Browser Hijacked

eighteyedspy

New member
I am pretty much having the same problem as everyone else that has posted. I keep getting redirected to whitepages, asklots, and a whole host of other useless junk sites. I have run spybot, spyware blaster, adaware, IObit, and a whole bunch of other stuff to no avail. This is my first time trying the forums so if I screw up, kindly slap me and I will try again. I have disabled my tea-timer, backed up with ERUNT and am now posting my HJT. Any help, I mean any, will be greatly appreciated.

Thanks.


9:24 PM 11/19/2009
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:24:18 PM, on 11/19/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\services.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\IObit\IObit Security 360\is360tray.exe
C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe
C:\VeXpLite\MONLITE.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe
C:\VeXpLite\viritsvc.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\hp\kbd\kbd.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...home&locale=EN_US&c=71&bd=Presario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {CA3EB689-8F09-4026-AA10-B9534C691CE0} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [CCUTRAYICON] FactoryMode
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Monitor] "C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [IObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart
O4 - HKLM\..\Run: [BHR] C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VeXpLite\MONLITE.EXE
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\Windows\System32\Adobe\SHOCKW~1\SWHELP~2.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; FBSMTWB; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; InfoPath.2; OfficeLiveConnector.1.3; OfficeLivePatch.0.0)" -"http://www.nickjr.com/playtime/shows/dora/games/dora_pyramid.jhtml"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Escape%20Rosecliff%20Island/Images/armhelper.ocx
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Intel(R) Alert Service (AlertService) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: Google Update Service (gupdate1c9e122120b6107) (gupdate1c9e122120b6107) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel DH Service (IntelDHSvcConf) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LeapFrog Connect Device Service - Unknown owner - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: VirIT eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VeXpLite\viritsvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 14228 bytes
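Added example (not part of this thread and not HijackThis's own code): a small Python triage pass over HijackThis log lines like the ones posted above. It flags the entries a helper usually asks about first: orphaned entries whose file no longer exists, unnamed hooks, start/search pages pointing outside the expected vendor hosts, autorun values that are not executable paths, and services with no identified owner. The host allowlist and the sample lines (copied from the log above, plus one benign McAfee service line as a control) are assumptions of this example, and a flag is a prompt for review, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample built from lines of the HijackThis log posted above,
# plus one benign McAfee service line as a control, so the script runs offline.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: (no name) - {CA3EB689-8F09-4026-AA10-B9534C691CE0} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [CCUTRAYICON] FactoryMode
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
"""

# Hosts that legitimately appear in the IE start/search pages of an HP-built
# Vista machine like the one in the log. Assumed allowlist for this example.
KNOWN_URL_HOSTS = ("go.microsoft.com", "ie.redirect.hp.com", "www.microsoft.com")

# HijackThis entries look like "<section> - <body>", e.g. "O4 - HKLM\..\Run: ..."
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://([^/\s]+)")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage_line(line: str) -> List[Finding]:
    """Return zero or more review flags for a single HijackThis log entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []  # headers, process list, blank lines
    section, body = m.group("section"), m.group("body")
    lowered = body.lower()
    findings: List[Finding] = []

    # 1. The registry still points at a file that no longer exists (orphaned entry).
    if "(no file)" in lowered or "(file missing)" in lowered:
        findings.append(Finding(section, "orphaned entry: target file missing", line))

    # 2. Anonymous search hook / BHO / toolbar: vendors almost always register a name.
    if section in ("R3", "O2", "O3") and "(no name)" in lowered:
        findings.append(Finding(section, "unnamed browser hook/BHO", line))

    # 3. Start or search page pointing somewhere other than the expected vendor hosts.
    if section in ("R0", "R1"):
        for host in URL_RE.findall(body):
            if host.lower() not in KNOWN_URL_HOSTS:
                findings.append(Finding(section, f"unexpected start/search host {host}", line))

    # 4. Autorun value whose command does not name an executable at all.
    if section == "O4":
        cmd = body.split("]", 1)[-1].strip().strip('"')
        if not re.search(r"\.(exe|dll|scr)\b", cmd, re.IGNORECASE):
            findings.append(Finding(section, "autorun command is not an executable path", line))

    # 5. Service with no identifiable publisher.
    if section == "O23" and "unknown owner" in lowered:
        findings.append(Finding(section, "service has unknown owner", line))

    return findings


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of a pasted log, preserving order."""
    out: List[Finding] = []
    for line in text.splitlines():
        out.extend(triage_line(line))
    return out


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```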
 
Hi,

Please see this regarding Iobit.


Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double-click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.


Download GMER here by clicking the download exe button and then saving it to your desktop:
  • Double-click the .exe that you downloaded.
  • Click the Rootkit tab and then Scan.
  • Don't check the Show All box while scanning is in progress!
  • When scanning is finished, click Copy.
  • This copies the log to the clipboard.
  • Post the log in your reply.
 
Hey,

Thanks for the response. Ran both apps, but did not see a file called attach.txt. Does dds cause the computer to reboot? Didn't know if that was normal or an error. I disabled scripting through McAfee so I hope it produces the info you need. I am posting the dds.txt log and the gmer log. I have to do two posts, one for each log because they contain too many characters. I know the holidays are coming up so I am in no hurry for a response. I am just grateful to be receiving help at all. Let me know if the logs I'm posting are no good or if you need any further info. Thanks again and Happy Holidays.




DDS (Ver_09-11-23.01) - NTFSx86
Run by The Coppola's at 15:49:25.54 on Mon 11/23/2009
Internet Explorer: 8.0.6001.18828
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1014.116 [GMT -5:00]

SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\IObit\IObit Security 360\is360tray.exe
C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe
C:\VeXpLite\MONLITE.EXE
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\VeXpLite\viritsvc.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\hp\kbd\kbd.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\PROGRA~1\mcafee\msc\mcshell.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Common Files\McAfee\Core\mchost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\The Coppola's\Desktop\dds.scr
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
 
And the GMER (pt. 1)

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-23 18:32:07
Windows 6.0.6001 Service Pack 1
Running: jkgs2plg.exe; Driver: C:\Users\THECOP~1\AppData\Local\Temp\awlyrkow.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8BBA779E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8BBA7738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8BBA774C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8BBA77DC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8BBA7710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8BBA7724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8BBA77B2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8BBA778A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8BBA7776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8BBA780B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8BBA77F2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8BBA77C8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8BBA7762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 81E69190 5 Bytes JMP 8BBA77CC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateUserProcess 8200ADD5 5 Bytes JMP 8BBA7766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 82024F8A 5 Bytes JMP 8BBA780F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 820441D4 5 Bytes JMP 8BBA7728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 82053B10 1 Byte [E9]
PAGE ntkrnlpa.exe!NtOpenProcess 82053B10 5 Bytes JMP 8BBA7714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 8206674E 7 Bytes JMP 8BBA77E0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 82066DA5 5 Bytes JMP 8BBA77F6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 82068FB6 5 Bytes JMP 8BBA77A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 82076674 5 Bytes JMP 8BBA777A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 820788CE 7 Bytes JMP 8BBA77B6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 820D61AF 5 Bytes JMP 8BBA773C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 820D61FA 7 Bytes JMP 8BBA7750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 820D6CB7 5 Bytes JMP 8BBA778E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.rsrc C:\Windows\system32\drivers\iastor.sys entry point in ".rsrc" section [0x82ACB02C]
.text ntdll.dll!NtCreateKey 77A48048 3 Bytes [FF, 25, 1E]
.text ntdll.dll!NtCreateKey + 4 77A4804C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text ntdll.dll!NtSetValueKey 77A49088 3 Bytes [FF, 25, 1E]
.text ntdll.dll!NtSetValueKey + 4 77A4908C 2 Bytes [14, 5F] {ADC AL, 0x5f}

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\taskeng.exe[12] ntdll.dll!NtCreateKey 77A48048 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\taskeng.exe[12] ntdll.dll!NtCreateKey + 4 77A4804C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\system32\taskeng.exe[12] ntdll.dll!NtSetValueKey 77A49088 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\taskeng.exe[12] ntdll.dll!NtSetValueKey + 4 77A4908C 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\system32\taskeng.exe[12] kernel32.dll!CreateProcessW 77911C01 6 Bytes JMP 5F0D0F5A
.text C:\Windows\system32\taskeng.exe[12] kernel32.dll!CreateProcessA 77911C36 6 Bytes JMP 5F0A0F5A
.text C:\Windows\system32\taskeng.exe[12] kernel32.dll!LoadLibraryExW 779330C3 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\taskeng.exe[12] ADVAPI32.dll!CreateProcessAsUserW 7785A8F5 6 Bytes JMP 5F100F5A
.text C:\Windows\system32\taskeng.exe[12] ADVAPI32.dll!CreateServiceW 778838FF 6 Bytes JMP 5F1C0F5A
.text C:\Windows\system32\taskeng.exe[12] ADVAPI32.dll!CreateProcessWithLogonW 778A86A9 6 Bytes JMP 5F040F5A
.text C:\Windows\system32\taskeng.exe[12] ADVAPI32.dll!CreateServiceA 778C6C71 6 Bytes JMP 5F190F5A
.text C:\Windows\Explorer.EXE[272] kernel32.dll!GetStartupInfoW 77911929 5 Bytes JMP 03820087
.text C:\Windows\Explorer.EXE[272] kernel32.dll!GetStartupInfoA 779119C9 5 Bytes JMP 03820076
.text C:\Windows\Explorer.EXE[272] kernel32.dll!CreateProcessW 77911C01 6 Bytes JMP 03820F12
.text C:\Windows\Explorer.EXE[272] kernel32.dll!CreateProcessA 77911C36 6 Bytes JMP 038200B4
.text C:\Windows\Explorer.EXE[272] kernel32.dll!VirtualProtect 77911DD1 5 Bytes JMP 03820F82
.text C:\Windows\Explorer.EXE[272] kernel32.dll!CreateNamedPipeW 77915C44 5 Bytes JMP 03820036
.text C:\Windows\Explorer.EXE[272] kernel32.dll!LoadLibraryExW 779330C3 6 Bytes JMP 0382005B
.text C:\Windows\Explorer.EXE[272] kernel32.dll!LoadLibraryW 7793361F 5 Bytes JMP 03820FAF
.text C:\Windows\Explorer.EXE[272] kernel32.dll!VirtualProtectEx 77938D7E 5 Bytes JMP 03820F67
.text C:\Windows\Explorer.EXE[272] kernel32.dll!LoadLibraryExA 77939469 5 Bytes JMP 03820F9E
.text C:\Windows\Explorer.EXE[272] kernel32.dll!LoadLibraryA 77939491 5 Bytes JMP 03820FCA
.text C:\Windows\Explorer.EXE[272] kernel32.dll!CreatePipe 77940284 5 Bytes JMP 03820F4C
.text C:\Windows\Explorer.EXE[272] kernel32.dll!GetProcAddress 7795B8B6 5 Bytes JMP 03820EF7
.text C:\Windows\Explorer.EXE[272] kernel32.dll!CreateFileW 7795CC4E 5 Bytes JMP 0382001B
.text C:\Windows\Explorer.EXE[272] kernel32.dll!CreateFileA 7795CF71 5 Bytes JMP 03820000
.text C:\Windows\Explorer.EXE[272] kernel32.dll!CreateNamedPipeA 779A430E 5 Bytes JMP 03820FE5
.text C:\Windows\Explorer.EXE[272] kernel32.dll!WinExec 779A54FF 5 Bytes JMP 03820098
.text C:\Windows\Explorer.EXE[272] ADVAPI32.dll!CreateProcessAsUserW 7785A8F5 6 Bytes JMP 5F100F5A
.text C:\Windows\Explorer.EXE[272] ADVAPI32.dll!RegCreateKeyExA 7785B5E7 5 Bytes JMP 037D0FA1
.text C:\Windows\Explorer.EXE[272] ADVAPI32.dll!RegCreateKeyA 7785B8AE 5 Bytes JMP 037D0FC3
.text C:\Windows\Explorer.EXE[272] ADVAPI32.dll!RegOpenKeyA 77860BF5 5 Bytes JMP 037D0000
.text C:\Windows\Explorer.EXE[272] ADVAPI32.dll!RegCreateKeyW 7786B83D 5 Bytes JMP 037D0FB2
.text C:\Windows\Explorer.EXE[272] ADVAPI32.dll!RegCreateKeyExW 7786BCE1 5 Bytes JMP 037D0F86
.text C:\Windows\Explorer.EXE[272] ADVAPI32.dll!RegOpenKeyExA 7786D4E8 5 Bytes JMP 037D0025
.text C:\Windows\Explorer.EXE[272] ADVAPI32.dll!RegOpenKeyW 77873CB0 5 Bytes JMP 037D0FEF
.text C:\Windows\Explorer.EXE[272] ADVAPI32.dll!RegOpenKeyExW 7787F09D 5 Bytes JMP 037D0FD4
.text C:\Windows\Explorer.EXE[272] ADVAPI32.dll!CreateProcessWithLogonW 778A86A9 6 Bytes JMP 5F040F5A
.text C:\Windows\Explorer.EXE[272] msvcrt.dll!_wsystem 77518A47 5 Bytes JMP 037C004C
.text C:\Windows\Explorer.EXE[272] msvcrt.dll!system 77518B63 5 Bytes JMP 037C0FB7
.text C:\Windows\Explorer.EXE[272] msvcrt.dll!_creat 7751C6F1 5 Bytes JMP 037C0FD2
.text C:\Windows\Explorer.EXE[272] msvcrt.dll!_open 7751DA7E 5 Bytes JMP 037C000C
.text C:\Windows\Explorer.EXE[272] msvcrt.dll!_wcreat 7751DC9E 5 Bytes JMP 037C0027
.text C:\Windows\Explorer.EXE[272] msvcrt.dll!_wopen 7751DE79 5 Bytes JMP 037C0FEF
.text C:\Windows\Explorer.EXE[272] WININET.dll!InternetOpenA 771BD690 5 Bytes JMP 024F0FEF
.text C:\Windows\Explorer.EXE[272] WININET.dll!InternetOpenW 771BDB09 5 Bytes JMP 024F000A
.text C:\Windows\Explorer.EXE[272] WININET.dll!InternetOpenUrlA 771BF3A4 5 Bytes JMP 024F0025
.text C:\Windows\Explorer.EXE[272] WININET.dll!InternetOpenUrlW 77206DDF 5 Bytes JMP 024F0036
.text C:\Windows\Explorer.EXE[272] WS2_32.dll!socket 77B936D1 5 Bytes JMP 03830FEF
.text C:\Windows\system32\services.exe[704] kernel32.dll!GetStartupInfoW 77911929 5 Bytes JMP 006A0F6A
.text C:\Windows\system32\services.exe[704] kernel32.dll!GetStartupInfoA 779119C9 5 Bytes JMP 006A00A6
.text C:\Windows\system32\services.exe[704] kernel32.dll!CreateProcessW 77911C01 5 Bytes JMP 006A0F3E
.text C:\Windows\system32\services.exe[704] kernel32.dll!CreateProcessA 77911C36 5 Bytes JMP 006A00D5
.text C:\Windows\system32\services.exe[704] kernel32.dll!VirtualProtect 77911DD1 5 Bytes JMP 006A005F
.text C:\Windows\system32\services.exe[704] kernel32.dll!CreateNamedPipeW 77915C44 5 Bytes JMP 006A0FC0
.text C:\Windows\system32\services.exe[704] kernel32.dll!LoadLibraryExW 779330C3 5 Bytes JMP 006A0F91
.text C:\Windows\system32\services.exe[704] kernel32.dll!LoadLibraryW 7793361F 5 Bytes JMP 006A0033
.text C:\Windows\system32\services.exe[704] kernel32.dll!VirtualProtectEx 77938D7E 5 Bytes JMP 006A007A
.text C:\Windows\system32\services.exe[704] kernel32.dll!LoadLibraryExA 77939469 5 Bytes JMP 006A0044
.text C:\Windows\system32\services.exe[704] kernel32.dll!LoadLibraryA 77939491 5 Bytes JMP 006A0022
.text C:\Windows\system32\services.exe[704] kernel32.dll!CreatePipe 77940284 5 Bytes JMP 006A008B
.text C:\Windows\system32\services.exe[704] kernel32.dll!GetProcAddress 7795B8B6 5 Bytes JMP 006A00F0
.text C:\Windows\system32\services.exe[704] kernel32.dll!CreateFileW 7795CC4E 5 Bytes JMP 006A0011
.text C:\Windows\system32\services.exe[704] kernel32.dll!CreateFileA 7795CF71 5 Bytes JMP 006A0000
.text C:\Windows\system32\services.exe[704] kernel32.dll!CreateNamedPipeA 779A430E 5 Bytes JMP 006A0FDB
.text C:\Windows\system32\services.exe[704] kernel32.dll!WinExec 779A54FF 5 Bytes JMP 006A0F59
.text C:\Windows\system32\services.exe[704] ADVAPI32.dll!RegCreateKeyExA 7785B5E7 5 Bytes JMP 005D0051
.text C:\Windows\system32\services.exe[704] ADVAPI32.dll!RegCreateKeyA 7785B8AE 5 Bytes JMP 005D0FB9
.text C:\Windows\system32\services.exe[704] ADVAPI32.dll!RegOpenKeyA 77860BF5 5 Bytes JMP 005D0FEF
.text C:\Windows\system32\services.exe[704] ADVAPI32.dll!RegCreateKeyW 7786B83D 5 Bytes JMP 005D0040
.text C:\Windows\system32\services.exe[704] ADVAPI32.dll!RegCreateKeyExW 7786BCE1 5 Bytes JMP 005D0F9E
.text C:\Windows\system32\services.exe[704] ADVAPI32.dll!RegOpenKeyExA 7786D4E8 5 Bytes JMP 005D0FD4
.text C:\Windows\system32\services.exe[704] ADVAPI32.dll!RegOpenKeyW 77873CB0 5 Bytes JMP 005D000A
.text C:\Windows\system32\services.exe[704] ADVAPI32.dll!RegOpenKeyExW 7787F09D 5 Bytes JMP 005D0025
.text C:\Windows\system32\services.exe[704] msvcrt.dll!_wsystem 77518A47 5 Bytes JMP 005C0055
.text C:\Windows\system32\services.exe[704] msvcrt.dll!system 77518B63 5 Bytes JMP 005C0044
.text C:\Windows\system32\services.exe[704] msvcrt.dll!_creat 7751C6F1 5 Bytes JMP 005C0029
.text C:\Windows\system32\services.exe[704] msvcrt.dll!_open 7751DA7E 5 Bytes JMP 005C0FEF
.text C:\Windows\system32\services.exe[704] msvcrt.dll!_wcreat 7751DC9E 5 Bytes JMP 005C0FD4
.text C:\Windows\system32\services.exe[704] msvcrt.dll!_wopen 7751DE79 5 Bytes JMP 005C000C
.text C:\Windows\system32\services.exe[704] WININET.dll!InternetOpenA 771BD690 5 Bytes JMP 00570000
.text C:\Windows\system32\services.exe[704] WININET.dll!InternetOpenW 771BDB09 5 Bytes JMP 00570FE5
.text C:\Windows\system32\services.exe[704] WININET.dll!InternetOpenUrlA 771BF3A4 5 Bytes JMP 00570FD4
.text C:\Windows\system32\services.exe[704] WININET.dll!InternetOpenUrlW 77206DDF 5 Bytes JMP 0057001B
.text C:\Windows\system32\services.exe[704] WS2_32.dll!socket 77B936D1 5 Bytes JMP 006B000A
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!GetStartupInfoW 77911929 5 Bytes JMP 008B006C
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!GetStartupInfoA 779119C9 5 Bytes JMP 008B0F30
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!CreateProcessW 77911C01 5 Bytes JMP 008B0ED5
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!CreateProcessA 77911C36 5 Bytes JMP 008B0EE6
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!VirtualProtect 77911DD1 5 Bytes JMP 008B0F5C
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!CreateNamedPipeW 77915C44 5 Bytes JMP 008B0FAF
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!LoadLibraryExW 779330C3 5 Bytes JMP 008B0F79
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!LoadLibraryW 7793361F 5 Bytes JMP 008B0F94
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!VirtualProtectEx 77938D7E 5 Bytes JMP 008B0F41
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!LoadLibraryExA 77939469 5 Bytes JMP 008B0036
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!LoadLibraryA 77939491 5 Bytes JMP 008B001B
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!CreatePipe 77940284 5 Bytes JMP 008B0051
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!GetProcAddress 7795B8B6 2 Bytes JMP 008B0EB0
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!GetProcAddress + 3 7795B8B9 2 Bytes [F5, 88]
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!CreateFileW 7795CC4E 5 Bytes JMP 008B0FD4
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!CreateFileA 7795CF71 5 Bytes JMP 008B0FEF
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!CreateNamedPipeA 779A430E 5 Bytes JMP 008B0000
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!WinExec 779A54FF 5 Bytes JMP 008B0F0B
.text C:\Windows\system32\lsass.exe[732] ADVAPI32.dll!RegCreateKeyExA 7785B5E7 5 Bytes JMP 0015005B
.text C:\Windows\system32\lsass.exe[732] ADVAPI32.dll!RegCreateKeyA 7785B8AE 5 Bytes JMP 00150040
.text C:\Windows\system32\lsass.exe[732] ADVAPI32.dll!RegOpenKeyA 77860BF5 5 Bytes JMP 00150FEF
.text C:\Windows\system32\lsass.exe[732] ADVAPI32.dll!RegCreateKeyW 7786B83D 5 Bytes JMP 00150FB9
.text C:\Windows\system32\lsass.exe[732] ADVAPI32.dll!RegCreateKeyExW 7786BCE1 5 Bytes JMP 00150076
.text C:\Windows\system32\lsass.exe[732] ADVAPI32.dll!RegOpenKeyExA 7786D4E8 5 Bytes JMP 00150025
.text C:\Windows\system32\lsass.exe[732] ADVAPI32.dll!RegOpenKeyW 77873CB0 5 Bytes JMP 0015000A
.text C:\Windows\system32\lsass.exe[732] ADVAPI32.dll!RegOpenKeyExW 7787F09D 5 Bytes JMP 00150FD4
.text C:\Windows\system32\lsass.exe[732] msvcrt.dll!_wsystem 77518A47 5 Bytes JMP 00140F9F
.text C:\Windows\system32\lsass.exe[732] msvcrt.dll!system 77518B63 5 Bytes JMP 00140FB0
.text C:\Windows\system32\lsass.exe[732] msvcrt.dll!_creat 7751C6F1 5 Bytes JMP 00140FC1
.text C:\Windows\system32\lsass.exe[732] msvcrt.dll!_open 7751DA7E 5 Bytes JMP 00140FEF
.text C:\Windows\system32\lsass.exe[732] msvcrt.dll!_wcreat 7751DC9E 5 Bytes JMP 00140016
.text C:\Windows\system32\lsass.exe[732] msvcrt.dll!_wopen 7751DE79 5 Bytes JMP 00140FD2
.text C:\Windows\system32\lsass.exe[732] WS2_32.dll!socket 77B936D1 5 Bytes JMP 008C0FEF
.text C:\Windows\system32\lsass.exe[732] WININET.dll!InternetOpenA 771BD690 5 Bytes JMP 00130FEF
.text C:\Windows\system32\lsass.exe[732] WININET.dll!InternetOpenW 771BDB09 5 Bytes JMP 0013000A
.text C:\Windows\system32\lsass.exe[732] WININET.dll!InternetOpenUrlA 771BF3A4 5 Bytes JMP 0013001B
.text C:\Windows\system32\lsass.exe[732] WININET.dll!InternetOpenUrlW 77206DDF 5 Bytes JMP 00130FCA
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[808] ntdll.dll!NtCreateKey 77A48048 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[808] ntdll.dll!NtCreateKey + 4 77A4804C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[808] ntdll.dll!NtSetValueKey 77A49088 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[808] ntdll.dll!NtSetValueKey + 4 77A4908C 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[808] kernel32.dll!CreateProcessW 77911C01 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[808] kernel32.dll!CreateProcessA 77911C36 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[808] kernel32.dll!LoadLibraryExW 779330C3 6 Bytes JMP 5F070F5A
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[808] ADVAPI32.dll!CreateProcessAsUserW 7785A8F5 6 Bytes JMP 5F100F5A
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[808] ADVAPI32.dll!CreateServiceW 778838FF 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[808] ADVAPI32.dll!CreateProcessWithLogonW 778A86A9 6 Bytes JMP 5F040F5A
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[808] ADVAPI32.dll!CreateServiceA 778C6C71 6 Bytes JMP 5F190F5A
.text C:\Windows\System32\svchost.exe[812] kernel32.dll!GetStartupInfoW 77911929 5 Bytes JMP 000700BD
.text C:\Windows\System32\svchost.exe[812] kernel32.dll!GetStartupInfoA 779119C9 5 Bytes JMP 00070098
.text C:\Windows\System32\svchost.exe[812] kernel32.dll!CreateProcessW 77911C01 5 Bytes JMP 000700E9
.text C:\Windows\System32\svchost.exe[812] kernel32.dll!CreateProcessA 77911C36 5 Bytes JMP 000700D8
.text C:\Windows\System32\svchost.exe[812] kernel32.dll!VirtualProtect 77911DD1 5 Bytes JMP 00070062
.text C:\Windows\System32\svchost.exe[812] kernel32.dll!CreateNamedPipeW 77915C44 5 Bytes JMP 00070036
.text C:\Windows\System32\svchost.exe[812] kernel32.dll!LoadLibraryExW 779330C3 5 Bytes JMP 00070F88
.text C:\Windows\System32\svchost.exe[812] kernel32.dll!LoadLibraryW 7793361F 5 Bytes JMP 00070FC0
.text C:\Windows\System32\svchost.exe[812] kernel32.dll!VirtualProtectEx 77938D7E 5 Bytes JMP 00070073
.text C:\Windows\System32\svchost.exe[812] kernel32.dll!LoadLibraryExA 77939469 5 Bytes JMP 00070FAF
.text C:\Windows\System32\svchost.exe[812] kernel32.dll!LoadLibraryA 77939491 5 Bytes JMP 00070047
.text C:\Windows\System32\svchost.exe[812] kernel32.dll!CreatePipe 77940284 5 Bytes JMP 00070F6D
.text C:\Windows\System32\svchost.exe[812] kernel32.dll!GetProcAddress 7795B8B6 5 Bytes JMP 00070104
.text C:\Windows\System32\svchost.exe[812] kernel32.dll!CreateFileW 7795CC4E 5 Bytes JMP 00070FEF
.text C:\Windows\System32\svchost.exe[812] kernel32.dll!CreateFileA 7795CF71 5 Bytes JMP 0007000A
.text C:\Windows\System32\svchost.exe[812] kernel32.dll!CreateNamedPipeA 779A430E 5 Bytes JMP 00070025
.text C:\Windows\System32\svchost.exe[812] kernel32.dll!WinExec 779A54FF 5 Bytes JMP 00070F52
.text C:\Windows\System32\svchost.exe[812] msvcrt.dll!_wsystem 77518A47 5 Bytes JMP 00090F90
.text C:\Windows\System32\svchost.exe[812] msvcrt.dll!system 77518B63 5 Bytes JMP 00090FAB
.text C:\Windows\System32\svchost.exe[812] msvcrt.dll!_creat 7751C6F1 5 Bytes JMP 00090011
.text C:\Windows\System32\svchost.exe[812] msvcrt.dll!_open 7751DA7E 5 Bytes JMP 00090000
.text C:\Windows\System32\svchost.exe[812] msvcrt.dll!_wcreat 7751DC9E 5 Bytes JMP 00090FC6
.text C:\Windows\System32\svchost.exe[812] msvcrt.dll!_wopen 7751DE79 5 Bytes JMP 00090FE3
.text C:\Windows\System32\svchost.exe[812] ADVAPI32.dll!RegCreateKeyExA 7785B5E7 5 Bytes JMP 000A0065
.text C:\Windows\System32\svchost.exe[812] ADVAPI32.dll!RegCreateKeyA 7785B8AE 5 Bytes JMP 000A0FC3
.text C:\Windows\System32\svchost.exe[812] ADVAPI32.dll!RegOpenKeyA 77860BF5 5 Bytes JMP 000A0FEF
.text C:\Windows\System32\svchost.exe[812] ADVAPI32.dll!RegCreateKeyW 7786B83D 5 Bytes JMP 000A0054
.text C:\Windows\System32\svchost.exe[812] ADVAPI32.dll!RegCreateKeyExW 7786BCE1 5 Bytes JMP 000A008A
.text C:\Windows\System32\svchost.exe[812] ADVAPI32.dll!RegOpenKeyExA 7786D4E8 5 Bytes JMP 000A0014
.text C:\Windows\System32\svchost.exe[812] ADVAPI32.dll!RegOpenKeyW 77873CB0 5 Bytes JMP 000A0FDE
.text C:\Windows\System32\svchost.exe[812] ADVAPI32.dll!RegOpenKeyExW 7787F09D 5 Bytes JMP 000A0025
.text C:\Windows\System32\svchost.exe[812] WININET.dll!InternetOpenA 771BD690 5 Bytes JMP 0020000A
.text C:\Windows\System32\svchost.exe[812] WININET.dll!InternetOpenW 771BDB09 5 Bytes JMP 00200025
.text C:\Windows\System32\svchost.exe[812] WININET.dll!InternetOpenUrlA 771BF3A4 5 Bytes JMP 00200FEF
.text C:\Windows\System32\svchost.exe[812] WININET.dll!InternetOpenUrlW 77206DDF 5 Bytes JMP 00200FCA
.text C:\Windows\System32\svchost.exe[812] WS2_32.dll!socket 77B936D1 5 Bytes JMP 00C9000A
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!GetStartupInfoW 77911929 5 Bytes JMP 009E0087
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!GetStartupInfoA 779119C9 5 Bytes JMP 009E0F4B
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!CreateProcessW 77911C01 5 Bytes JMP 009E00B3
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!CreateProcessA 77911C36 5 Bytes JMP 009E0F1C
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!VirtualProtect 77911DD1 5 Bytes JMP 009E0F66
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!CreateNamedPipeW 77915C44 5 Bytes JMP 009E0025
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!LoadLibraryExW 779330C3 5 Bytes JMP 009E0F81
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!LoadLibraryW 7793361F 5 Bytes JMP 009E0FB9
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!VirtualProtectEx 77938D7E 5 Bytes JMP 009E0065
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!LoadLibraryExA 77939469 5 Bytes JMP 009E0F9E
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!LoadLibraryA 77939491 5 Bytes JMP 009E0040
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!CreatePipe 77940284 5 Bytes JMP 009E0076
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!GetProcAddress 7795B8B6 5 Bytes JMP 009E00C4
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!CreateFileW 7795CC4E 5 Bytes JMP 009E0FD4
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!CreateFileA 7795CF71 5 Bytes JMP 009E0FEF
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!CreateNamedPipeA 779A430E 5 Bytes JMP 009E000A
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!WinExec 779A54FF 5 Bytes JMP 009E0098
.text C:\Windows\system32\svchost.exe[908] msvcrt.dll!_wsystem 77518A47 5 Bytes JMP 009C002E
.text C:\Windows\system32\svchost.exe[908] msvcrt.dll!system 77518B63 5 Bytes JMP 009C001D
.text C:\Windows\system32\svchost.exe[908] msvcrt.dll!_creat 7751C6F1 5 Bytes JMP 009C000C
.text C:\Windows\system32\svchost.exe[908] msvcrt.dll!_open 7751DA7E 5 Bytes JMP 009C0FE3
.text C:\Windows\system32\svchost.exe[908] msvcrt.dll!_wcreat 7751DC9E 5 Bytes JMP 009C0FB7
.text C:\Windows\system32\svchost.exe[908] msvcrt.dll!_wopen 7751DE79 5 Bytes JMP 009C0FD2
.text C:\Windows\system32\svchost.exe[908] ADVAPI32.dll!RegCreateKeyExA 7785B5E7 5 Bytes JMP 009D005B
.text C:\Windows\system32\svchost.exe[908] ADVAPI32.dll!RegCreateKeyA 7785B8AE 5 Bytes JMP 009D0040
.text C:\Windows\system32\svchost.exe[908] ADVAPI32.dll!RegOpenKeyA 77860BF5 5 Bytes JMP 009D0FEF
.text C:\Windows\system32\svchost.exe[908] ADVAPI32.dll!RegCreateKeyW 7786B83D 5 Bytes JMP 009D0FB9
.text C:\Windows\system32\svchost.exe[908] ADVAPI32.dll!RegCreateKeyExW 7786BCE1 5 Bytes JMP 009D0F94
.text C:\Windows\system32\svchost.exe[908] ADVAPI32.dll!RegOpenKeyExA 7786D4E8 5 Bytes JMP 009D0025
.text C:\Windows\system32\svchost.exe[908] ADVAPI32.dll!RegOpenKeyW 77873CB0 5 Bytes JMP 009D000A
.text C:\Windows\system32\svchost.exe[908] ADVAPI32.dll!RegOpenKeyExW 7787F09D 5 Bytes JMP 009D0FD4
.text C:\Windows\system32\svchost.exe[908] WININET.dll!InternetOpenA 771BD690 5 Bytes JMP 009B0000
.text C:\Windows\system32\svchost.exe[908] WININET.dll!InternetOpenW 771BDB09 5 Bytes JMP 009B0011
.text C:\Windows\system32\svchost.exe[908] WININET.dll!InternetOpenUrlA 771BF3A4 5 Bytes JMP 009B0FE5
.text C:\Windows\system32\svchost.exe[908] WININET.dll!InternetOpenUrlW 77206DDF 5 Bytes JMP 009B002C
.text C:\Windows\system32\svchost.exe[908] WS2_32.dll!socket 77B936D1 5 Bytes JMP 009F0FEF
.text C:\Windows\System32\igfxpers.exe[968] ntdll.dll!NtCreateKey 77A48048 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\igfxpers.exe[968] ntdll.dll!NtCreateKey + 4 77A4804C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\System32\igfxpers.exe[968] ntdll.dll!NtSetValueKey 77A49088 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\igfxpers.exe[968] ntdll.dll!NtSetValueKey + 4 77A4908C 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\System32\igfxpers.exe[968] kernel32.dll!CreateProcessW 77911C01 6 Bytes JMP 5F0D0F5A
.text C:\Windows\System32\igfxpers.exe[968] kernel32.dll!CreateProcessA 77911C36 6 Bytes JMP 5F0A0F5A
.text C:\Windows\System32\igfxpers.exe[968] kernel32.dll!LoadLibraryExW 779330C3 6 Bytes JMP 5F070F5A
.text C:\Windows\System32\igfxpers.exe[968] ADVAPI32.dll!CreateProcessAsUserW 7785A8F5 6 Bytes JMP 5F100F5A
.text C:\Windows\System32\igfxpers.exe[968] ADVAPI32.dll!CreateServiceW 778838FF 6 Bytes JMP 5F1C0F5A
.text C:\Windows\System32\igfxpers.exe[968] ADVAPI32.dll!CreateProcessWithLogonW 778A86A9 6 Bytes JMP 5F040F5A
.text C:\Windows\System32\igfxpers.exe[968] ADVAPI32.dll!CreateServiceA 778C6C71 6 Bytes JMP 5F190F5A
.text C:\Windows\system32\svchost.exe[984] kernel32.dll!GetStartupInfoW 77911929 5 Bytes JMP 00D00F32
.text C:\Windows\system32\svchost.exe[984] kernel32.dll!GetStartupInfoA 779119C9 5 Bytes JMP 00D00F43
.text C:\Windows\system32\svchost.exe[984] kernel32.dll!CreateProcessW 77911C01 5 Bytes JMP 00D0009A
.text C:\Windows\system32\svchost.exe[984] kernel32.dll!CreateProcessA 77911C36 5 Bytes JMP 00D00F03
.text C:\Windows\system32\svchost.exe[984] kernel32.dll!VirtualProtect 77911DD1 5 Bytes JMP 00D00F6F
.text C:\Windows\system32\svchost.exe[984] kernel32.dll!CreateNamedPipeW 77915C44 5 Bytes JMP 00D00FAF
.text C:\Windows\system32\svchost.exe[984] kernel32.dll!LoadLibraryExW 779330C3 5 Bytes JMP 00D00053
.text C:\Windows\system32\svchost.exe[984] kernel32.dll!LoadLibraryW 7793361F 5 Bytes JMP 00D00025
.text C:\Windows\system32\svchost.exe[984] kernel32.dll!VirtualProtectEx 77938D7E 5 Bytes JMP 00D00F5E
.text C:\Windows\system32\svchost.exe[984] kernel32.dll!LoadLibraryExA 77939469 5 Bytes JMP 00D00036
.text C:\Windows\system32\svchost.exe[984] kernel32.dll!LoadLibraryA 77939491 5 Bytes JMP 00D00F9E
.text C:\Windows\system32\svchost.exe[984] kernel32.dll!CreatePipe 77940284 5 Bytes JMP 00D00078
.text C:\Windows\system32\svchost.exe[984] kernel32.dll!GetProcAddress 7795B8B6 5 Bytes JMP 00D000B5
.text C:\Windows\system32\svchost.exe[984] kernel32.dll!CreateFileW 7795CC4E 5 Bytes JMP 00D00FD4
.text C:\Windows\system32\svchost.exe[984] kernel32.dll!CreateFileA 7795CF71 5 Bytes JMP 00D00FEF
.text C:\Windows\system32\svchost.exe[984] kernel32.dll!CreateNamedPipeA 779A430E 5 Bytes JMP 00D0000A
.text C:\Windows\system32\svchost.exe[984] kernel32.dll!WinExec 779A54FF 5 Bytes JMP 00D00089
.text C:\Windows\system32\svchost.exe[984] msvcrt.dll!_wsystem 77518A47 5 Bytes JMP 00CE0FBC
.text C:\Windows\system32\svchost.exe[984] msvcrt.dll!system 77518B63 5 Bytes JMP 00CE003D
.text C:\Windows\system32\svchost.exe[984] msvcrt.dll!_creat 7751C6F1 5 Bytes JMP 00CE0FD7
.text C:\Windows\system32\svchost.exe[984] msvcrt.dll!_open 7751DA7E 5 Bytes JMP 00CE0000
.text C:\Windows\system32\svchost.exe[984] msvcrt.dll!_wcreat 7751DC9E 5 Bytes JMP 00CE002C
.text C:\Windows\system32\svchost.exe[984] msvcrt.dll!_wopen 7751DE79 5 Bytes JMP 00CE0011
.text C:\Windows\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyExA 7785B5E7 5 Bytes JMP 00CF0F7C
.text C:\Windows\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyA 7785B8AE 5 Bytes JMP 00CF0FA8
.text C:\Windows\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyA 77860BF5 5 Bytes JMP 00CF0FEF
.text C:\Windows\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyW 7786B83D 5 Bytes JMP 00CF0F8D
.text C:\Windows\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyExW 7786BCE1 5 Bytes JMP 00CF0F61
.text C:\Windows\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyExA 7786D4E8 5 Bytes JMP 00CF0FB9
.text C:\Windows\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyW 77873CB0 5 Bytes JMP 00CF0FCA
.text C:\Windows\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyExW 7787F09D 5 Bytes JMP 00CF0014
.text C:\Windows\system32\svchost.exe[984] WININET.dll!InternetOpenA 771BD690 5 Bytes JMP 00CD0FEF
.text C:\Windows\system32\svchost.exe[984] WININET.dll!InternetOpenW 771BDB09 5 Bytes JMP 00CD000A
.text C:\Windows\system32\svchost.exe[984] WININET.dll!InternetOpenUrlA 771BF3A4 5 Bytes JMP 00CD0FDE
.text C:\Windows\system32\svchost.exe[984] WININET.dll!InternetOpenUrlW 77206DDF 5 Bytes JMP 00CD0FC3
.text C:\Windows\system32\svchost.exe[984] WS2_32.dll!socket 77B936D1 5 Bytes JMP 00D50FEF
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!GetStartupInfoW 77911929 5 Bytes JMP 00DF0F0B
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!GetStartupInfoA 779119C9 5 Bytes JMP 00DF0F1C
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateProcessW 77911C01 5 Bytes JMP 00DF00A2
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateProcessA 77911C36 5 Bytes JMP 00DF0091
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!VirtualProtect 77911DD1 5 Bytes JMP 00DF0040
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateNamedPipeW 77915C44 5 Bytes JMP 00DF0014
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!LoadLibraryExW 779330C3 5 Bytes JMP 00DF002F
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!LoadLibraryW 7793361F 5 Bytes JMP 00DF0F8D
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!VirtualProtectEx 77938D7E 5 Bytes JMP 00DF0F41
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!LoadLibraryExA 77939469 5 Bytes JMP 00DF0F72
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!LoadLibraryA 77939491 5 Bytes JMP 00DF0FA8
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreatePipe 77940284 5 Bytes JMP 00DF0051
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!GetProcAddress 7795B8B6 5 Bytes JMP 00DF0EFA
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateFileW 7795CC4E 5 Bytes JMP 00DF0FD4
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateFileA 7795CF71 5 Bytes JMP 00DF0FEF
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateNamedPipeA 779A430E 5 Bytes JMP 00DF0FC3
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!WinExec 779A54FF 5 Bytes JMP 00DF0076
.text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_wsystem 77518A47 5 Bytes JMP 00D40042
.text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!system 77518B63 5 Bytes JMP 00D40FC1
.text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_creat 7751C6F1 5 Bytes JMP 00D40027
.text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_open 7751DA7E 5 Bytes JMP 00D40000
.text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_wcreat 7751DC9E 5 Bytes JMP 00D40FD2
.text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_wopen 7751DE79 5 Bytes JMP 00D40FE3
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyExA 7785B5E7 5 Bytes JMP 00D50FAF
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyA 7785B8AE 5 Bytes JMP 00D50040
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyA 77860BF5 5 Bytes JMP 00D50000
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyW 7786B83D 5 Bytes JMP 00D50051
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyExW 7786BCE1 5 Bytes JMP 00D50F9E
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyExA 7786D4E8 5 Bytes JMP 00D50025
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyW 77873CB0 5 Bytes JMP 00D50FEF
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyExW 7787F09D 5 Bytes JMP 00D50FCA
.text C:\Windows\System32\svchost.exe[1128] WININET.dll!InternetOpenA 771BD690 5 Bytes JMP 00930000
.text C:\Windows\System32\svchost.exe[1128] WININET.dll!InternetOpenW 771BDB09 5 Bytes JMP 0093001B
.text C:\Windows\System32\svchost.exe[1128] WININET.dll!InternetOpenUrlA 771BF3A4 5 Bytes JMP 00930036
.text C:\Windows\System32\svchost.exe[1128] WININET.dll!InternetOpenUrlW 77206DDF 5 Bytes JMP 0093005B
.text C:\Windows\System32\svchost.exe[1128] WS2_32.dll!socket 77B936D1 5 Bytes JMP 01000FEF
.text C:\Windows\System32\svchost.exe[1192] kernel32.dll!GetStartupInfoW 77911929 5 Bytes JMP 00C1009C
.text C:\Windows\System32\svchost.exe[1192] kernel32.dll!GetStartupInfoA 779119C9 5 Bytes JMP 00C1008B
.text C:\Windows\System32\svchost.exe[1192] kernel32.dll!CreateProcessW 77911C01 5 Bytes JMP 00C100ED
.text C:\Windows\System32\svchost.exe[1192] kernel32.dll!CreateProcessA 77911C36 5 Bytes JMP 00C100D2
.text C:\Windows\System32\svchost.exe[1192] kernel32.dll!VirtualProtect 77911DD1 5 Bytes JMP 00C10070
.text C:\Windows\System32\svchost.exe[1192] kernel32.dll!CreateNamedPipeW 77915C44 5 Bytes JMP 00C10033
.text C:\Windows\System32\svchost.exe[1192] kernel32.dll!LoadLibraryExW 779330C3 5 Bytes JMP 00C10055
.text C:\Windows\System32\svchost.exe[1192] kernel32.dll!LoadLibraryW 7793361F 5 Bytes JMP 00C10FBD
.text C:\Windows\System32\svchost.exe[1192] kernel32.dll!VirtualProtectEx 77938D7E 5 Bytes JMP 00C10F7B
.text C:\Windows\System32\svchost.exe[1192] kernel32.dll!LoadLibraryExA 77939469 5 Bytes JMP 00C10F98
.text C:\Windows\System32\svchost.exe[1192] kernel32.dll!LoadLibraryA 77939491 5 Bytes JMP 00C10044
.text C:\Windows\System32\svchost.exe[1192] kernel32.dll!CreatePipe 77940284 5 Bytes JMP 00C10F60
.text C:\Windows\System32\svchost.exe[1192] kernel32.dll!GetProcAddress 7795B8B6 5 Bytes JMP 00C10F3B
.text C:\Windows\System32\svchost.exe[1192] kernel32.dll!CreateFileW 7795CC4E 5 Bytes JMP 00C10011
.text C:\Windows\System32\svchost.exe[1192] kernel32.dll!CreateFileA 7795CF71 5 Bytes JMP 00C10000
.text C:\Windows\System32\svchost.exe[1192] kernel32.dll!CreateNamedPipeA 779A430E 5 Bytes JMP 00C10022
.text C:\Windows\System32\svchost.exe[1192] kernel32.dll!WinExec 779A54FF 5 Bytes JMP 00C100B7
.text C:\Windows\System32\svchost.exe[1192] msvcrt.dll!_wsystem 77518A47 5 Bytes JMP 009F0FB7
.text C:\Windows\System32\svchost.exe[1192] msvcrt.dll!system 77518B63 5 Bytes JMP 009F0042
.text C:\Windows\System32\svchost.exe[1192] msvcrt.dll!_creat 7751C6F1 5 Bytes JMP 009F001D
.text C:\Windows\System32\svchost.exe[1192] msvcrt.dll!_open 7751DA7E 5 Bytes JMP 009F0000
.text C:\Windows\System32\svchost.exe[1192] msvcrt.dll!_wcreat 7751DC9E 5 Bytes JMP 009F0FD2
.text C:\Windows\System32\svchost.exe[1192] msvcrt.dll!_wopen 7751DE79 5 Bytes JMP 009F0FE3
.text C:\Windows\System32\svchost.exe[1192] ADVAPI32.dll!RegCreateKeyExA 7785B5E7 5 Bytes JMP 00C00065
.text C:\Windows\System32\svchost.exe[1192] ADVAPI32.dll!RegCreateKeyA 7785B8AE 5 Bytes JMP 00C00043
.text C:\Windows\System32\svchost.exe[1192] ADVAPI32.dll!RegOpenKeyA 77860BF5 5 Bytes JMP 00C00FEF
.text C:\Windows\System32\svchost.exe[1192] ADVAPI32.dll!RegCreateKeyW 7786B83D 5 Bytes JMP 00C00054
.text C:\Windows\System32\svchost.exe[1192] ADVAPI32.dll!RegCreateKeyExW 7786BCE1 5 Bytes JMP 00C00FA8
.text C:\Windows\System32\svchost.exe[1192] ADVAPI32.dll!RegOpenKeyExA 7786D4E8 5 Bytes JMP 00C00FDE
.text C:\Windows\System32\svchost.exe[1192] ADVAPI32.dll!RegOpenKeyW 77873CB0 5 Bytes JMP 00C0000A
.text C:\Windows\System32\svchost.exe[1192] ADVAPI32.dll!RegOpenKeyExW 7787F09D 5 Bytes JMP 00C00FCD
.text C:\Windows\System32\svchost.exe[1192] WININET.dll!InternetOpenA 771BD690 5 Bytes JMP 00990FE5
.text C:\Windows\System32\svchost.exe[1192] WININET.dll!InternetOpenW 771BDB09 5 Bytes JMP 00990FCA
.text C:\Windows\System32\svchost.exe[1192] WININET.dll!InternetOpenUrlA 771BF3A4 5 Bytes JMP 00990FB9
.text C:\Windows\System32\svchost.exe[1192] WININET.dll!InternetOpenUrlW 77206DDF 5 Bytes JMP 0099000A
.text C:\Windows\System32\svchost.exe[1192] WS2_32.dll!socket 77B936D1 5 Bytes JMP 00C20FE5
 
Pt. 2

.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!GetStartupInfoW 77911929 5 Bytes JMP 00DF0F36
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!GetStartupInfoA 779119C9 5 Bytes JMP 00DF0F47
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!CreateProcessW 77911C01 5 Bytes JMP 00DF00B9
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!CreateProcessA 77911C36 5 Bytes JMP 00DF009E
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!VirtualProtect 77911DD1 5 Bytes JMP 00DF0F7D
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!CreateNamedPipeW 77915C44 5 Bytes JMP 00DF0FC0
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!LoadLibraryExW 779330C3 5 Bytes JMP 00DF0055
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!LoadLibraryW 7793361F 5 Bytes JMP 00DF0033
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!VirtualProtectEx 77938D7E 5 Bytes JMP 00DF0F6C
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!LoadLibraryExA 77939469 5 Bytes JMP 00DF0044
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!LoadLibraryA 77939491 5 Bytes JMP 00DF0022
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!CreatePipe 77940284 5 Bytes JMP 00DF0072
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!GetProcAddress 7795B8B6 5 Bytes JMP 00DF0F07
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!CreateFileW 7795CC4E 5 Bytes JMP 00DF0011
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!CreateFileA 7795CF71 5 Bytes JMP 00DF0000
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!CreateNamedPipeA 779A430E 5 Bytes JMP 00DF0FD1
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!WinExec 779A54FF 5 Bytes JMP 00DF008D
.text C:\Windows\system32\svchost.exe[1212] msvcrt.dll!_wsystem 77518A47 3 Bytes JMP 00DD004E
.text C:\Windows\system32\svchost.exe[1212] msvcrt.dll!_wsystem + 4 77518A4B 1 Byte [89]
.text C:\Windows\system32\svchost.exe[1212] msvcrt.dll!system 77518B63 3 Bytes JMP 00DD0FCD
.text C:\Windows\system32\svchost.exe[1212] msvcrt.dll!system + 4 77518B67 1 Byte [89]
.text C:\Windows\system32\svchost.exe[1212] msvcrt.dll!_creat 7751C6F1 3 Bytes JMP 00DD0022
.text C:\Windows\system32\svchost.exe[1212] msvcrt.dll!_creat + 4 7751C6F5 1 Byte [89]
.text C:\Windows\system32\svchost.exe[1212] msvcrt.dll!_open 7751DA7E 5 Bytes JMP 00DD0000
.text C:\Windows\system32\svchost.exe[1212] msvcrt.dll!_wcreat 7751DC9E 3 Bytes JMP 00DD003D
.text C:\Windows\system32\svchost.exe[1212] msvcrt.dll!_wcreat + 4 7751DCA2 1 Byte [89]
.text C:\Windows\system32\svchost.exe[1212] msvcrt.dll!_wopen 7751DE79 5 Bytes JMP 00DD0011
.text C:\Windows\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyExA 7785B5E7 5 Bytes JMP 00DE004A
.text C:\Windows\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyA 7785B8AE 5 Bytes JMP 00DE0FB9
.text C:\Windows\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyA 77860BF5 5 Bytes JMP 00DE0FEF
.text C:\Windows\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyW 7786B83D 5 Bytes JMP 00DE0FA8
.text C:\Windows\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyExW 7786BCE1 5 Bytes JMP 00DE005B
.text C:\Windows\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyExA 7786D4E8 5 Bytes JMP 00DE0FDE
.text C:\Windows\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyW 77873CB0 5 Bytes JMP 00DE000A
.text C:\Windows\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyExW 7787F09D 5 Bytes JMP 00DE002F
.text C:\Windows\system32\svchost.exe[1212] WININET.dll!InternetOpenA 771BD690 5 Bytes JMP 00D50FEF
.text C:\Windows\system32\svchost.exe[1212] WININET.dll!InternetOpenW 771BDB09 5 Bytes JMP 00D5000A
.text C:\Windows\system32\svchost.exe[1212] WININET.dll!InternetOpenUrlA 771BF3A4 5 Bytes JMP 00D50FD4
.text C:\Windows\system32\svchost.exe[1212] WININET.dll!InternetOpenUrlW 77206DDF 5 Bytes JMP 00D50025
.text C:\Windows\system32\svchost.exe[1212] WS2_32.dll!socket 77B936D1 5 Bytes JMP 01000FEF
.text C:\Windows\RtHDVCpl.exe[1264] ntdll.dll!NtCreateKey 77A48048 3 Bytes [FF, 25, 1E]
.text C:\Windows\RtHDVCpl.exe[1264] ntdll.dll!NtCreateKey + 4 77A4804C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\RtHDVCpl.exe[1264] ntdll.dll!NtSetValueKey 77A49088 3 Bytes [FF, 25, 1E]
.text C:\Windows\RtHDVCpl.exe[1264] ntdll.dll!NtSetValueKey + 4 77A4908C 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\RtHDVCpl.exe[1264] kernel32.dll!CreateProcessW 77911C01 6 Bytes JMP 5F0D0F5A
.text C:\Windows\RtHDVCpl.exe[1264] kernel32.dll!CreateProcessA 77911C36 6 Bytes JMP 5F0A0F5A
.text C:\Windows\RtHDVCpl.exe[1264] kernel32.dll!LoadLibraryExW 779330C3 6 Bytes JMP 5F070F5A
.text C:\Windows\RtHDVCpl.exe[1264] ADVAPI32.dll!CreateProcessAsUserW 7785A8F5 6 Bytes JMP 5F100F5A
.text C:\Windows\RtHDVCpl.exe[1264] ADVAPI32.dll!CreateServiceW 778838FF 6 Bytes JMP 5F1C0F5A
.text C:\Windows\RtHDVCpl.exe[1264] ADVAPI32.dll!CreateProcessWithLogonW 778A86A9 6 Bytes JMP 5F040F5A
.text C:\Windows\RtHDVCpl.exe[1264] ADVAPI32.dll!CreateServiceA 778C6C71 6 Bytes JMP 5F190F5A
.text C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe[1284] ntdll.dll!NtCreateKey 77A48048 3 Bytes [FF, 25, 1E]
And Pt. 3: Is it supposed to be this long, or did I screw up?

.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3892] kernel32.dll!CreateProcessA 77911C36 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3892] kernel32.dll!LoadLibraryExW 779330C3 6 Bytes JMP 5F070F5A
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3892] ADVAPI32.dll!CreateProcessAsUserW 7785A8F5 6 Bytes JMP 5F100F5A
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3892] ADVAPI32.dll!CreateServiceW 778838FF 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3892] ADVAPI32.dll!CreateProcessWithLogonW 778A86A9 6 Bytes JMP 5F040F5A
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3892] ADVAPI32.dll!CreateServiceA 778C6C71 6 Bytes JMP 5F190F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] kernel32.dll!GetStartupInfoW 77911929 5 Bytes JMP 000400B4
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] kernel32.dll!GetStartupInfoA 779119C9 5 Bytes JMP 00040F6E
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] kernel32.dll!CreateProcessW 77911C01 5 Bytes JMP 00040F38
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] kernel32.dll!CreateProcessA 77911C36 5 Bytes JMP 000400C5
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] kernel32.dll!VirtualProtect 77911DD1 5 Bytes JMP 00040F9A
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] kernel32.dll!CreateNamedPipeW 77915C44 5 Bytes JMP 0004001E
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] kernel32.dll!LoadLibraryExW 779330C3 5 Bytes JMP 00040068
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] kernel32.dll!LoadLibraryW 7793361F 5 Bytes JMP 00040FBC
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] kernel32.dll!VirtualProtectEx 77938D7E 5 Bytes JMP 0004008F
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] kernel32.dll!LoadLibraryExA 77939469 5 Bytes JMP 00040FAB
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] kernel32.dll!LoadLibraryA 77939491 5 Bytes JMP 00040039
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] kernel32.dll!CreatePipe 77940284 5 Bytes JMP 00040F7F
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] kernel32.dll!GetProcAddress 7795B8B6 5 Bytes JMP 000400F4
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] kernel32.dll!CreateFileW 7795CC4E 5 Bytes JMP 00040FDE
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] kernel32.dll!CreateFileA 7795CF71 5 Bytes JMP 00040FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] kernel32.dll!CreateNamedPipeA 779A430E 5 Bytes JMP 00040FCD
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] kernel32.dll!WinExec 779A54FF 5 Bytes JMP 00040F53
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] ADVAPI32.dll!RegCreateKeyExA 7785B5E7 5 Bytes JMP 0006007D
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] ADVAPI32.dll!RegCreateKeyA 7785B8AE 5 Bytes JMP 00060047
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] ADVAPI32.dll!RegOpenKeyA 77860BF5 5 Bytes JMP 00060FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] ADVAPI32.dll!RegCreateKeyW 7786B83D 5 Bytes JMP 00060062
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] ADVAPI32.dll!RegCreateKeyExW 7786BCE1 5 Bytes JMP 00060098
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] ADVAPI32.dll!RegOpenKeyExA 7786D4E8 5 Bytes JMP 0006001B
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] ADVAPI32.dll!RegOpenKeyW 77873CB0 5 Bytes JMP 00060000
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] ADVAPI32.dll!RegOpenKeyExW 7787F09D 5 Bytes JMP 0006002C
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!SetWindowsHookExW 760F7B69 5 Bytes JMP 712E97F5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!CallNextHookEx 760F8C33 5 Bytes JMP 712DCE79 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!DialogBoxIndirectParamW 760FBD25 5 Bytes JMP 713E418F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!CreateWindowExW 76103D67 5 Bytes JMP 712ED67C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!DialogBoxParamW 76111FD5 5 Bytes JMP 71215435 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!UnhookWindowsHookEx 761208BE 5 Bytes JMP 7125466C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!DialogBoxParamA 761380B2 5 Bytes JMP 713E412C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!DialogBoxIndirectParamA 761383DD 5 Bytes JMP 713E41F2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!MessageBoxIndirectA 7614D471 5 Bytes JMP 713E40C1 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!MessageBoxIndirectW 7614D56B 5 Bytes JMP 713E4056 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!MessageBoxExA 7614D5D1 5 Bytes JMP 713E3FF4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!MessageBoxExW 7614D5F5 5 Bytes JMP 713E3F92 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] msvcrt.dll!_wsystem 77518A47 5 Bytes JMP 00070FAD
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] msvcrt.dll!system 77518B63 5 Bytes JMP 00070038
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] msvcrt.dll!_creat 7751C6F1 5 Bytes JMP 0007001D
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] msvcrt.dll!_open 7751DA7E 5 Bytes JMP 00070000
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] msvcrt.dll!_wcreat 7751DC9E 5 Bytes JMP 00070FC8
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] msvcrt.dll!_wopen 7751DE79 5 Bytes JMP 00070FE3
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] ole32.dll!OleLoadFromStream 76289726 5 Bytes JMP 713E44F7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] ole32.dll!CoCreateInstance 762BE188 5 Bytes JMP 712ED6D8 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] WININET.dll!InternetOpenA 771BD690 5 Bytes JMP 00120000
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] WININET.dll!InternetOpenW 771BDB09 5 Bytes JMP 00120FDB
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] WININET.dll!InternetOpenUrlA 771BF3A4 5 Bytes JMP 00120011
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] WININET.dll!InternetOpenUrlW 77206DDF 5 Bytes JMP 00120022
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] WS2_32.dll!closesocket 77B9330C 5 Bytes JMP 678FEEE9 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] WS2_32.dll!recv 77B9343A 5 Bytes JMP 678FF1C3 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] WS2_32.dll!socket 77B936D1 5 Bytes JMP 678FE59E C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] WS2_32.dll!connect 77B940D9 5 Bytes JMP 678FE62A C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] WS2_32.dll!getaddrinfo 77B9418A 5 Bytes JMP 678FE71D C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] WS2_32.dll!send 77B9659B 5 Bytes JMP 678FE9ED C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] kernel32.dll!GetStartupInfoW 77911929 5 Bytes JMP 000400CE
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] kernel32.dll!GetStartupInfoA 779119C9 5 Bytes JMP 000400B3
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] kernel32.dll!CreateProcessW 77911C01 5 Bytes JMP 00040F52
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] kernel32.dll!CreateProcessA 77911C36 5 Bytes JMP 000400E9
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] kernel32.dll!VirtualProtect 77911DD1 5 Bytes JMP 00040F99
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] kernel32.dll!CreateNamedPipeW 77915C44 5 Bytes JMP 00040FDB
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] kernel32.dll!LoadLibraryExW 779330C3 5 Bytes JMP 00040073
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] kernel32.dll!LoadLibraryW 7793361F 5 Bytes JMP 00040FC0
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] kernel32.dll!VirtualProtectEx 77938D7E 5 Bytes JMP 00040F88
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] kernel32.dll!LoadLibraryExA 77939469 5 Bytes JMP 00040062
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] kernel32.dll!LoadLibraryA 77939491 5 Bytes JMP 0004003D
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] kernel32.dll!CreatePipe 77940284 5 Bytes JMP 00040098
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] kernel32.dll!GetProcAddress 7795B8B6 5 Bytes JMP 00040F37
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] kernel32.dll!CreateFileW 7795CC4E 5 Bytes JMP 00040011
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] kernel32.dll!CreateFileA 7795CF71 5 Bytes JMP 00040000
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] kernel32.dll!CreateNamedPipeA 779A430E 5 Bytes JMP 0004002C
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] kernel32.dll!WinExec 779A54FF 5 Bytes JMP 00040F6D
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] ADVAPI32.dll!RegCreateKeyExA 7785B5E7 5 Bytes JMP 00060F6B
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] ADVAPI32.dll!RegCreateKeyA 7785B8AE 5 Bytes JMP 00060F97
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] ADVAPI32.dll!RegOpenKeyA 77860BF5 5 Bytes JMP 00060FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] ADVAPI32.dll!RegCreateKeyW 7786B83D 5 Bytes JMP 00060F86
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] ADVAPI32.dll!RegCreateKeyExW 7786BCE1 5 Bytes JMP 00060028
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] ADVAPI32.dll!RegOpenKeyExA 7786D4E8 5 Bytes JMP 00060FCD
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] ADVAPI32.dll!RegOpenKeyW 77873CB0 5 Bytes JMP 00060FDE
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] ADVAPI32.dll!RegOpenKeyExW 7787F09D 5 Bytes JMP 00060FB2
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] USER32.dll!DialogBoxIndirectParamW 760FBD25 5 Bytes JMP 713E418F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] USER32.dll!CreateWindowExW 76103D67 5 Bytes JMP 712ED67C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] USER32.dll!DialogBoxParamW 76111FD5 5 Bytes JMP 71215435 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] USER32.dll!DialogBoxParamA 761380B2 5 Bytes JMP 713E412C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] USER32.dll!DialogBoxIndirectParamA 761383DD 5 Bytes JMP 713E41F2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] USER32.dll!MessageBoxIndirectA 7614D471 5 Bytes JMP 713E40C1 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] USER32.dll!MessageBoxIndirectW 7614D56B 5 Bytes JMP 713E4056 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] USER32.dll!MessageBoxExA 7614D5D1 5 Bytes JMP 713E3FF4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] USER32.dll!MessageBoxExW 7614D5F5 5 Bytes JMP 713E3F92 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] msvcrt.dll!_wsystem 77518A47 5 Bytes JMP 00070044
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] msvcrt.dll!system 77518B63 5 Bytes JMP 00070FB9
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] msvcrt.dll!_creat 7751C6F1 5 Bytes JMP 00070029
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] msvcrt.dll!_open 7751DA7E 5 Bytes JMP 0007000C
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] msvcrt.dll!_wcreat 7751DC9E 5 Bytes JMP 00070FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] msvcrt.dll!_wopen 7751DE79 5 Bytes JMP 00070FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] WININET.dll!InternetOpenA 771BD690 5 Bytes JMP 002F0FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] WININET.dll!InternetOpenW 771BDB09 5 Bytes JMP 002F0014
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] WININET.dll!InternetOpenUrlA 771BF3A4 5 Bytes JMP 002F0FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] WININET.dll!InternetOpenUrlW 77206DDF 5 Bytes JMP 002F0FC3
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] WS2_32.dll!socket 77B936D1 5 Bytes JMP 002E0FEF
.text C:\hp\kbd\kbd.exe[4676] ntdll.dll!NtCreateKey 77A48048 3 Bytes [FF, 25, 1E]
.text C:\hp\kbd\kbd.exe[4676] ntdll.dll!NtCreateKey + 4 77A4804C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\hp\kbd\kbd.exe[4676] ntdll.dll!NtSetValueKey 77A49088 3 Bytes [FF, 25, 1E]
.text C:\hp\kbd\kbd.exe[4676] ntdll.dll!NtSetValueKey + 4 77A4908C 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\hp\kbd\kbd.exe[4676] kernel32.dll!CreateProcessW 77911C01 6 Bytes JMP 5F0D0F5A
.text C:\hp\kbd\kbd.exe[4676] kernel32.dll!CreateProcessA 77911C36 6 Bytes JMP 5F0A0F5A
.text C:\hp\kbd\kbd.exe[4676] kernel32.dll!LoadLibraryExW 779330C3 6 Bytes JMP 5F070F5A
.text C:\hp\kbd\kbd.exe[4676] ADVAPI32.dll!CreateProcessAsUserW 7785A8F5 6 Bytes JMP 5F100F5A
.text C:\hp\kbd\kbd.exe[4676] ADVAPI32.dll!CreateServiceW 778838FF 6 Bytes JMP 5F1C0F5A
.text C:\hp\kbd\kbd.exe[4676] ADVAPI32.dll!CreateProcessWithLogonW 778A86A9 6 Bytes JMP 5F040F5A
.text C:\hp\kbd\kbd.exe[4676] ADVAPI32.dll!CreateServiceA 778C6C71 6 Bytes JMP 5F190F5A
.text C:\Users\The Coppola's\Desktop\jkgs2plg.exe[7036] ntdll.dll!NtCreateKey 77A48048 3 Bytes [FF, 25, 1E]
.text C:\Users\The Coppola's\Desktop\jkgs2plg.exe[7036] ntdll.dll!NtCreateKey + 4 77A4804C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Users\The Coppola's\Desktop\jkgs2plg.exe[7036] ntdll.dll!NtSetValueKey 77A49088 3 Bytes [FF, 25, 1E]
.text C:\Users\The Coppola's\Desktop\jkgs2plg.exe[7036] ntdll.dll!NtSetValueKey + 4 77A4908C 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Users\The Coppola's\Desktop\jkgs2plg.exe[7036] kernel32.dll!CreateProcessW 77911C01 6 Bytes JMP 5F0D0F5A
.text C:\Users\The Coppola's\Desktop\jkgs2plg.exe[7036] kernel32.dll!CreateProcessA 77911C36 6 Bytes JMP 5F0A0F5A
.text C:\Users\The Coppola's\Desktop\jkgs2plg.exe[7036] kernel32.dll!LoadLibraryExW 779330C3 6 Bytes JMP 5F070F5A
.text C:\Users\The Coppola's\Desktop\jkgs2plg.exe[7036] ADVAPI32.dll!CreateProcessAsUserW 7785A8F5 6 Bytes JMP 5F100F5A
.text C:\Users\The Coppola's\Desktop\jkgs2plg.exe[7036] ADVAPI32.dll!CreateServiceW 778838FF 6 Bytes JMP 5F1C0F5A
.text C:\Users\The Coppola's\Desktop\jkgs2plg.exe[7036] ADVAPI32.dll!CreateProcessWithLogonW 778A86A9 6 Bytes JMP 5F040F5A
.text C:\Users\The Coppola's\Desktop\jkgs2plg.exe[7036] ADVAPI32.dll!CreateServiceA 778C6C71 6 Bytes JMP 5F190F5A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\00000666 -> \Driver\iaStor \Device\Harddisk0\DR0 844DC50C

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\iastor.sys suspicious modification

---- EOF - GMER 1.0.15 ----
 
Hi,

GMER log is sometimes long. It seems that either DDS got stopped in the middle of the scan or the whole log didn't get posted. Please re-run it to see if it produces both dds.txt and attach.txt this time.
 
Got dds to work! Here are the two logs. Do you prefer I post or attach?


DDS (Ver_09-11-24.02) - NTFSx86
Run by The Coppola's at 20:56:06.38 on Wed 11/25/2009
Internet Explorer: 8.0.6001.18828
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1014.120 [GMT -5:00]

SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\IObit\IObit Security 360\is360tray.exe
C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe
C:\VeXpLite\MONLITE.EXE
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\VeXpLite\viritsvc.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\hp\kbd\kbd.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\The Coppola's\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Presario&pf=desktop
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - No File
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [LDM] c:\program files\desktop messenger\8876480\program\BackWeb-8876480.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~2.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; FBSMTWB; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; InfoPath.2; OfficeLiveConnector.1.3; OfficeLivePatch.0.0)" -"http://www.nickjr.com/playtime/shows/dora/games/dora_pyramid.jhtml"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [CCUTRAYICON] FactoryMode
mRun: [<NO NAME>]
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [IObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart
mRun: [BHR] c:\program files\zamaan's software\browser hijack retaliator 4.5\BHR.exe
mRun: [VIRIT LITE MONITOR] c:\vexplite\MONLITE.EXE
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: turbotax.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Escape%20Rosecliff%20Island/Images/armhelper.ocx
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-4 64288]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2008-11-25 19456]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-4-8 55280]

=============== Created Last 30 ================

2009-11-25 08:01:47 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-24 21:21:40 1399296 ----a-w- c:\windows\system32\msxml6.dll
2009-11-24 21:21:39 1257472 ----a-w- c:\windows\system32\msxml3.dll
2009-11-24 21:21:37 714240 ----a-w- c:\windows\system32\timedate.cpl
2009-11-20 01:14:55 0 d-----w- C:\VeXpLite
2009-11-20 01:14:34 0 dc-h--w- c:\programdata\{0A28EA8B-8711-4F9F-8EE2-8ED92C986459}
2009-11-20 01:07:33 244024 ----a-w- c:\windows\system32\MSFLXGRD.OCX
2009-11-20 01:07:33 203976 ----a-w- c:\windows\system32\richtx32.ocx
2009-11-20 01:07:33 184320 ----a-w- c:\windows\system32\wzcsvc.dll
2009-11-20 01:07:31 0 d-----w- c:\program files\Zamaan's Software
2009-11-19 14:55:57 0 d-----w- c:\programdata\Real
2009-11-16 21:21:18 0 d-----w- c:\programdata\IObit
2009-11-16 21:21:09 0 d-----w- c:\program files\IObit
2009-11-16 21:03:23 0 d-----w- c:\program files\Trend Micro
2009-11-11 04:19:24 2035712 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 04:19:09 351232 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-05 14:09:48 0 d-----w- c:\users\thecop~1\appdata\roaming\TweakNow PowerPack 2009
2009-11-05 14:09:48 0 d-----w- c:\program files\TweakNow PowerPack 2009
2009-11-05 01:12:09 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-05 01:11:29 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-05 00:45:39 0 dc-h--w- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-04 10:14:08 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2009-10-30 15:28:51 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-30 15:28:09 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-30 15:27:45 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-30 15:27:45 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-28 02:35:11 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 02:35:06 8147456 ----a-w- c:\windows\system32\wmploc.DLL

==================== Find3M ====================

2009-11-05 01:11:19 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-15 14:31:26 44288 --s-a-w- c:\windows\system32\drivers\VIRAGTLT.sys
2009-10-09 03:47:16 152904 ----a-w- c:\windows\system32\vghd.scr
2009-09-10 17:30:12 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 12:24:34 61440 ----a-w- c:\windows\system32\msasn1.dll
2009-08-31 13:55:50 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-08-31 13:55:46 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-08-28 12:39:07 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 10:15:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-07 12:59:40 86016 ----a-w- c:\windows\inf\infstor.dat
2009-08-07 12:59:40 51200 ----a-w- c:\windows\inf\infpub.dat
2009-08-07 12:59:40 143360 ----a-w- c:\windows\inf\infstrng.dat
2008-06-11 07:10:18 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-06-06 19:19:55 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-03-21 15:35:26 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-03-21 15:35:26 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-03-21 15:35:26 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 20:59:47.01 ===============
 
And the Attach.txt


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-11-24.02)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 3/10/2007 6:07:20 AM
System Uptime: 11/25/2009 8:34:39 PM (0 hours ago)

Motherboard: ASUSTek Computer INC. | | LEONITE
Processor: Intel(R) Pentium(R) D CPU 3.00GHz | Socket 775 | 3000/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 226 GiB total, 89.554 GiB free.
D: is FIXED (NTFS) - 7 GiB total, 0.904 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable

==== Disabled Device Manager Items =============

Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: USB CF Reader
Device ID: WPDBUSENUMROOT\UMB\2&37C186B&1&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_CF_READER&REV_1.01#920321111113&1#
Manufacturer: Generic
Name: USB CF Reader
PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&1&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_CF_READER&REV_1.01#920321111113&1#
Service: WUDFRd

==== System Restore Points ===================


==== Installed Programs ======================


ActiveCheck component for HP Active Support Library
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.1.0
Adobe Shockwave Player 11
Adventure Chronicles: The Search for Lost Treasure
Adventures of Robinson Crusoe
AnswerWorks 4.0 Runtime - English
AnswerWorks 5.0 English Runtime
Apple Mobile Device Support
Apple Software Update
Barbie(TM) and the Magic of Pegasus(TM)
Big Fish Games Client
Bonjour
Browser Hijack Retaliator 4.5
Canon PhotoRecord
Canon Utilities CP Printer Guide
Canon Utilities PhotoStitch 3.1
Choice Guard
Comcast High-Speed Internet Install Wizard
Coupon Printer for Windows
CP Printer Guide
Enhanced Multimedia Keyboard Solution
ERUNT 1.1j
Escape Rosecliff Island
Fast Browser Search (My Web Tattoo)
Fast Browser Search Protection
Free 3GP Video Converter version 3.1
Free iPod Video Converter 1.34
Free WMA to MP3 Converter 1.16
GameTap Web Player
Google Earth
Google Update Helper
Google Updater
Guild Wars
Hardware Diagnostic Tools
Hidden Mysteries: Buckingham Palace ™
Hidden Secrets: The Nightmare
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Active Support Library 32 bit components
HP Customer Experience Enhancements
HP Customer Feedback
HP Easy Setup - Core
HP Easy Setup - Frontend
HP On-Screen Caps/Num/Scroll Lock Indicator
HP Picasso Media Center Add-In
HP Total Care Advisor
HP Update
HPAsset component for HP Active Support Library
HPSSupply
Intel(R) Graphics Media Accelerator Driver
Intel(R) Matrix Storage Manager
Intel® Viiv™ Software
IObit Security 360
iTunes
Java 2 Runtime Environment, SE v1.4.2_15
Java(TM) 6 Update 15
Java(TM) 6 Update 7
Junk Mail filter update
K-Lite Mega Codec Pack 2.2.5
LeapFrog Connect
LeapFrog Tag Plugin
LightScribe 1.4.136.1
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Logitech Desktop Messenger
Logitech iTouch Software
Logitech User's Guide
McAfee SecurityCenter
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Flight Simulator X
Microsoft Flight Simulator X Service Pack 1
Microsoft IntelliPoint 6.1
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MobileMe Control Panel
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
My HP Games
Netflix Movie Viewer
Nick Chase: A Detective Story ™
PhotoStitch
Python 2.4.3
Quicken 2008
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Redrum ™
Rhapsody
Rhapsody Player Engine
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator EasyArchive
Roxio Creator Tools
Roxio Express Labeler 3
Roxio MyDVD Basic v9
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Shop for HP Supplies
Simulator 6
Soft Data Fax Modem with SmartCP
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
SpywareBlaster 4.2
TomTom HOME
TurboTax 2008
TurboTax 2008 wgaiper
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wrapper
TurboTax Deluxe 2007
TweakNow PowerPack 2009
Uninstall 1.0.0.1
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 (KB974561)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb975960)
VC_MergeModuleToMSI
VirIT eXplorer Lite
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VueScan
Windows Driver Package - LeapFrog (FlyUsb) USB (06/15/2007 1.0.0.6)
Windows Driver Package - LeapFrog (FlyUsb) USB (11/05/2008 1.1.1.0)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker Beta
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Xfire (remove only)

==== End Of File ===========================
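The DDS file listings posted above (the "Created Last 30" and "Find3M" blocks) all share one line format: date, time, size in bytes, an eight-character attribute string and a path. As an added example that is not part of the thread or of the DDS tool, the Python below parses that format and pulls out the two kinds of entry a reviewer scans for first in such a listing: kernel drivers created inside the window of interest and entries carrying the hidden or system attribute. The sample text is copied from the log above; the date window is an assumption chosen to match it. Neither filter is a verdict on its own (a hidden/system desktop.ini under Program Files is normal), they only order the list for a human to look at.

```python
"""Parse DDS-style file listings and shortlist entries for review.

Added example; not part of DDS or of the forum thread. The sample lines are
copied from the log posted above. Line format, as printed by DDS:
    YYYY-MM-DD HH:MM:SS <size> <8 attribute chars> <path>
"""
import re
from dataclasses import dataclass
from datetime import datetime

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2})\s+(\d+)\s+([-a-z]{8})\s+(.+)$"
)

# Constructed sample: entries copied from the DDS log above, plus the section
# header and FINISH marker that the parser has to skip.
SAMPLE = r"""
2009-11-05 14:09:48 0 d-----w- c:\program files\TweakNow PowerPack 2009
2009-11-05 01:12:09 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-05 01:11:29 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-05 00:45:39 0 dc-h--w- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-04 10:14:08 1638912 ----a-w- c:\windows\system32\mshtml.tlb

==================== Find3M ====================

2009-11-05 01:11:19 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-15 14:31:26 44288 --s-a-w- c:\windows\system32\drivers\VIRAGTLT.sys
2009-10-09 03:47:16 152904 ----a-w- c:\windows\system32\vghd.scr
2008-06-06 19:19:55 174 --sha-w- c:\program files\desktop.ini
2009-03-21 15:35:26 16384 --sha-w- c:\windows\temp\cookies\index.dat

============= FINISH: 20:59:47.01 ===============
"""


@dataclass
class Entry:
    when: datetime
    size: int
    attrs: str   # e.g. "----a-w-", "dc-h--w-", "--sha-w-"
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden_or_system(self) -> bool:
        # DDS prints 's' for the system attribute and 'h' for hidden.
        return "h" in self.attrs or "s" in self.attrs

    @property
    def is_driver(self) -> bool:
        return not self.is_dir and self.path.lower().endswith(".sys")


def parse(text: str) -> list:
    """Return one Entry per file line; headers, blanks and markers are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        date, time, size, attrs, path = m.groups()
        entries.append(Entry(datetime.fromisoformat(f"{date} {time}"), int(size), attrs, path))
    return entries


def drivers_created_in(entries, start: datetime, end: datetime) -> list:
    """Kernel drivers (.sys) whose listed timestamp falls inside [start, end]."""
    return [e for e in entries if e.is_driver and start <= e.when <= end]


def triage(text: str, start_iso: str, end_iso: str) -> dict:
    """Parse a listing and shortlist drivers-in-window and hidden/system entries."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    entries = parse(text)
    return {
        "total": len(entries),
        "drivers": [e.path for e in drivers_created_in(entries, start, end)],
        "hidden": [e.path for e in entries if e.hidden_or_system],
    }


# Assumed review window: November 2009, matching the log above.
REPORT = triage(SAMPLE, "2009-11-01", "2009-12-01")

if __name__ == "__main__":
    for key, value in REPORT.items():
        print(f"{key}: {value}")
```

The attribute string is positional in DDS output, but the letters are unique, so a membership test is enough; the window filter uses the listed timestamp, which for Find3M entries is the file's modification time rather than its creation time.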
 
Hi,

Posting the logs is fine.

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

  1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (link).
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
 
Hey,

I have had some trouble running ComboFix. I keep getting the "detected rootkit activity" message. ComboFix reboots, gets through category 3 on the scan and then crashes. I've disabled all my security measures (uninstalled), with the same results. I have to go work a 48 shift so I will not be able to reply until Sunday evening. I will try again on Sunday. Thanks for your help and patience.
 
Hi,

Please see if you can get ComboFix run in safe mode (when asked for a boot make sure system returns to safe mode).
 
Hey,

I've tried everything I can think of to get ComboFix to run, and it still crashes. I have disabled all processes that might interfere, I've tried using safe mode, I've tried running it with my Internet connection disabled, and I even tried renaming the file when downloading. I'm kind of at a loss, any suggestions? Sorry, and thanks again.
 
Hi,

A question first: Do you have Vista installation media handy if needed?

Please try this:

1. Go to the c:\windows\system32\drivers folder

2. Locate the file - iastor.sys

3. Drag and move the file to Desktop

4. Wait 5 secs and press F5 to see if the operating system regenerated a fresh copy in c:\windows\system32\drivers folder

5a. If a fresh copy is regenerated, reboot the machine

5b. If a fresh copy ISN'T regenerated, move the copy from Desktop back to c:\windows\system32\drivers folder.


If 5a was carried out, run GMER and post back the report. Are browsers redirecting?

If 5b was carried out, let me know.
 
Hi!

I cannot move iastor.sys, it's being used by another program, which I have been unable to identify. I do not have any installable Vista media. I do see an iastorV.sys, should I try that one? Browser is still redirecting, and new tabs for news services keep popping up now. Should I run GMER again?
 
Hi,

Please download a fresh copy of ComboFix and try to run it.
 
Hey,

Downloaded and ran ComboFix again. It self updated and completed a full scan. As soon as it said that it was going to produce the log, it crashed. Now when I run it, it won't make it past category 23 before crashing. I've tried downloading and changing the name and running it in safe mode. No success yet. Sometimes it reboots due to rootkit activity, other times it scans properly, but always ends in a crash.
 
Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    iastor.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
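Both the "locate the file" step in the iastor.sys instructions above and the SystemLook ":filefind iastor.sys" look come down to the same question: how many copies of a given driver file exist on the disk, and do they agree with each other? The Python below is an added example, not SystemLook's code and not from the thread; it walks a directory tree, matches the file name case-insensitively as Windows does, and records path, size, modification time and SHA-256 for every copy, so that two copies with different hashes stand out. A locked or unreadable file (the "being used by another program" case reported above) is recorded with its error instead of aborting the walk. The `demo()` function builds a constructed, clearly labelled stand-in tree rather than touching a real system32 folder.

```python
"""Recursive file search reporting path, size, mtime and SHA-256 per copy.

Added example; not SystemLook's code and not part of the forum thread. It
stands in for ":filefind iastor.sys" and for the manual "locate the file"
step. The tree built in demo() is constructed for illustration only.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_of(path: str, chunk: int = 1 << 16) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def filefind(root: str, name: str) -> list:
    """Return one record per file under root whose name matches case-insensitively.

    Unreadable or locked files are reported with an 'error' field rather than
    stopping the search, so the report is still complete for the rest of the tree.
    """
    target = name.lower()
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower() != target:
                continue
            full = os.path.join(dirpath, fn)
            try:
                st = os.stat(full)
                digest = sha256_of(full)
            except OSError as exc:
                hits.append({"path": full, "error": str(exc)})
                continue
            hits.append({
                "path": full,
                "size": st.st_size,
                "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc)
                                 .isoformat(timespec="seconds"),
                "sha256": digest,
            })
    return hits


def distinct_hashes(hits: list) -> set:
    """Distinct content hashes among the readable copies found.

    More than one hash for the same driver name means the copies differ and
    deserve a closer look (which one is signed, which one the system loads).
    """
    return {h["sha256"] for h in hits if "sha256" in h}


def demo() -> tuple:
    """Constructed tree (stand-in for a Windows folder) with two differing copies
    of iastor.sys and one similarly named file that must not match."""
    with tempfile.TemporaryDirectory() as root:
        drivers = os.path.join(root, "System32", "drivers")
        store = os.path.join(root, "System32", "DriverStore", "sample_pkg")
        os.makedirs(drivers)
        os.makedirs(store)
        with open(os.path.join(drivers, "iastor.sys"), "wb") as f:
            f.write(b"constructed driver image A")
        with open(os.path.join(store, "iaStor.sys"), "wb") as f:   # case differs
            f.write(b"constructed driver image B")
        with open(os.path.join(drivers, "iastorv.sys"), "wb") as f:  # different name
            f.write(b"unrelated constructed file")
        hits = filefind(root, "iastor.sys")
        return len(hits), len(distinct_hashes(hits))


if __name__ == "__main__":
    found, differing = demo()
    print(f"copies found: {found}, distinct hashes: {differing}")
```

Run against a real tree the call is simply `filefind(r"C:\Windows", "iastor.sys")`; the hashes it returns are what you compare against a known-good copy of the driver, not something the script can judge by itself.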
 
Woohoo! Came in late last night and ran ComboFix like 3 or 4 more times, and it finally worked. I am posting the logs that you originally requested. If you still want systemlog.txt let me know. Thanks for the patience!

combofix.txt

ComboFix 09-12-01.01 - The Coppola's 12/02/2009 1:09.28.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1014.430 [GMT -5:00]
Running from: c:\users\The Coppola's\Desktop\ComboFix.exe
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-11-02 to 2009-12-02 )))))))))))))))))))))))))))))))
.

2009-12-02 06:30 . 2009-12-02 06:34 -------- d-----w- c:\users\The Coppola's\AppData\Local\temp
2009-12-02 06:30 . 2009-12-02 06:30 -------- d-----w- c:\users\Mcx2\AppData\Local\temp
2009-12-02 06:30 . 2009-12-02 06:30 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2009-12-02 06:30 . 2009-12-02 06:30 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp
2009-12-02 06:30 . 2009-12-02 06:30 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-02 05:58 . 2009-12-02 05:59 49152 d-----w- C:\32788R22FWJFW
2009-12-02 05:42 . 2009-10-30 16:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-02 05:42 . 2009-10-30 16:09 98600 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2009-12-02 05:42 . 2009-11-09 16:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-12-02 05:42 . 2009-10-06 21:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-12-02 05:42 . 2009-09-03 14:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-12-02 05:42 . 2009-12-02 05:42 32768 d-----w- c:\program files\Spyware Doctor
2009-12-02 05:42 . 2009-12-02 05:42 -------- d-----w- c:\program files\Common Files\PC Tools
2009-12-02 05:42 . 2009-12-02 05:42 -------- d-----w- c:\users\The Coppola's\AppData\Roaming\PC Tools
2009-12-02 05:42 . 2009-12-02 05:42 -------- d-----w- c:\programdata\PC Tools
2009-11-29 13:58 . 2009-11-29 13:58 -------- d-----w- c:\users\The Coppola's\AppData\Local\Apps
2009-11-27 07:15 . 2009-11-03 01:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-25 08:01 . 2009-10-29 09:41 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-24 21:21 . 2009-08-10 11:01 1399296 ----a-w- c:\windows\system32\msxml6.dll
2009-11-24 21:21 . 2009-08-10 11:00 1257472 ----a-w- c:\windows\system32\msxml3.dll
2009-11-20 01:50 . 2009-11-20 01:56 4096 d-----w- c:\program files\ERUNT
2009-11-20 01:14 . 2009-11-20 01:14 -------- d-----w- c:\users\The Coppola's\AppData\Local\PackageAware
2009-11-20 01:07 . 2001-10-04 05:14 184320 ----a-w- c:\windows\system32\wzcsvc.dll
2009-11-19 14:55 . 2009-11-19 14:55 439816 ----a-w- c:\users\The Coppola's\AppData\Roaming\Real\Update\recsetup\setup.exe
2009-11-19 14:55 . 2009-11-19 14:55 118784 ----a-w- c:\users\The Coppola's\AppData\Roaming\Real\Update\recsetup\install.dll
2009-11-16 21:21 . 2009-11-16 21:21 -------- d-----w- c:\programdata\IObit
2009-11-16 21:21 . 2009-11-16 21:21 -------- d-----w- c:\program files\IObit
2009-11-16 21:03 . 2009-11-16 21:03 -------- d-----w- c:\program files\Trend Micro
2009-11-11 04:19 . 2009-08-14 13:53 2035712 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 04:19 . 2009-08-10 13:05 351232 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-05 14:09 . 2009-11-05 14:12 4096 d-----w- c:\program files\TweakNow PowerPack 2009
2009-11-05 14:09 . 2009-11-05 14:09 -------- d-----w- c:\users\The Coppola's\AppData\Roaming\TweakNow PowerPack 2009
2009-11-05 01:11 . 2009-11-05 01:11 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-01 16:52 . 2008-11-26 04:33 4096 d-----w- c:\programdata\Google Updater
2009-11-27 02:31 . 2007-10-17 21:01 4096 d-----w- c:\programdata\McAfee
2009-11-27 02:27 . 2007-03-09 11:38 8192 d--h--w- c:\program files\InstallShield Installation Information
2009-11-27 02:26 . 2007-03-09 12:04 16384 d-----w- c:\program files\Common Files\Symantec Shared
2009-11-27 02:26 . 2007-03-09 12:04 4096 d-----w- c:\programdata\Symantec
2009-11-27 02:21 . 2007-06-08 00:09 12288 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-27 02:20 . 2007-06-08 00:09 4096 d-----w- c:\programdata\Spybot - Search & Destroy
2009-11-27 02:14 . 2007-06-08 00:16 4096 d-----w- c:\programdata\Lavasoft
2009-11-11 08:20 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-11-11 08:04 . 2009-04-08 21:59 12288 d-----w- c:\programdata\Microsoft Help
2009-10-20 21:46 . 2009-10-09 03:47 7 ----a-w- c:\windows\sbacknt.bin
2009-10-20 18:07 . 2009-10-20 15:31 -------- d-----w- c:\program files\adnqbh
2009-10-16 07:07 . 2007-03-09 11:57 24576 d-----w- c:\program files\Microsoft Works
2009-10-09 03:47 . 2009-10-09 03:47 152904 ----a-w- c:\windows\system32\vghd.scr
2009-09-14 09:44 . 2009-10-16 03:05 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-09-10 17:30 . 2009-10-16 03:06 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 15:21 . 2009-10-28 02:35 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-09-10 15:21 . 2009-10-28 02:35 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-09-04 12:24 . 2009-10-16 03:05 61440 ----a-w- c:\windows\system32\msasn1.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CCUTRAYICON"="FactoryMode" [X]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-05-07 380928]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-19 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-19 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-19 133656]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-11-18 1243088]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-15 4874240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-25 44136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R0 PCTCore;PCTools KDS;c:\windows\System32\drivers\PCTCore.sys [12/2/2009 12:42 AM 207792]
R2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [9/3/2006 1:32 PM 208896]
S2 gupdate1c9e122120b6107;Google Update Service (gupdate1c9e122120b6107);c:\program files\Google\Update\GoogleUpdate.exe [5/30/2009 7:27 AM 133104]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\Intel\IntelDH\Intel Media Server\tools\IntelDHSvcConf.exe [5/10/2006 12:13 PM 29696]
S3 FlyUsb;FLY Fusion;c:\windows\System32\drivers\FlyUsb.sys [11/25/2008 12:39 PM 19456]
S3 fssfltr;FssFltr;c:\windows\System32\drivers\fssfltr.sys [4/8/2009 7:50 PM 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 5:08 PM 533360]
.
Contents of the 'Scheduled Tasks' folder

2009-12-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-26 22:35]

2009-12-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-30 12:27]

2009-12-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-30 12:27]

2009-12-01 c:\windows\Tasks\User_Feed_Synchronization-{9F21EFA2-5087-4B5C-8230-A912354043C1}.job
- c:\windows\system32\msfeedssync.exe [2009-10-16 03:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: turbotax.com
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-mcmscsvc
SafeBoot-MCODS
AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-02 01:33
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\SEPDC7B.tmp 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys >>UNKNOWN [0x844DB50C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x861a9322
\Driver\ACPI -> acpi.sys @ 0x806c5d4c
\Driver\atapi -> ataport.SYS @ 0x828d39a8
\Driver\iaStor -> iastor.sys @ 0x8283ad94
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1148)
c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\RacAgent.exe
c:\windows\system32\lpremove.exe
.
**************************************************************************
.
Completion time: 2009-12-02 01:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-02 06:47

Pre-Run: 97,534,304,256 bytes free
Post-Run: 97,505,439,744 bytes free

- - End Of File - - 845474AB6C90A43A212764E192FCFB48
 
and of course the most current DDS log.


DDS (Ver_09-11-24.02) - NTFSx86
Run by The Coppola's at 1:50:28.65 on Wed 12/02/2009
Internet Explorer: 8.0.6001.18828
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1014.270 [GMT -5:00]

SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\hp\support\hpsysdrv.exe
C:\hp\KBD\KbdStub.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\Explorer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\notepad.exe
C:\Users\The Coppola's\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~2.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; FBSMTWB; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; InfoPath.2; OfficeLiveConnector.1.3; OfficeLivePatch.0.0)" -"http://www.nickjr.com/playtime/shows/dora/games/dora_pyramid.jhtml"
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [CCUTRAYICON] FactoryMode
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: turbotax.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Escape%20Rosecliff%20Island/Images/armhelper.ocx
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-12-2 207792]
R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-9-3 208896]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
S2 gupdate1c9e122120b6107;Google Update Service (gupdate1c9e122120b6107);c:\program files\google\update\GoogleUpdate.exe [2009-5-30 133104]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\intel\inteldh\intel media server\tools\IntelDHSvcConf.exe [2006-5-10 29696]
S2 LeapFrog Connect Device Service;LeapFrog Connect Device Service;c:\program files\leapfrog\leapfrog connect\CommandService.exe [2009-5-7 1089536]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2008-11-25 19456]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-4-8 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S4 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]

=============== Created Last 30 ================

2009-12-02 05:42:56 98600 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2009-12-02 05:42:56 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2009-12-02 05:42:56 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-02 05:42:52 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-12-02 05:42:52 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2009-12-02 05:42:52 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-12-02 05:42:52 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-12-02 05:42:44 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2009-12-02 05:42:44 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-12-02 05:42:36 0 d-----w- c:\users\thecop~1\appdata\roaming\PC Tools
2009-12-02 05:42:36 0 d-----w- c:\programdata\PC Tools
2009-12-02 05:42:36 0 d-----w- c:\program files\Spyware Doctor
2009-12-02 05:42:36 0 d-----w- c:\program files\common files\PC Tools
2009-11-27 07:15:37 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-26 16:32:38 98816 ----a-w- c:\windows\sed.exe
2009-11-26 16:32:38 77312 ----a-w- c:\windows\MBR.exe
2009-11-26 16:32:38 260608 ----a-w- c:\windows\PEV.exe
2009-11-26 16:32:38 161792 ----a-w- c:\windows\SWREG.exe
2009-11-25 08:01:47 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-24 21:21:40 1399296 ----a-w- c:\windows\system32\msxml6.dll
2009-11-24 21:21:39 1257472 ----a-w- c:\windows\system32\msxml3.dll
2009-11-24 21:21:37 714240 ----a-w- c:\windows\system32\timedate.cpl
2009-11-20 01:07:33 244024 ----a-w- c:\windows\system32\MSFLXGRD.OCX
2009-11-20 01:07:33 203976 ----a-w- c:\windows\system32\richtx32.ocx
2009-11-20 01:07:33 184320 ----a-w- c:\windows\system32\wzcsvc.dll
2009-11-19 14:55:57 0 d-----w- c:\programdata\Real
2009-11-16 21:21:18 0 d-----w- c:\programdata\IObit
2009-11-16 21:21:09 0 d-----w- c:\program files\IObit
2009-11-16 21:03:23 0 d-----w- c:\program files\Trend Micro
2009-11-11 04:19:24 2035712 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 04:19:09 351232 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-05 14:09:48 0 d-----w- c:\users\thecop~1\appdata\roaming\TweakNow PowerPack 2009
2009-11-05 14:09:48 0 d-----w- c:\program files\TweakNow PowerPack 2009
2009-11-05 01:11:29 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-04 10:14:08 1638912 ----a-w- c:\windows\system32\mshtml.tlb

==================== Find3M ====================

2009-10-09 03:47:16 152904 ----a-w- c:\windows\system32\vghd.scr
2009-09-10 17:30:12 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 15:21:53 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-09-10 15:21:07 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-09-04 12:24:34 61440 ----a-w- c:\windows\system32\msasn1.dll
2009-08-07 12:59:40 86016 ----a-w- c:\windows\inf\infstor.dat
2009-08-07 12:59:40 51200 ----a-w- c:\windows\inf\infpub.dat
2009-08-07 12:59:40 143360 ----a-w- c:\windows\inf\infstrng.dat
2008-06-11 07:10:18 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-06-06 19:19:55 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 1:52:00.47 ===============