JMP 00060FDB
    .text C:\Windows\System32\svchost.exe[3556] kernel32.dll!GetStartupInfoW 774A1929 5 Bytes JMP 000500B1
    .text C:\Windows\System32\svchost.exe[3556] kernel32.dll!GetStartupInfoA 774A19C9 5 Bytes JMP 00050F6B
    .text C:\Windows\System32\svchost.exe[3556] kernel32.dll!CreateProcessW 774A1BF3 5 Bytes JMP 00050F46
    .text C:\Windows\System32\svchost.exe[3556] kernel32.dll!CreateProcessA 774A1C28 5 Bytes JMP 000500DD
    .text C:\Windows\System32\svchost.exe[3556] kernel32.dll!VirtualProtect 774A1DC3 5 Bytes JMP 00050F86
    .text C:\Windows\System32\svchost.exe[3556] kernel32.dll!CreateNamedPipeA 774A2EF5 5 Bytes JMP 00050014
    .text C:\Windows\System32\svchost.exe[3556] kernel32.dll!CreateNamedPipeW 774A5C0C 5 Bytes JMP 00050FC3
    .text C:\Windows\System32\svchost.exe[3556] kernel32.dll!CreatePipe 774C8F06 5 Bytes JMP 00050096
    .text C:\Windows\System32\svchost.exe[3556] kernel32.dll!LoadLibraryExW 774C927C 5 Bytes JMP 00050F97
    .text C:\Windows\System32\svchost.exe[3556] kernel32.dll!LoadLibraryW 774C9400 5 Bytes JMP 00050054
    .text C:\Windows\System32\svchost.exe[3556] kernel32.dll!LoadLibraryExA 774C9554 5 Bytes JMP 00050FA8
    .text C:\Windows\System32\svchost.exe[3556] kernel32.dll!LoadLibraryA 774C957C 5 Bytes JMP 00050039
    .text C:\Windows\System32\svchost.exe[3556] kernel32.dll!VirtualProtectEx 774CDC52 5 Bytes JMP 00050085
    .text C:\Windows\System32\svchost.exe[3556] kernel32.dll!GetProcAddress 774E925B 5 Bytes JMP 000500F8
    .text C:\Windows\System32\svchost.exe[3556] kernel32.dll!CreateFileW 774EB0EB 5 Bytes JMP 00050FDE
    .text C:\Windows\System32\svchost.exe[3556] kernel32.dll!CreateFileA 774ED07F 5 Bytes JMP 00050FEF
    .text C:\Windows\System32\svchost.exe[3556] kernel32.dll!WinExec 775360CF 5 Bytes JMP 000500CC
    .text C:\Windows\System32\svchost.exe[3556] msvcrt.dll!_wsystem 77047F2F 5 Bytes JMP 00070F9A
    .text C:\Windows\System32\svchost.exe[3556] msvcrt.dll!system 7704804B 5 Bytes JMP 00070FAB
    .text C:\Windows\System32\svchost.exe[3556] msvcrt.dll!_creat 7704BBE1 5 Bytes JMP 00070011
    .text C:\Windows\System32\svchost.exe[3556] msvcrt.dll!_open 7704D106 5 Bytes JMP 00070FE3
    .text C:\Windows\System32\svchost.exe[3556] msvcrt.dll!_wcreat 7704D326 5 Bytes JMP 00070FBC
    .text C:\Windows\System32\svchost.exe[3556] msvcrt.dll!_wopen 7704D501 5 Bytes JMP 00070000
    .text C:\Windows\System32\svchost.exe[3556] ADVAPI32.dll!RegCreateKeyExA 77A039AB 5 Bytes JMP 000C0F83
    .text C:\Windows\System32\svchost.exe[3556] ADVAPI32.dll!RegCreateKeyA 77A03BA9 5 Bytes JMP 000C0F9E
    .text C:\Windows\System32\svchost.exe[3556] ADVAPI32.dll!RegOpenKeyA 77A089C7 5 Bytes JMP 000C0000
    .text C:\Windows\System32\svchost.exe[3556] ADVAPI32.dll!RegCreateKeyW 77A1391E 5 Bytes JMP 000C002F
    .text C:\Windows\System32\svchost.exe[3556] ADVAPI32.dll!RegCreateKeyExW 77A141F1 5 Bytes JMP 000C0040
    .text C:\Windows\System32\svchost.exe[3556] ADVAPI32.dll!RegOpenKeyExA 77A17C42 5 Bytes JMP 000C0FD4
    .text C:\Windows\System32\svchost.exe[3556] ADVAPI32.dll!RegOpenKeyW 77A1E2B5 5 Bytes JMP 000C0FE5
    .text C:\Windows\System32\svchost.exe[3556] ADVAPI32.dll!RegOpenKeyExW 77A27BA1 5 Bytes JMP 000C0FB9
    .text C:\Windows\System32\svchost.exe[3556] WS2_32.dll!socket 779A36D1 5 Bytes JMP 001C0FE5
    .text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[4068] kernel32.dll!LoadLibraryW 774C9400 5 Bytes JMP 708F9A63 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
    .text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[4068] kernel32.dll!LoadLibraryA 774C957C 5 Bytes JMP 708F99A1 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
    .text C:\Windows\system32\svchost.exe[4976] ntdll.dll!NtCreateFile 778C4224 5 Bytes JMP 00040FE5
    .text C:\Windows\system32\svchost.exe[4976] ntdll.dll!NtCreateProcess 778C42E4 5 Bytes JMP 0004000A
    .text C:\Windows\system32\svchost.exe[4976] ntdll.dll!NtProtectVirtualMemory 778C4B84 5 Bytes JMP 00040FD4
    .text C:\Windows\system32\svchost.exe[4976] kernel32.dll!GetStartupInfoW 774A1929 5 Bytes JMP 00010098
    .text C:\Windows\system32\svchost.exe[4976] kernel32.dll!GetStartupInfoA 774A19C9 5 Bytes JMP 00010087
    .text C:\Windows\system32\svchost.exe[4976] kernel32.dll!CreateProcessW 774A1BF3 5 Bytes JMP 000100D1
    .text C:\Windows\system32\svchost.exe[4976] kernel32.dll!CreateProcessA 774A1C28 5 Bytes JMP 00010F30
    .text C:\Windows\system32\svchost.exe[4976] kernel32.dll!VirtualProtect 774A1DC3 5 Bytes JMP 00010058
    .text C:\Windows\system32\svchost.exe[4976] kernel32.dll!CreateNamedPipeA 774A2EF5 5 Bytes JMP 00010011
    .text C:\Windows\system32\svchost.exe[4976] kernel32.dll!CreateNamedPipeW 774A5C0C 5 Bytes JMP 00010FC0
    .text C:\Windows\system32\svchost.exe[4976] kernel32.dll!CreatePipe 774C8F06 5 Bytes JMP 00010F52
    .text C:\Windows\system32\svchost.exe[4976] kernel32.dll!LoadLibraryExW 774C927C 5 Bytes JMP 00010F8A
    .text C:\Windows\system32\svchost.exe[4976] kernel32.dll!LoadLibraryW 774C9400 5 Bytes JMP 0001002C
    .text C:\Windows\system32\svchost.exe[4976] kernel32.dll!LoadLibraryExA 774C9554 5 Bytes JMP 00010047
    .text C:\Windows\system32\svchost.exe[4976] kernel32.dll!LoadLibraryA 774C957C 5 Bytes JMP 00010FAF
    .text C:\Windows\system32\svchost.exe[4976] kernel32.dll!VirtualProtectEx 774CDC52 5 Bytes JMP 00010F6D
    .text C:\Windows\system32\svchost.exe[4976] kernel32.dll!GetProcAddress 774E925B 5 Bytes JMP 00010F1F
    .text C:\Windows\system32\svchost.exe[4976] kernel32.dll!CreateFileW 774EB0EB 5 Bytes JMP 00010000
    .text C:\Windows\system32\svchost.exe[4976] kernel32.dll!CreateFileA 774ED07F 5 Bytes JMP 00010FE5
    .text C:\Windows\system32\svchost.exe[4976] kernel32.dll!WinExec 775360CF 5 Bytes JMP 00010F41
    .text C:\Windows\system32\svchost.exe[4976] msvcrt.dll!_wsystem 77047F2F 5 Bytes JMP 00060FAD
    .text C:\Windows\system32\svchost.exe[4976] msvcrt.dll!system 7704804B 5 Bytes JMP 00060038
    .text C:\Windows\system32\svchost.exe[4976] msvcrt.dll!_creat 7704BBE1 5 Bytes JMP 0006001D
    .text C:\Windows\system32\svchost.exe[4976] msvcrt.dll!_open 7704D106 5 Bytes JMP 00060FE3
    .text C:\Windows\system32\svchost.exe[4976] msvcrt.dll!_wcreat 7704D326 5 Bytes JMP 00060FC8
    .text C:\Windows\system32\svchost.exe[4976] msvcrt.dll!_wopen 7704D501 5 Bytes JMP 0006000C
    .text C:\Windows\system32\svchost.exe[4976] ADVAPI32.dll!RegCreateKeyExA 77A039AB 5 Bytes JMP 00070FB6
    .text C:\Windows\system32\svchost.exe[4976] ADVAPI32.dll!RegCreateKeyA 77A03BA9 5 Bytes JMP 0007004E
    .text C:\Windows\system32\svchost.exe[4976] ADVAPI32.dll!RegOpenKeyA 77A089C7 5 Bytes JMP 00070000
    .text C:\Windows\system32\svchost.exe[4976] ADVAPI32.dll!RegCreateKeyW 77A1391E 5 Bytes JMP 00070FC7
    .text C:\Windows\system32\svchost.exe[4976] ADVAPI32.dll!RegCreateKeyExW 77A141F1 5 Bytes JMP 00070069
    .text C:\Windows\system32\svchost.exe[4976] ADVAPI32.dll!RegOpenKeyExA 77A17C42 5 Bytes JMP 0007002C
    .text C:\Windows\system32\svchost.exe[4976] ADVAPI32.dll!RegOpenKeyW 77A1E2B5 5 Bytes JMP 00070011
    .text C:\Windows\system32\svchost.exe[4976] ADVAPI32.dll!RegOpenKeyExW 77A27BA1 5 Bytes JMP 0007003D
    .text C:\Windows\system32\svchost.exe[4976] WS2_32.dll!socket 779A36D1 5 Bytes JMP 002B0FEF
    .text C:\Windows\system32\svchost.exe[5384] ntdll.dll!NtCreateFile 778C4224 5 Bytes JMP 00040FEF
    .text C:\Windows\system32\svchost.exe[5384] ntdll.dll!NtCreateProcess 778C42E4 5 Bytes JMP 0004001E
    .text C:\Windows\system32\svchost.exe[5384] ntdll.dll!NtProtectVirtualMemory 778C4B84 5 Bytes JMP 00040FDE
    .text C:\Windows\system32\svchost.exe[5384] kernel32.dll!GetStartupInfoW 774A1929 5 Bytes JMP 000100BA
    .text C:\Windows\system32\svchost.exe[5384] kernel32.dll!GetStartupInfoA 774A19C9 5 Bytes JMP 0001009F
    .text C:\Windows\system32\svchost.exe[5384] kernel32.dll!CreateProcessW 774A1BF3 1 Byte [E9]
    .text C:\Windows\system32\svchost.exe[5384] kernel32.dll!CreateProcessW 774A1BF3 5 Bytes JMP 000100F7
    .text C:\Windows\system32\svchost.exe[5384] kernel32.dll!CreateProcessA 774A1C28 5 Bytes JMP 000100E6
    .text C:\Windows\system32\svchost.exe[5384] kernel32.dll!VirtualProtect 774A1DC3 5 Bytes JMP 00010F8F
    .text C:\Windows\system32\svchost.exe[5384] kernel32.dll!CreateNamedPipeA 774A2EF5 5 Bytes JMP 0001001B
    .text C:\Windows\system32\svchost.exe[5384] kernel32.dll!CreateNamedPipeW 774A5C0C 5 Bytes JMP 0001002C
    .text C:\Windows\system32\svchost.exe[5384] kernel32.dll!CreatePipe 774C8F06 5 Bytes JMP 00010F74
    .text C:\Windows\system32\svchost.exe[5384] kernel32.dll!LoadLibraryExW 774C927C 5 Bytes JMP 00010073
    .text C:\Windows\system32\svchost.exe[5384] kernel32.dll!LoadLibraryW 774C9400 5 Bytes JMP 0001003D
    .text C:\Windows\system32\svchost.exe[5384] kernel32.dll!LoadLibraryExA 774C9554 5 Bytes JMP 00010062
    .text C:\Windows\system32\svchost.exe[5384] kernel32.dll!LoadLibraryA 774C957C 5 Bytes JMP 00010FC0
    .text C:\Windows\system32\svchost.exe[5384] kernel32.dll!VirtualProtectEx 774CDC52 5 Bytes JMP 00010084
    .text C:\Windows\system32\svchost.exe[5384] kernel32.dll!GetProcAddress 774E925B 5 Bytes JMP 00010F45
    .text C:\Windows\system32\svchost.exe[5384] kernel32.dll!CreateFileW 774EB0EB 5 Bytes JMP 0001000A
    .text C:\Windows\system32\svchost.exe[5384] kernel32.dll!CreateFileA 774ED07F 5 Bytes JMP 00010FEF
    .text C:\Windows\system32\svchost.exe[5384] kernel32.dll!WinExec 775360CF 5 Bytes JMP 000100D5
    .text C:\Windows\system32\svchost.exe[5384] msvcrt.dll!_wsystem 77047F2F 5 Bytes JMP 00060FB7
    .text C:\Windows\system32\svchost.exe[5384] msvcrt.dll!system 7704804B 5 Bytes JMP 00060042
    .text C:\Windows\system32\svchost.exe[5384] msvcrt.dll!_creat 7704BBE1 5 Bytes JMP 00060FD2
    .text C:\Windows\system32\svchost.exe[5384] msvcrt.dll!_open 7704D106 5 Bytes JMP 00060000
    .text C:\Windows\system32\svchost.exe[5384] msvcrt.dll!_wcreat 7704D326 5 Bytes JMP 00060027
    .text C:\Windows\system32\svchost.exe[5384] msvcrt.dll!_wopen 7704D501 5 Bytes JMP 00060FEF
    .text C:\Windows\system32\svchost.exe[5384] ADVAPI32.dll!RegCreateKeyExA 77A039AB 5 Bytes JMP 0007002F
    .text C:\Windows\system32\svchost.exe[5384] ADVAPI32.dll!RegCreateKeyA 77A03BA9 5 Bytes JMP 00070FA8
    .text C:\Windows\system32\svchost.exe[5384] ADVAPI32.dll!RegOpenKeyA 77A089C7 5 Bytes JMP 00070000
    .text C:\Windows\system32\svchost.exe[5384] ADVAPI32.dll!RegCreateKeyW 77A1391E 5 Bytes JMP 00070F8D
    .text C:\Windows\system32\svchost.exe[5384] ADVAPI32.dll!RegCreateKeyExW 77A141F1 5 Bytes JMP 00070F68
    .text C:\Windows\system32\svchost.exe[5384] ADVAPI32.dll!RegOpenKeyExA 77A17C42 5 Bytes JMP 00070FCA
    .text C:\Windows\system32\svchost.exe[5384] ADVAPI32.dll!RegOpenKeyW 77A1E2B5 5 Bytes JMP 00070FDB
    .text C:\Windows\system32\svchost.exe[5384] ADVAPI32.dll!RegOpenKeyExW 77A27BA1 5 Bytes JMP 00070FB9
    .text C:\Windows\system32\svchost.exe[5384] WS2_32.dll!socket 779A36D1 5 Bytes JMP 00080000
    .text C:\Windows\Explorer.EXE[6364] ntdll.dll!NtCreateFile 778C4224 5 Bytes JMP 00040000
    .text C:\Windows\Explorer.EXE[6364] ntdll.dll!NtCreateProcess 778C42E4 5 Bytes JMP 0004001B
    .text C:\Windows\Explorer.EXE[6364] ntdll.dll!NtProtectVirtualMemory 778C4B84 5 Bytes JMP 00040FDB
    .text C:\Windows\Explorer.EXE[6364] kernel32.dll!GetStartupInfoW 774A1929 5 Bytes JMP 000100DA
    .text C:\Windows\Explorer.EXE[6364] kernel32.dll!GetStartupInfoA 774A19C9 5 Bytes JMP 00010F94
    .text C:\Windows\Explorer.EXE[6364] kernel32.dll!CreateProcessW 774A1BF3 5 Bytes JMP 00010117
    .text C:\Windows\Explorer.EXE[6364] kernel32.dll!CreateProcessA 774A1C28 5 Bytes JMP 00010106
    .text C:\Windows\Explorer.EXE[6364] kernel32.dll!VirtualProtect 774A1DC3 5 Bytes JMP 0001009D
    .text C:\Windows\Explorer.EXE[6364] kernel32.dll!CreateNamedPipeA 774A2EF5 5 Bytes JMP 00010025
    .text C:\Windows\Explorer.EXE[6364] kernel32.dll!CreateNamedPipeW 774A5C0C 5 Bytes JMP 0001004A
    .text C:\Windows\Explorer.EXE[6364] kernel32.dll!CreatePipe 774C8F06 5 Bytes JMP 000100C9
    .text C:\Windows\Explorer.EXE[6364] kernel32.dll!LoadLibraryExW 774C927C 5 Bytes JMP 00010FB9
    .text C:\Windows\Explorer.EXE[6364] kernel32.dll!LoadLibraryW 774C9400 5 Bytes JMP 00010FD4
    .text C:\Windows\Explorer.EXE[6364] kernel32.dll!LoadLibraryExA 774C9554 5 Bytes JMP 00010076
    .text C:\Windows\Explorer.EXE[6364] kernel32.dll!LoadLibraryA 774C957C 5 Bytes JMP 0001005B
    .text C:\Windows\Explorer.EXE[6364] kernel32.dll!VirtualProtectEx 774CDC52 5 Bytes JMP 000100AE
    .text C:\Windows\Explorer.EXE[6364] kernel32.dll!GetProcAddress 774E925B 5 Bytes JMP 00010132
    .text C:\Windows\Explorer.EXE[6364] kernel32.dll!CreateFileW 774EB0EB 5 Bytes JMP 00010014
    .text C:\Windows\Explorer.EXE[6364] kernel32.dll!CreateFileA 774ED07F 5 Bytes JMP 00010FEF
    .text C:\Windows\Explorer.EXE[6364] kernel32.dll!WinExec 775360CF 5 Bytes JMP 000100EB
    .text C:\Windows\Explorer.EXE[6364] ADVAPI32.dll!RegCreateKeyExA 77A039AB 5 Bytes JMP 00060039
    .text C:\Windows\Explorer.EXE[6364] ADVAPI32.dll!RegCreateKeyA 77A03BA9 5 Bytes JMP 00060014
    .text C:\Windows\Explorer.EXE[6364] ADVAPI32.dll!RegOpenKeyA 77A089C7 5 Bytes JMP 00060FEF
    .text C:\Windows\Explorer.EXE[6364] ADVAPI32.dll!RegCreateKeyW 77A1391E 5 Bytes JMP 00060F8D
    .text C:\Windows\Explorer.EXE[6364] ADVAPI32.dll!RegCreateKeyExW 77A141F1 5 Bytes JMP 00060F72
    .text C:\Windows\Explorer.EXE[6364] ADVAPI32.dll!RegOpenKeyExA 77A17C42 5 Bytes JMP 00060FC3
    .text C:\Windows\Explorer.EXE[6364] ADVAPI32.dll!RegOpenKeyW 77A1E2B5 5 Bytes JMP 00060FD4
    .text C:\Windows\Explorer.EXE[6364] ADVAPI32.dll!RegOpenKeyExW 77A27BA1 5 Bytes JMP 00060FB2
    .text C:\Windows\Explorer.EXE[6364] msvcrt.dll!_wsystem 77047F2F 5 Bytes JMP 00070038
    .text C:\Windows\Explorer.EXE[6364] msvcrt.dll!system 7704804B 5 Bytes JMP 0007001D
    .text C:\Windows\Explorer.EXE[6364] msvcrt.dll!_creat 7704BBE1 5 Bytes JMP 00070FD2
    .text C:\Windows\Explorer.EXE[6364] msvcrt.dll!_open 7704D106 5 Bytes JMP 00070FEF
    .text C:\Windows\Explorer.EXE[6364] msvcrt.dll!_wcreat 7704D326 5 Bytes JMP 00070FB7
    .text C:\Windows\Explorer.EXE[6364] msvcrt.dll!_wopen 7704D501 5 Bytes JMP 0007000C
    .text C:\Windows\Explorer.EXE[6364] WININET.dll!InternetOpenA 775A4E33 5 Bytes JMP 01B40FE5
    .text C:\Windows\Explorer.EXE[6364] WININET.dll!InternetOpenUrlA 775ABFCE 5 Bytes JMP 01B40FC3
    .text C:\Windows\Explorer.EXE[6364] WININET.dll!InternetOpenW 775DC02E 5 Bytes JMP 01B40FD4
    .text C:\Windows\Explorer.EXE[6364] WININET.dll!InternetOpenUrlW 7760D70A 5 Bytes JMP 01B40FB2
    .text C:\Windows\Explorer.EXE[6364] WS2_32.dll!socket 779A36D1 5 Bytes JMP 03B20FEF
    .text C:\Program Files\Mozilla Firefox\firefox.exe[6376] ntdll.dll!LdrLoadDll 778893A8 5 Bytes JMP 559D2EC0 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Windows\system32\services.exe[7652] ntdll.dll!NtCreateFile 778C4224 5 Bytes JMP 001C000A
    .text C:\Windows\system32\services.exe[7652] ntdll.dll!NtCreateProcess 778C42E4 5 Bytes JMP 001C0FE5
    .text C:\Windows\system32\services.exe[7652] ntdll.dll!NtProtectVirtualMemory 778C4B84 5 Bytes JMP 001C001B
    .text C:\Windows\system32\services.exe[7652] kernel32.dll!GetStartupInfoW 774A1929 5 Bytes JMP 00370098

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\tdx \Device\Tcp mfewfpk.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\tdx \Device\Udp mfewfpk.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

    ---- EOF - GMER 1.0.15 ----
     
  10. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Please visit Combofix Guide & Instructions for instructions for installing the recovery console and downloading and running ComboFix.

    The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.

    Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

    Important notes regarding ComboFix:

    ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

    ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.
     
  11. kjsimpson1

    kjsimpson1 Thread Starter

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 9:08:20 PM, on 12/1/2011
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v9.00 (9.00.8112.16421)
    Boot mode: Normal
    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\VTech\DownloadManager\System\AgentMonitor.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
    C:\Windows\system32\cmd.exe
    C:\Program Files\Verizon Wireless\mp3_downloadmanager_service.exe
    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Users\owner\Downloads\HijackThis.exe
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Canon Easy-WebPrint EX BHO - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll
    O2 - BHO: (no name) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - (no file)
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20111112194408.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O3 - Toolbar: Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [AgentMonitor] C:\Program Files\VTech\DownloadManager\System\AgentMonitor.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    O4 - HKLM\..\Run: [DownloadManagerService] "C:\Program Files\Verizon Wireless\dist\servicerunner.exe" /action:startService
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O18 - Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\mcsniepl.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
    O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Canon Inkjet Printer/Scanner/Fax Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
    O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
    O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
    O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Windows\system32\mfevtps.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
    --
    End of file - 8258 bytes


    ComboFix 11-12-01.03 - owner 12/01/2011 20:02:06.5.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1790.1161 [GMT -5:00]
    Running from: c:\users\owner\Desktop\folder\puppy.exe
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
    SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-02 to 2011-12-02 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-02 01:16 . 2011-12-02 01:17 -------- d-----w- c:\users\owner\AppData\Local\temp
    2011-12-02 01:16 . 2011-12-02 01:16 -------- d-----w- c:\users\Public\AppData\Local\temp
    2011-12-02 01:16 . 2011-12-02 01:16 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-12-01 03:21 . 2011-12-01 03:21 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{13160B50-5FBE-46A3-BE28-3AEFBD7BE9A4}\offreg.dll
    2011-11-29 21:43 . 2011-10-07 03:48 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{13160B50-5FBE-46A3-BE28-3AEFBD7BE9A4}\mpengine.dll
    2011-11-29 04:05 . 2011-11-29 04:05 -------- d-----w- c:\users\owner\AppData\Roaming\com.verizon.mediastore.vzwdownloadmanager.BEEF85639ECFAE88C004EA3A5F976EE5386C7526.1
    2011-11-29 04:05 . 2011-11-29 04:05 -------- d-----w- c:\program files\MP3DownloadManager
    2011-11-29 04:04 . 2011-11-29 04:05 -------- d-----w- c:\program files\Verizon Wireless
    2011-11-29 04:04 . 2011-11-29 04:04 -------- d-----w- c:\program files\Common Files\i4j_jres
    2011-11-15 02:33 . 2011-11-15 02:33 -------- d-----w- c:\users\owner\AppData\Local\cache
    2011-11-15 02:32 . 2011-11-15 02:32 -------- d-----w- c:\program files\VTech
    2011-11-15 02:32 . 2011-11-15 02:32 -------- d-----w- c:\programdata\VTech
    2011-11-13 00:38 . 2011-10-17 11:41 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2011-11-13 00:32 . 2011-09-20 21:02 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2011-11-13 00:32 . 2011-09-30 15:57 707584 ----a-w- c:\program files\Common Files\System\wab32.dll
    2011-11-09 02:51 . 2011-11-09 02:53 -------- d-----w- c:\program files\Microsoft Security Client
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-27 00:38 . 2011-05-27 12:02 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-24 19:29 . 2011-10-24 19:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2011-10-24 19:29 . 2011-10-24 19:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2011-10-18 19:32 . 2010-12-26 06:33 150856 ----a-w- c:\windows\system32\mfevtps.exe
    2011-10-15 18:16 . 2010-12-26 06:34 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2011-10-15 18:16 . 2010-12-26 06:33 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2011-10-15 18:16 . 2010-12-26 06:33 64880 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
    2011-10-15 18:16 . 2010-12-26 06:33 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2011-10-15 18:16 . 2010-12-26 06:33 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
    2011-10-15 18:16 . 2010-12-26 06:33 165680 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
    2011-10-15 18:16 . 2010-12-26 06:33 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2011-10-15 18:16 . 2010-12-26 06:33 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    2011-10-15 18:16 . 2009-06-17 22:26 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2011-10-15 18:16 . 2009-06-17 22:26 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2011-09-06 13:30 . 2011-10-12 01:35 2043392 ----a-w- c:\windows\system32\win32k.sys
    2011-11-05 06:53 . 2011-11-13 03:55 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2011-04-14 18:01 . 2010-12-26 06:34 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
    .
    .
    ((((((((((((((((((((((((((((( [email protected]_02.18.22 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-01-21 01:58 . 2011-12-01 03:51 81596 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2006-11-02 13:05 . 2011-12-01 03:51 60520 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2009-04-26 20:16 . 2011-12-01 03:51 19256 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-347521292-1111725995-1454621516-1000_UserData.bin
    + 2009-04-26 20:12 . 2011-12-02 00:56 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-04-26 20:12 . 2011-11-30 21:07 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2011-07-25 20:56 . 2011-12-02 00:56 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2011-07-25 20:56 . 2011-11-30 21:07 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-04-26 20:12 . 2011-12-02 00:56 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-04-26 20:12 . 2011-11-30 21:07 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2011-11-28 11:02 . 2011-11-28 11:02 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2011-12-01 03:21 . 2011-12-01 03:21 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2011-12-01 03:21 . 2011-12-01 03:21 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2011-11-28 11:02 . 2011-11-28 11:02 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2009-04-28 21:01 . 2011-12-01 11:09 313098 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
    + 2009-04-28 05:30 . 2011-12-01 21:50 335548 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
    + 2009-05-09 11:43 . 2011-12-01 23:59 376832 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
    - 2009-05-09 11:43 . 2011-11-30 21:07 376832 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
    - 2011-03-06 19:27 . 2011-11-28 03:54 412712 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2011-03-06 19:27 . 2011-12-01 03:09 412712 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    - 2011-08-09 04:17 . 2011-11-28 03:54 1719312 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-347521292-1111725995-1454621516-1000-8192.dat
    + 2011-08-09 04:17 . 2011-12-01 03:09 1719312 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-347521292-1111725995-1454621516-1000-8192.dat
    - 2011-08-09 04:17 . 2011-11-27 04:45 4609690 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-347521292-1111725995-1454621516-1000-4096.dat
    + 2011-08-09 04:17 . 2011-12-01 03:09 4609690 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-347521292-1111725995-1454621516-1000-4096.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-16 1318552]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "AgentMonitor"="c:\program files\VTech\DownloadManager\System\AgentMonitor.exe" [2011-11-11 351144]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "DownloadManagerService"="c:\program files\Verizon Wireless\dist\servicerunner.exe" [2011-05-18 94008]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKLM\~\startupfolder\C:^Users^owner^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    path=c:\users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
    backupExtension=.Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2011-06-06 16:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
    2009-07-26 18:10 1983816 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
    2009-03-17 16:40 767312 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 15:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
    2008-06-16 12:03 75008 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2010-03-12 17:08 49208 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IJNetworkScanUtility]
    2009-05-19 21:11 136544 ----a-w- c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Default Manager]
    2009-02-03 17:05 233304 ----a-w- c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2009-07-23 19:39 13797920 ----a-w- c:\windows\System32\nvcpl.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl.exe]
    2008-03-14 15:45 202032 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
    2009-09-08 18:18 468264 ----a-w- c:\program files\HP\QuickPlay\QPService.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2011-10-24 19:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
    2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    2008-04-17 18:05 1049896 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
    2008-01-21 02:25 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
    R3 cpuz134;cpuz134;c:\users\owner\AppData\Local\Temp\cpuz134\cpuz134_x32.sys [x]
    R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
    R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-10-15 87656]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-21 16896]
    R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [2009-04-11 19968]
    S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2011-10-15 64880]
    S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-10-15 165680]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
    S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2011-08-10 94880]
    S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2011-01-27 214904]
    S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 214904]
    S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-10-18 160608]
    S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-10-18 150856]
    S2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe [2008-04-26 361808]
    S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-10-15 57600]
    S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-10-15 338176]
    S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-05-09 43040]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - mfeavfk01
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
    uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
    TCP: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - c:\users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\cvqlo54n.default\
    FF - prefs.js: browser.search.selectedEngine - Secure Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-12-01 20:17
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2011-12-01 20:28:36
    ComboFix-quarantined-files.txt 2011-12-02 01:28
    ComboFix2.txt 2011-12-01 02:30
    ComboFix3.txt 2011-07-13 18:27
    .
    Pre-Run: 52,947,292,160 bytes free
    Post-Run: 52,898,209,792 bytes free
    .
    - - End Of File - - 4ED9FF1C8D2F599579C4F5F5957890D9
     
  12. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,895
    First Name:
    Karen
    It looks like you've run ComboFix more than once. I'd like to see this log as well please:

    C:\qoobox\ComboFix2.txt
     
  13. kjsimpson1

    kjsimpson1 Thread Starter

    Joined:
    Jul 6, 2011
    Messages:
    41
    I believe I did something wrong and decided to start over. Here it is.

    ComboFix 11-11-30.03 - owner 11/30/2011 21:03:23.4.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1790.731 [GMT -5:00]
    Running from: c:\users\owner\Desktop\puppy.exe
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
    SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-01 to 2011-12-01 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-01 02:17 . 2011-12-01 02:18 -------- d-----w- c:\users\owner\AppData\Local\temp
    2011-12-01 02:17 . 2011-12-01 02:17 -------- d-----w- c:\users\Public\AppData\Local\temp
    2011-12-01 02:17 . 2011-12-01 02:17 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-11-29 21:43 . 2011-11-29 21:43 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{13160B50-5FBE-46A3-BE28-3AEFBD7BE9A4}\offreg.dll
    2011-11-29 21:43 . 2011-10-07 03:48 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{13160B50-5FBE-46A3-BE28-3AEFBD7BE9A4}\mpengine.dll
    2011-11-29 04:05 . 2011-11-29 04:05 -------- d-----w- c:\users\owner\AppData\Roaming\com.verizon.mediastore.vzwdownloadmanager.BEEF85639ECFAE88C004EA3A5F976EE5386C7526.1
    2011-11-29 04:05 . 2011-11-29 04:05 -------- d-----w- c:\program files\MP3DownloadManager
    2011-11-29 04:04 . 2011-11-29 04:05 -------- d-----w- c:\program files\Verizon Wireless
    2011-11-29 04:04 . 2011-11-29 04:04 -------- d-----w- c:\program files\Common Files\i4j_jres
    2011-11-15 02:33 . 2011-11-15 02:33 -------- d-----w- c:\users\owner\AppData\Local\cache
    2011-11-15 02:32 . 2011-11-15 02:32 -------- d-----w- c:\program files\VTech
    2011-11-15 02:32 . 2011-11-15 02:32 -------- d-----w- c:\programdata\VTech
    2011-11-13 00:38 . 2011-10-17 11:41 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2011-11-13 00:32 . 2011-09-20 21:02 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2011-11-13 00:32 . 2011-09-30 15:57 707584 ----a-w- c:\program files\Common Files\System\wab32.dll
    2011-11-09 02:51 . 2011-11-09 02:53 -------- d-----w- c:\program files\Microsoft Security Client
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-27 00:38 . 2011-05-27 12:02 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-24 19:29 . 2011-10-24 19:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2011-10-24 19:29 . 2011-10-24 19:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2011-10-18 19:32 . 2010-12-26 06:33 150856 ----a-w- c:\windows\system32\mfevtps.exe
    2011-10-15 18:16 . 2010-12-26 06:34 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2011-10-15 18:16 . 2010-12-26 06:33 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2011-10-15 18:16 . 2010-12-26 06:33 64880 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
    2011-10-15 18:16 . 2010-12-26 06:33 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2011-10-15 18:16 . 2010-12-26 06:33 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
    2011-10-15 18:16 . 2010-12-26 06:33 165680 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
    2011-10-15 18:16 . 2010-12-26 06:33 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2011-10-15 18:16 . 2010-12-26 06:33 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    2011-10-15 18:16 . 2009-06-17 22:26 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2011-10-15 18:16 . 2009-06-17 22:26 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2011-09-06 13:30 . 2011-10-12 01:35 2043392 ----a-w- c:\windows\system32\win32k.sys
    2011-11-05 06:53 . 2011-11-13 03:55 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2011-04-14 18:01 . 2010-12-26 06:34 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-16 1318552]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "AgentMonitor"="c:\program files\VTech\DownloadManager\System\AgentMonitor.exe" [2011-11-11 351144]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "DownloadManagerService"="c:\program files\Verizon Wireless\dist\servicerunner.exe" [2011-05-18 94008]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKLM\~\startupfolder\C:^Users^owner^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    path=c:\users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
    backupExtension=.Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2011-06-06 16:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
    2009-07-26 18:10 1983816 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
    2009-03-17 16:40 767312 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 15:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
    2008-06-16 12:03 75008 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2010-03-12 17:08 49208 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IJNetworkScanUtility]
    2009-05-19 21:11 136544 ----a-w- c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Default Manager]
    2009-02-03 17:05 233304 ----a-w- c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2009-07-23 19:39 13797920 ----a-w- c:\windows\System32\nvcpl.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl.exe]
    2008-03-14 15:45 202032 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
    2009-09-08 18:18 468264 ----a-w- c:\program files\HP\QuickPlay\QPService.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2011-10-24 19:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
    2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    2008-04-17 18:05 1049896 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
    2008-01-21 02:25 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
    R3 cpuz134;cpuz134;c:\users\owner\AppData\Local\Temp\cpuz134\cpuz134_x32.sys [x]
    R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
    R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-10-15 87656]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-21 16896]
    R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [2009-04-11 19968]
    S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2011-10-15 64880]
    S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-10-15 165680]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
    S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2011-08-10 94880]
    S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2011-01-27 214904]
    S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 214904]
    S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-10-18 160608]
    S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-10-18 150856]
    S2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe [2008-04-26 361808]
    S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-10-15 57600]
    S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-10-15 338176]
    S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-05-09 43040]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - KGLOAPOW
    *Deregistered* - kgloapow
    *Deregistered* - mfeavfk01
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
    uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
    TCP: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - c:\users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\cvqlo54n.default\
    FF - prefs.js: browser.search.selectedEngine - Secure Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-11-30 21:18
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    .
    c:\users\owner\AppData\Local\Temp\catchme.dll 53248 bytes executable
    .
    scan completed successfully
    hidden files: 1
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2011-11-30 21:29:57
    ComboFix-quarantined-files.txt 2011-12-01 02:29
    ComboFix2.txt 2011-07-13 18:27
    .
    Pre-Run: 52,828,217,344 bytes free
    Post-Run: 53,073,887,232 bytes free
    .
    - - End Of File - - 75E2570B56FC9026E3A8C55CDADD808E
     
  14. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,451
    First Name:
    Derek
    That all looks fine now, with no obvious signs of any malware any longer.
    Are you getting any problems or have they all stopped now?
     
  15. kjsimpson1

    kjsimpson1 Thread Starter

    Joined:
    Jul 6, 2011
    Messages:
    41
    Hi dvk01, as far as the system, something does seem strange. After I ran the ComboFix, Firefox stopped working properly, as well as Internet Explorer. Both run extremely slowly. I decided to uninstall Firefox and I will re-install later, but as for now, it's like torture running Internet Explorer. I like to listen to Pandora on my laptop, but after all this, now it freezes (this is in I.E.), I shut it down, try to relaunch and nothing comes up. It's not just Pandora, I've tried Yahoo, my bank's website and nothing, so I think there's a problem with my Internet Explorer or something. So far I've had to completely shut down, restart, then I can launch the browser properly...until it freezes again.
     

Short URL to this thread: https://techguy.org/1028573
