"System Fix" virus hijacked computer

This is a discussion on "System Fix" virus hijacked computer within the Resolved HJT Threads forums, part of the Tech Support Forum category.

Old 11-28-2011, 10:45 PM   #1
Hello,

I’ve got a computer infected with the “System Fix” Virus. I believe the OS is Windows XP Professional. Searching the Tech Support Forum led me to this thread:

https://www.techsupportforum.com/foru...le-614906.html

Since that thread is getting quite long, I figured I’d start a new one. Everything happened as “pleasehelppleez” described. All programs shut down, and a phony repair program pops up and takes complete control. Luckily, we have a second computer on the network that works.

I first tried booting into safe mode with networking, which gave me a blank desktop, and no programs to run except for McAfee Security Center (this computer IS protected and regularly updated). I ran a scan, which showed several problems and fixed them (I forgot to save a log). After much internet research, I found several sites suggesting fixes, notably:

hXXp://www.geeksailor.com/how-to-remove-uninstall-system-fix-virus-removal-guide/
and
hXXp://www.foxcrawl.com/2011/11/16/how-to-remove-system-fix-malware-clean-up-guide/

In safe mode, I was able to access utility files from my working computer through the network. I installed and ran Malwarebytes, which, again, detected several problems, and I fixed them (forgot to save a log). I rebooted into normal XP, but once the Windows desktop appeared, the “System Fix” started up again.

Following the advice I’d seen, I ran “Rkill.com”. After several tries, Rkill eventually closed down System Fix. I ran MBAM again, and it returned with several problems, which I fixed. This time I did save a log (available upon request).

I tried running Kaspersky’s “TDSSKiller” rootkit scanner, but the program would not start, even after renaming the file. I ran “Unhide” in order to access the files and make a few backups just in case, but I noticed in the Task Manager that the CPU was running at 100%, and the HD kept constantly grinding away. I also noticed that System Fix created a start menu folder complete with an uninstall option (like I’m going to try that). I shut down the computer to let it rest.

A few hours later, I rebooted and System Fix started up just like before. I ran Rkill again to make it stop, and this time I ran the “GMER.exe” rootkit scanner as suggested in the TSF thread. I saved the log (ark.txt), but there’s not much there. I then ran DDS.scr as advised in the forum instructions, but I got a BSOD due to iastor.sys and the process didn’t finish.

Now, I’m having trouble accessing the other computer on the network to run files. I have access to the DVD drive, so I’m going to have to burn files to a CD in order to run anything. All files on the c: drive and even my external backup drive have been hidden by the virus. I’ll have to take things up again in the morning. Please advise on any other programs I might need. Is it possible to do everything in safe mode? In safe mode, the System Fix does not start, making things much easier.

From here, I would like to be advised by someone more knowledgeable on how to proceed. The other thread suggests ComboFix, but I noticed that the guide to ComboFix says not to use it unless instructed by a helper. I would really like to be guided through the process.

Thanks.
SilentJim is offline  
Old 11-29-2011, 07:36 AM   #2
Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please try running dds again in Safe Mode and post/attach the logs in your next reply.

Please also attach the gmer log.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 11-29-2011, 08:34 AM   #3
I tried running DDS in safe mode, but about 75% of the way through, I got a BSOD pointing to iastor.sys so it never finished. Same thing happened last time.


Here's the GMER log:

GMER 1.0.15.15641 - GMER - Rootkit Detector and Remover
Rootkit scan 2011-11-28 22:13:37
Windows 5.1.2600 Service Pack 2
Running: mile6m6l.exe; Driver: C:\DOCUME~1\JAMESS~1\LOCALS~1\Temp\pxtdapow.sys


---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\[email protected] 465855

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7dbb1c152901190.bup 3072 bytes

---- EOF - GMER 1.0.15 ----
SilentJim is offline  
Old 11-29-2011, 09:04 AM   #4
See if RSIT will run in Safe Mode with Networking:
  • Download RSIT by random/random and Save it to your Desktop.
  • Double-click RSIT.exe to run the tool.
  • Click Continue at the disclaimer screen.
  • When the scan completes it will open a log named log.txt maximized, and a log named info.txt minimized.
  • Please copy/paste the contents of log.txt and info.txt in your next reply.
------------------------------------------------------
chemist is offline  
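Once log.txt is posted, the part a helper reads first is the HijackThis section's O4 autostart entries, looking for programs that start from places legitimate software does not use. As an added example (not part of this thread, and not a TSF, RSIT or HijackThis tool), the Python script below parses O4 lines in that log format and flags three patterns: an executable sitting directly in the shared Application Data root, rundll32 loading a DLL from the Windows directory root or a user-writable folder, and an entry name with erratic mixed case. The sample lines are constructed in that format using paths from the log.txt posted later in this thread; the rule thresholds and the "normal component directory" notion are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample input: O4 lines in HijackThis/RSIT log.txt format. Commands are
# copied from the log posted in this thread; benign and suspicious entries are mixed.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [yEfRqQhDUGAmlI.exe] C:\Documents and Settings\All Users\Application Data\yEfRqQhDUGAmlI.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [Iqodoyiziyemamer] rundll32.exe "C:\WINDOWS\dapfogX.dll",Startup
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
"""

# "O4 - HKLM\..\Run: [name] command" and "O4 - Global Startup: name.lnk = target"
RUN_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
STARTUP_RE = re.compile(r'^O4 - Global Startup: (?P<name>.*?) = (?P<cmd>.*)$')
# First image on the command line: a quoted path, or an unquoted path up to its extension.
IMAGE_RE = re.compile(r'^\s*(?:"(?P<quoted>[^"]+)"|(?P<bare>.+?\.(?:exe|dll|scr|com|bat|cmd)))(?:\s|,|$)', re.I)
DLL_RE = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.I)


@dataclass
class O4Entry:
    hive: str
    name: str
    command: str
    image: str


def image_path(cmd):
    """Return the program (or script host) the O4 command line launches."""
    m = IMAGE_RE.match(cmd)
    if m:
        return m.group('quoted') or m.group('bare')
    return cmd.strip().split(' ', 1)[0]   # no recognisable extension: take the first token


def parse_o4(log_text):
    """Extract every O4 autostart entry from a HijackThis-format log."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            hive, name, cmd = m.group('hive'), m.group('name'), m.group('cmd')
        else:
            m = STARTUP_RE.match(line)
            if not m:
                continue
            hive, name, cmd = 'Global Startup', m.group('name'), m.group('cmd')
        entries.append(O4Entry(hive, name, cmd, image_path(cmd)))
    return entries


def _parent_dir(path):
    return path.rsplit('\\', 1)[0].lower() if '\\' in path else ''


def rule_programdata_root(entry):
    """Legitimate installers put programs in Program Files, not loose in the shared data root."""
    parent = _parent_dir(entry.image)
    if parent.endswith(r'all users\application data') or parent.endswith(r':\programdata'):
        return 'image sits directly in the shared Application Data root'
    return None


def rule_rundll32_odd_dll(entry):
    """rundll32 is a script host: judge the DLL it loads, not rundll32 itself."""
    if entry.image.rsplit('\\', 1)[-1].lower() != 'rundll32.exe':
        return None
    m = DLL_RE.search(entry.command)
    if not m:
        return 'rundll32 started without a recognisable DLL argument'
    dll = m.group(1) or m.group(2)
    parent = _parent_dir(dll)
    if parent.endswith(r':\windows') or 'application data' in parent or r'\temp' in parent:
        return f'rundll32 loads {dll} from outside a normal component directory'
    return None


def rule_random_name(entry):
    """Erratic upper/lower case in a long, letters-only name (assumed threshold: half the transitions)."""
    stem = re.sub(r'\.[A-Za-z0-9]+$', '', entry.name)
    if len(stem) < 10 or not stem.isalpha():
        return None
    flips = sum(1 for a, b in zip(stem, stem[1:]) if a.isupper() != b.isupper())
    if flips / (len(stem) - 1) >= 0.5:
        return 'entry name looks machine-generated (erratic mixed case)'
    return None


RULES = (rule_programdata_root, rule_rundll32_odd_dll, rule_random_name)


def triage(log_text):
    """Return (name, image, reasons) for every O4 entry that trips at least one rule."""
    findings = []
    for entry in parse_o4(log_text):
        reasons = [r for r in (rule(entry) for rule in RULES) if r]
        if reasons:
            findings.append((entry.name, entry.image, reasons))
    return findings


if __name__ == '__main__':
    for name, image, reasons in triage(SAMPLE_LOG):
        print(f'[{name}] {image}\n    ' + '\n    '.join(reasons))
```

The rules deliberately look at where an autostart points rather than at names alone, because vendor entries such as KernelFaultCheck or DellSupportCenter are also camel-cased; on the sample only the two entries a helper would ask about are reported, and the rest of the log.txt that follows in this thread could be fed to `triage` unchanged.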
Old 11-29-2011, 09:28 AM   #5
RSIT worked.

Contents of log.txt:

Logfile of random's system information tool 1.09 (written by random/random)
Run by James Stadler at 2011-11-29 10:19:47
Microsoft Windows XP Professional Service Pack 2
System drive C: has 123 GB (82%) free of 150 GB
Total RAM: 1022 MB (29% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:20:35 AM, on 11/29/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Documents and Settings\James Stadler\Local Settings\Temporary Internet Files\Content.IE5\OC94ZTDO\RSIT[1].exe
C:\Program Files\trend micro\James Stadler.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = https://bfc.myway.com/search/de_srchlft.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://www.dell4me.com/myway
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110515001805.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Memeo Instant Backup] C:\Program Files\Memeo\AutoBackup\MemeoLauncher2.exe --silent --no_ui
O4 - HKLM\..\Run: [Seagate Dashboard] C:\Program Files\Seagate\Seagate Dashboard\MemeoLauncher.exe --silent --no_ui
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [yEfRqQhDUGAmlI.exe] C:\Documents and Settings\All Users\Application Data\yEfRqQhDUGAmlI.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Iqodoyiziyemamer] rundll32.exe "C:\WINDOWS\dapfogX.dll",Startup
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Update Service (gupdate1c9d33f2ad42e5e) (gupdate1c9d33f2ad42e5e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: MemeoBackgroundService - Memeo - C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Seagate Dashboard Service (SeagateDashboardService) - Memeo - C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 10546 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Google Software Updater.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27B4851A-3207-45A2-B947-BE8AFE6163AB}]
McAfee Phishing Filter - c:\progra~1\mcafee\msk\mskapbho.dll [2011-03-11 238056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110515001805.dll [2011-04-14 75848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2011-11-14 342192]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll [2011-11-14 1003576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}]
McAfee SiteAdvisor BHO - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2011-08-11 258120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-05-03 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-05-03 79648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - McAfee SiteAdvisor Toolbar - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2011-08-11 258120]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2011-11-14 342192]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"=C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe [2004-06-29 135168]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2004-08-25 339968]
"DVDLauncher"=C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe [2004-10-12 57344]
"PrinTray"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe [2000-03-08 36864]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2005-04-20 98304]
"CanonSolutionMenu"=C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe [2007-05-14 644696]
"CanonMyPrinter"=C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2007-04-03 1603152]
"SSBkgdUpdate"=C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [2006-10-25 210472]
"OpwareSE4"=C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe [2007-02-04 79400]
"Adobe Photo Downloader"=C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe [2007-03-09 63712]
"dscactivate"=C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe [2007-11-15 16384]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"DellSupportCenter"=C:\Program Files\Dell Support Center\bin\sprtcmd.exe [2009-05-21 206064]
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2007-03-15 153136]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-02-18 248040]
"Memeo Instant Backup"=C:\Program Files\Memeo\AutoBackup\MemeoLauncher2.exe [2010-07-08 136416]
"Seagate Dashboard"=C:\Program Files\Seagate\Seagate Dashboard\MemeoLauncher.exe [2010-07-06 79112]
"mcui_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2011-06-28 1195408]
"yEfRqQhDUGAmlI.exe"=C:\Documents and Settings\All Users\Application Data\yEfRqQhDUGAmlI.exe [2011-11-28 444672]
"KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"=C:\Program Files\DellSupport\DSAgnt.exe [2007-03-15 460784]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-10-13 1694208]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-05-30 68856]
"DellSupportCenter"=C:\Program Files\Dell Support Center\bin\sprtcmd.exe [2009-05-21 206064]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"Iqodoyiziyemamer"=C:\WINDOWS\dapfogX.dll,Startup []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [2007-05-07 149040]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2005-04-20 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe [2005-04-20 26112]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe
Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2004-08-04 239616]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\McMPFSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mfefire]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mfefirek]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mfefirek.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mfehidk]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mfehidk.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mfevtp]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableTaskMgr"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoDesktop"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=1
"NoFolderOptions"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL"
"C:\Games\Battlefield 1942\BF1942.exe"="C:\Games\Battlefield 1942\BF1942.exe:*:Enabled:BF1942"
"C:\Documents and Settings\James Stadler\My Documents\TurboTax\TurboTax Deluxe 2006\32bit\ttax.exe"="C:\Documents and Settings\James Stadler\My Documents\TurboTax\TurboTax Deluxe 2006\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\Documents and Settings\James Stadler\My Documents\TurboTax\TurboTax Deluxe 2006\32bit\updatemgr.exe"="C:\Documents and Settings\James Stadler\My Documents\TurboTax\TurboTax Deluxe 2006\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe"="C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe"="C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe"="C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe"="C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe"="C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe:*:Enabled:McAfee Shared Service Host"
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe"="C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"=midimap.dll
"msacm.imaadpcm"=imaadp32.acm
"msacm.msadpcm"=msadp32.acm
"msacm.msg711"=msg711.acm
"msacm.msgsm610"=msgsm32.acm
"msacm.trspch"=tssoft32.acm
"vidc.cvid"=iccvid.dll
"vidc.I420"=msh263.drv
"vidc.iv31"=ir32_32.dll
"vidc.iv32"=ir32_32.dll
"vidc.iv41"=ir41_32.ax
"vidc.iyuv"=iyuv_32.dll
"vidc.mrle"=msrle32.dll
"vidc.msvc"=msvidc32.dll
"vidc.uyvy"=msyuv.dll
"vidc.yuy2"=msyuv.dll
"vidc.yvu9"=tsbyuv.dll
"vidc.yvyu"=msyuv.dll
"wavemapper"=msacm32.drv
"msacm.msg723"=msg723.acm
"vidc.M263"=msh263.drv
"vidc.M261"=msh261.drv
"msacm.msaudio1"=msaud32.acm
"msacm.sl_anet"=sl_anet.acm
"msacm.iac2"=C:\WINDOWS\system32\iac25_32.ax
"vidc.iv50"=ir50_32.dll
"msacm.l3acm"=C:\WINDOWS\system32\l3codeca.acm
"wave1"=wdmaud.drv
"midi1"=wdmaud.drv
"mixer1"=wdmaud.drv
"wave2"=serwvdrv.dll

======List of files/folders created in the last 1 month======

2011-11-29 10:19:52 ----D---- C:\Program Files\trend micro
2011-11-29 10:19:47 ----D---- C:\rsit
2011-11-29 09:16:28 ----A---- C:\WINDOWS\system32\d3d9caps.dat
2011-11-28 22:45:17 ----D---- C:\WINDOWS\Minidump
2011-11-28 2133 ----AH---- C:\Documents and Settings\All Users\Application Data\I3DZpvTXX01Nos.exe
2011-11-28 13:34:28 ----HD---- C:\Program Files\GridinSoft Trojan Killer
2011-11-28 11:02:14 ----AH---- C:\Documents and Settings\All Users\Application Data\yEfRqQhDUGAmlI.exe

======List of files/folders modified in the last 1 month======

2011-11-29 10:20:00 ----HD---- C:\WINDOWS\Temp
2011-11-29 10:19:52 ----RHD---- C:\Program Files
2011-11-29 10:17:58 ----HD---- C:\WINDOWS\SYSTEM32
2011-11-29 10:12:09 ----AH---- C:\WINDOWS\ntbtlog.txt
2011-11-29 10:11:49 ----SHD---- C:\WINDOWS\CSC
2011-11-29 10:11:45 ----HD---- C:\WINDOWS
2011-11-28 23:02:35 ----AH---- C:\WINDOWS\SchedLgU.Txt
2011-11-28 23:02:31 ----HD---- C:\WINDOWS\system32\CatRoot2
2011-11-28 22:46:36 ----HD---- C:\WINDOWS\Prefetch
2011-11-28 21:05:45 ----AH---- C:\WINDOWS\ModemLog_Conexant D850 56K V.9x DFVc Modem.txt
2011-11-28 21:04:39 ----HDC---- C:\WINDOWS\$NtUninstallKB890859$
2011-11-28 21:04:39 ----HD---- C:\WINDOWS\system32\DRIVERS
2011-11-28 14:44:30 ----HD---- C:\Program Files\Malwarebytes' Anti-Malware
2011-11-28 14:44:08 ----HDC---- C:\WINDOWS\$MSI31Uninstall_KB893803v2$
2011-11-28 11:08:57 ----HD---- C:\WINDOWS\INF
2011-11-24 08:40:16 ----HD---- C:\Program Files\Google
2011-11-22 1332 ----HD---- C:\WINDOWS\system32\FxsTmp
2011-11-17 18:24:07 ----SHD---- C:\WINDOWS\Installer
2011-11-17 18:24:07 ----HD---- C:\Config.Msi
2011-11-14 13:58:51 ----HD---- C:\DesignCAD 3000
2011-11-14 13:58:50 ----HD---- C:\WINDOWS\Help
2011-11-11 03:00:25 ----AH---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2004-08-03 42368]
R0 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2004-08-03 44928]
R0 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2004-08-03 42752]
R0 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2004-08-03 43008]
R0 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
R0 iaStor;Intel AHCI Controller; C:\WINDOWS\system32\drivers\iaStor.sys [2004-06-29 477952]
R0 mfehidk;McAfee Inc. mfehidk; C:\WINDOWS\system32\drivers\mfehidk.sys [2011-04-14 387480]
R0 ppa;Iomega Parallel Port Filter Driver; C:\WINDOWS\system32\DRIVERS\ppa.sys [2001-08-17 17792]
R0 PxHelp20;PxHelp20; C:\WINDOWS\System32\Drivers\PxHelp20.sys [2004-08-02 20576]
R0 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2004-08-03 41088]
R0 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2004-08-03 42240]
R1 mfetdi2k;McAfee Inc. mfetdi2k; C:\WINDOWS\system32\drivers\mfetdi2k.sys [2011-04-14 84200]
R1 omci;OMCI WDM Device Driver; C:\WINDOWS\system32\DRIVERS\omci.sys [2002-11-08 17217]
R3 b57w2k;Broadcom NetXtreme 57xx Gigabit Controller; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2004-05-29 186112]
R3 mfefirek;McAfee Inc. mfefirek; C:\WINDOWS\system32\drivers\mfefirek.sys [2011-04-14 314088]
R3 mfendiskmp;mfendiskmp; C:\WINDOWS\system32\DRIVERS\mfendisk.sys [2011-04-14 88736]
R3 RT73;Linksys Home Wireless-G USB Adapter Driver; C:\WINDOWS\system32\DRIVERS\rt73.sys [2005-11-24 245248]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver; C:\WINDOWS\system32\drivers\WmBEnum.sys [2003-03-25 10144]
R3 WmXlCore;Logitech WingMan Translation Layer Driver; C:\WINDOWS\system32\drivers\WmXlCore.sys [2003-03-25 40256]
S1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
S2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.4.3.0; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2008-01-05 20747]
S2 ASCTRM;ASCTRM; C:\WINDOWS\system32\drivers\ASCTRM.sys [2005-04-20 8552]
S2 dsunidrv;DellSupport UniDriver; C:\WINDOWS\system32\DRIVERS\dsunidrv.sys [2007-02-25 5376]
S2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2003-04-09 11043]
S3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2004-08-25 787456]
S3 bvrp_pci;bvrp_pci; C:\WINDOWS\system32\drivers\bvrp_pci.sys []
S3 cfwids;McAfee Inc. cfwids; C:\WINDOWS\system32\drivers\cfwids.sys [2011-04-14 56064]
S3 DSproct;DSproct; \??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys []
S3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 GTNDIS5;GTNDIS5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\GTNDIS5.SYS []
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2004-12-14 51120]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2004-12-14 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2004-12-14 21744]
S3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2003-11-17 1042432]
S3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys [2003-11-17 212224]
S3 MBAMSwissArmy;MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys []
S3 mfeapfk;McAfee Inc. mfeapfk; C:\WINDOWS\system32\drivers\mfeapfk.sys [2011-04-14 95824]
S3 mfeavfk;McAfee Inc. mfeavfk; C:\WINDOWS\system32\drivers\mfeavfk.sys [2011-04-14 153280]
S3 mfebopk;McAfee Inc. mfebopk; C:\WINDOWS\system32\drivers\mfebopk.sys [2011-04-14 52320]
S3 mfendisk;McAfee Core NDIS Intermediate Filter; C:\WINDOWS\system32\DRIVERS\mfendisk.sys [2011-04-14 88736]
S3 mferkdet;McAfee Inc. mferkdet; C:\WINDOWS\system32\drivers\mferkdet.sys [2011-04-14 84488]
S3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 senfilt;senfilt; C:\WINDOWS\system32\drivers\senfilt.sys [2004-09-17 732928]
S3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2005-01-27 260352]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys []
S3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2003-11-17 680704]
S3 WmFilter;Logitech WingMan HID Filter Driver; C:\WINDOWS\system32\drivers\WmFilter.sys [2003-03-25 21216]
S3 WmVirHid;Logitech Virtual Hid Device Driver; C:\WINDOWS\system32\drivers\WmVirHid.sys [2003-03-25 5728]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-04 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 McMPFSvc;McAfee Personal Firewall Service; C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
R2 mcmscsvc;McAfee Services; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-03-10 271480]
R2 mfefire;McAfee Firewall Core Service; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-04-14 188136]
R2 mfevtp;McAfee Validation Trust Protection Service; C:\WINDOWS\system32\mfevtps.exe [2011-04-14 141792]
S2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2004-08-25 389120]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2004-08-04 267776]
S2 gupdate1c9d33f2ad42e5e;Google Update Service (gupdate1c9d33f2ad42e5e); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-05-12 133104]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-09-19 194104]
S2 IAANTMon;IAA Event Monitor; C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe [2004-06-29 73852]
S2 IntuitUpdateService;Intuit Update Service; C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2010-08-23 13672]
S2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-04-12 153376]
S2 LexBceS;LexBce Server; C:\WINDOWS\system32\LEXBCES.EXE [2000-03-08 278016]
S2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2007-01-17 61440]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2011-08-10 94880]
S2 McNaiAnn;McAfee VirusScan Announcer; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 McNASvc;McAfee Network Agent; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 McProxy;McAfee Proxy Service; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 McShield;McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [2011-04-14 171168]
S2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
S2 MemeoBackgroundService;MemeoBackgroundService; C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe [2010-07-08 25824]
S2 MSK80Service;McAfee Anti-Spam Service; C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 MSSQL$MICROSOFTBCM;MSSQL$MICROSOFTBCM; C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe [2003-05-31 7544916]
S2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2006-03-03 69632]
S2 SeagateDashboardService;Seagate Dashboard Service; C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [2010-07-06 14088]
S2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter); C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2008-08-13 201968]
S2 WSearch;Windows Search; C:\WINDOWS\system32\SearchIndexer.exe [2008-05-26 439808]
S2 WUSB54GCSVC;WUSB54GCSVC; C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe [2005-07-04 53307]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 DSBrokerService;DSBrokerService; C:\Program Files\DellSupport\brkrsvc.exe [2007-03-07 76848]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 gupdatem;Google Update Service (gupdatem); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-05-12 133104]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 McODS;McAfee Scanner; C:\Program Files\McAfee\VirusScan\mcods.exe [2010-10-07 364216]
S3 MSSQLServerADHelper;MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [2002-12-17 66112]
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2007-05-07 779824]
S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2007-05-07 271920]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 SQLAgent$MICROSOFTBCM;SQLAgent$MICROSOFTBCM; C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE [2002-12-17 311872]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

contents of info.txt:

info.txt logfile of random's system information tool 1.09 2011-11-29 10:20:41

======Uninstall list======

-->C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
-->C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
-->C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL
-->C:\WINDOWS\UNRecode.exe /UNINSTALL
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)-->MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\FlashUtil10k_ActiveX.exe -maintain activex
Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe® Photoshop® Album Starter Edition 3.2-->MsiExec.exe /I{A654A805-41D9-40C7-AA46-4AF04F044D61}
AnswerWorks 4.0 Runtime - English-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}\setup.exe" -l0x9 -removeonly
AnswerWorks 5.0 English Runtime-->MsiExec.exe /I{9E5A03E3-6246-4920-9630-0527D5DA9B07}
ATI Control Panel-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,[email protected] -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Audacity 1.2.6-->"C:\Program Files\Audacity\unins000.exe"
Banctec Service Agreement-->MsiExec.exe /X{4B9F45E8-E3CE-40B4-9463-80A9B3481DEF}
Broadcom Advanced Control Suite 2-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2E086814-7392-4E0F-ADB8-54A81E47406C} /l1033
Business Contact Manager for Outlook 2003-->MsiExec.exe /I{66563AD8-637B-407F-BCA7-0233A16891AB}
Canon MP Navigator EX 1.0-->"C:\Program Files\Canon\MP Navigator EX 1.0\Maint.exe" /UninstallRemove C:\Program Files\Canon\MP Navigator EX 1.0\uninst.ini
Canon MP470 series User Registration-->C:\Program Files\Canon\IJEREG\MP470 series\UNINST.EXE
Canon MP470 series-->"C:\WINDOWS\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP470_series\DelDrv.exe" /U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP470_series /L0x0009
Canon My Printer-->C:\Program Files\Canon\MyPrinter\uninst.exe uninst.ini
Canon Utilities Easy-PhotoPrint EX-->C:\Program Files\Canon\Easy-PhotoPrint EX\uninst.exe uninst.ini
Canon Utilities Solution Menu-->C:\Program Files\Canon\SolutionMenu\uninst.exe uninst.ini
Conexant D850 56K V.9x DFVc Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -Idel200fk.inf
Convert-->MsiExec.exe /X{23970E31-948B-466E-8376-1224D32FDF0C}
Delftship free edition version 3.2-->"C:\Documents and Settings\James Stadler\My Documents\Models\Delftship\Delftship\unins000.exe"
Dell Driver Reset Tool-->MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell Media Experience-->MsiExec.exe /I{AC0EE5B0-A8FB-4D0A-AF03-2EDC518F841B}
Dell Picture Studio v3.0-->MsiExec.exe /I{AF06CAE4-C134-44B1-B699-14FBDB63BD37}
DellSupport-->MsiExec.exe /X{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}
DesignCAD 3000-->C:\WINDOWS\IsUninst.exe -f"C:\DesignCAD 3000\Uninst.isu" C:\DesignCAD 3000\dcuninst.dll
Google Chrome-->"C:\Program Files\Google\Chrome\Application\15.0.874.121\Installer\setup.exe" --uninstall --multi-install --chrome --system-level --verbose-logging
Google Earth-->MsiExec.exe /X{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}
Google Toolbar for Internet Explorer-->"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_DC5D2AFB0F84E8D8.exe" /uninstall
Google Toolbar for Internet Explorer-->MsiExec.exe /I{18455581-E099-4BA8-BC6B-F34B2F06600C}
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB896344)-->"C:\WINDOWS\$NtUninstallKB896344$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB914440)-->"C:\WINDOWS\$NtUninstallKB914440$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB915800-v4)-->"C:\WINDOWS\$NtUninstallKB915800-v4$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB915865)-->"C:\WINDOWS\$NtUninstallKB915865$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB926239)-->"C:\WINDOWS\$NtUninstallKB926239$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB976098-v2)-->"C:\WINDOWS\$NtUninstallKB976098-v2$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB979306)-->"C:\WINDOWS\$NtUninstallKB979306$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB981793)-->"C:\WINDOWS\$NtUninstallKB981793$\spuninst\spuninst.exe"
HP Photosmart, Officejet and Deskjet 7.0.A-->C:\Program Files\HP\Digital Imaging\{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}\setup\hpzscr01.exe -datfile hposcr11.dat
Intel Application Accelerator-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}\setup.exe" -l0409 -INTELUNINST
InterActual Player-->C:\Program Files\InterActual\InterActual Player\inuninst.exe
Internet Explorer Default Page-->MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}
iSEEK AnswerWorks English Runtime-->MsiExec.exe /I{18A8E78B-9EF2-496E-B310-BCD8E4C1DAB3}
Jasc Paint Shop Photo Album 5-->MsiExec.exe /I{4192EAC0-6B36-4723-B216-D0E86E7757AC}
Jasc Paint Shop Pro Studio, Dell Editon-->MsiExec.exe /I{78C496B9-5A6B-4692-8C2E-AFFFC34E4961}
Java 2 Runtime Environment, SE v1.4.2_03-->MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
Java(TM) 6 Update 20-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
LAME v3.98.2 for Audacity-->"C:\Program Files\Lame for Audacity\unins000.exe"
Learn2 Player (Uninstall Only)-->C:\Program Files\Learn2.com\StRunner\stuninst.exe
Malwarebytes' Anti-Malware version 1.51.2.1300-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
McAfee SecurityCenter-->C:\Program Files\McAfee\MSC\mcuihost.exe /body:misp://MSCJsRes.dll::uninstall.html /id:uninstall
Memeo Instant Backup-->C:\Program Files\Memeo\AutoBackup\uninstall.exe
Microsoft .NET Framework 1.1 Security Update (KB979906)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M979906\M979906Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft Base Smart Card Cryptographic Service Provider Package-->"C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{91110409-6000-11D3-8CFE-0150048383C9}
Microsoft Plus! Digital Media Edition Installer-->MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE-->MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Modem Helper-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 6 Service Pack 2 (KB973686)-->MsiExec.exe /I{56EA8BC0-3751-4B93-BC9D-6651CC36E5AA}
My Way Search Assistant-->rundll32 C:\PROGRA~1\MyWaySA\SrchAsDe\1.bin\desrcas.dll,O
neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NetWaiting-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
NetZeroInstallers-->MsiExec.exe /X{352310C3-E46B-42D3-8F32-54721FDD72D9}
OCR Software by I.R.I.S 7.0-->C:\Program Files\HP\Digital Imaging\OCR\hpzscr01.exe -datfile hpqbud11.dat
Photo Click-->MsiExec.exe /I{6E179C77-7335-458D-9537-4F4EAC0181ED}
PowerDVD 5.3-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Privateers Bounty - Age of Sail II-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Global Star\Privateers Bounty - Age of Sail II\Uninst.isu"
Quicken 2011-->MsiExec.exe /X{5FE545A1-D215-4216-9189-E7B39C9D1CC1}
QuickTime-->C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer Basic-->C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Security Update for Step By Step Interactive Training (KB898458)-->"C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB969897)-->"C:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB972260)-->"C:\WINDOWS\ie7updates\KB972260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB974455)-->"C:\WINDOWS\ie7updates\KB974455-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB976325)-->"C:\WINDOWS\ie7updates\KB976325-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB978207)-->"C:\WINDOWS\ie7updates\KB978207-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB971961)-->"C:\WINDOWS\ie8updates\KB971961-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB976325)-->"C:\WINDOWS\ie8updates\KB976325-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB978207)-->"C:\WINDOWS\ie8updates\KB978207-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB981332)-->"C:\WINDOWS\ie8updates\KB981332-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB982381)-->"C:\WINDOWS\ie8updates\KB982381-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB911564)-->"C:\WINDOWS\$NtUninstallKB911564$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9L$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB978695)-->"C:\WINDOWS\$NtUninstallKB978695_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 6.4 (KB925398)-->"C:\WINDOWS\$NtUninstallKB925398_WMP64$\spuninst\spuninst.exe"
Security Update for Windows Search 4 - KB963093-->"C:\WINDOWS\$NtUninstallKB963093$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2229593)-->"C:\WINDOWS\$NtUninstallKB2229593$\spuninst\spuninst.exe"
Security Update for Windows XP (KB883939)-->"C:\WINDOWS\$NtUninstallKB883939$\spuninst\spuninst.exe"
Security Update for Windows XP (KB890046)-->"C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Security Update for Windows XP (KB893756)-->"C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896358)-->"C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896422)-->"C:\WINDOWS\$NtUninstallKB896422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896423)-->"C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896424)-->"C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896428)-->"C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896688)-->"C:\WINDOWS\$NtUninstallKB896688$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899587)-->"C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899588)-->"C:\WINDOWS\$NtUninstallKB899588$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899589)-->"C:\WINDOWS\$NtUninstallKB899589$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899591)-->"C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Security Update for Windows XP (KB900725)-->"C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901017)-->"C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901214)-->"C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB902400)-->"C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Security Update for Windows XP (KB903235)-->"C:\WINDOWS\$NtUninstallKB903235$\spuninst\spuninst.exe"
Security Update for Windows XP (KB904706)-->"C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905414)-->"C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905749)-->"C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905915)-->"C:\WINDOWS\$NtUninstallKB905915$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908519)-->"C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908531)-->"C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911280)-->"C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911562)-->"C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911567)-->"C:\WINDOWS\$NtUninstallKB911567$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911927)-->"C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912812)-->"C:\WINDOWS\$NtUninstallKB912812$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912919)-->"C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913446)-->"C:\WINDOWS\$NtUninstallKB913446$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913580)-->"C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914388)-->"C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914389)-->"C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Security Update for Windows XP (KB916281)-->"C:\WINDOWS\$NtUninstallKB916281$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917159)-->"C:\WINDOWS\$NtUninstallKB917159$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917344)-->"C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917422)-->"C:\WINDOWS\$NtUninstallKB917422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917953)-->"C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918118)-->"C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918439)-->"C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918899)-->"C:\WINDOWS\$NtUninstallKB918899$\spuninst\spuninst.exe"
Security Update for Windows XP (KB919007)-->"C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920213)-->"C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920214)-->"C:\WINDOWS\$NtUninstallKB920214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920670)-->"C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920683)-->"C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920685)-->"C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921398)-->"C:\WINDOWS\$NtUninstallKB921398$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921503)-->"C:\WINDOWS\$NtUninstallKB921503$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921883)-->"C:\WINDOWS\$NtUninstallKB921883$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922616)-->"C:\WINDOWS\$NtUninstallKB922616$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922760)-->"C:\WINDOWS\$NtUninstallKB922760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922819)-->"C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923191)-->"C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923414)-->"C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923689)-->"C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923694)-->"C:\WINDOWS\$NtUninstallKB923694$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923980)-->"C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924191)-->"C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924270)-->"C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924496)-->"C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924667)-->"C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925454)-->"C:\WINDOWS\$NtUninstallKB925454$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925486)-->"C:\WINDOWS\$NtUninstallKB925486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925902)-->"C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926255)-->"C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926436)-->"C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927779)-->"C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927802)-->"C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928090)-->"C:\WINDOWS\$NtUninstallKB928090$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928255)-->"C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928843)-->"C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Security Update for Windows XP (KB929123)-->"C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Security Update for Windows XP (KB929969)-->"C:\WINDOWS\$NtUninstallKB929969$\spuninst\spuninst.exe"
Security Update for Windows XP (KB930178)-->"C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931261)-->"C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931768)-->"C:\WINDOWS\$NtUninstallKB931768$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931784)-->"C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Security Update for Windows XP (KB932168)-->"C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Security Update for Windows XP (KB933566)-->"C:\WINDOWS\$NtUninstallKB933566$\spuninst\spuninst.exe"
Security Update for Windows XP (KB933729)-->"C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935839)-->"C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935840)-->"C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Security Update for Windows XP (KB936021)-->"C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
Security Update for Windows XP (KB937143)-->"C:\WINDOWS\$NtUninstallKB937143$\spuninst\spuninst.exe"
Security Update for Windows XP (KB937894)-->"C:\WINDOWS\$NtUninstallKB937894$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938127)-->"C:\WINDOWS\$NtUninstallKB938127$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938829)-->"C:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe"
Security Update for Windows XP (KB939653)-->"C:\WINDOWS\$NtUninstallKB939653$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941202)-->"C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941568)-->"C:\WINDOWS\$NtUninstallKB941568$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941644)-->"C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941693)-->"C:\WINDOWS\$NtUninstallKB941693$\spuninst\spuninst.exe"
Security Update for Windows XP (KB942615)-->"C:\WINDOWS\$NtUninstallKB942615$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943055)-->"C:\WINDOWS\$NtUninstallKB943055$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943460)-->"C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943485)-->"C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944653)-->"C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"
Security Update for Windows XP (KB945553)-->"C:\WINDOWS\$NtUninstallKB945553$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946026)-->"C:\WINDOWS\$NtUninstallKB946026$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB948590)-->"C:\WINDOWS\$NtUninstallKB948590$\spuninst\spuninst.exe"
Security Update for Windows XP (KB948881)-->"C:\WINDOWS\$NtUninstallKB948881$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950749)-->"C:\WINDOWS\$NtUninstallKB950749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958470)-->"C:\WINDOWS\$NtUninstallKB958470$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969947)-->"C:\WINDOWS\$NtUninstallKB969947$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970430)-->"C:\WINDOWS\$NtUninstallKB970430$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971032)-->"C:\WINDOWS\$NtUninstallKB971032$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971468)-->"C:\WINDOWS\$NtUninstallKB971468$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971961)-->"C:\WINDOWS\$NtUninstallKB971961$\spuninst\spuninst.exe"
Security Update for Windows XP (KB972270)-->"C:\WINDOWS\$NtUninstallKB972270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973904)-->"C:\WINDOWS\$NtUninstallKB973904$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974318)-->"C:\WINDOWS\$NtUninstallKB974318$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974392)-->"C:\WINDOWS\$NtUninstallKB974392$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975560)-->"C:\WINDOWS\$NtUninstallKB975560$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975561)-->"C:\WINDOWS\$NtUninstallKB975561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975562)-->"C:\WINDOWS\$NtUninstallKB975562$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975713)-->"C:\WINDOWS\$NtUninstallKB975713$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977165-v2)-->"C:\WINDOWS\$NtUninstallKB977165-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977816)-->"C:\WINDOWS\$NtUninstallKB977816$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977914)-->"C:\WINDOWS\$NtUninstallKB977914$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978037)-->"C:\WINDOWS\$NtUninstallKB978037$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978251)-->"C:\WINDOWS\$NtUninstallKB978251$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978262)-->"C:\WINDOWS\$NtUninstallKB978262$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978338)-->"C:\WINDOWS\$NtUninstallKB978338$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978542)-->"C:\WINDOWS\$NtUninstallKB978542$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978601)-->"C:\WINDOWS\$NtUninstallKB978601$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978706)-->"C:\WINDOWS\$NtUninstallKB978706$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979309)-->"C:\WINDOWS\$NtUninstallKB979309$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979482)-->"C:\WINDOWS\$NtUninstallKB979482$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979559)-->"C:\WINDOWS\$NtUninstallKB979559$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979683)-->"C:\WINDOWS\$NtUninstallKB979683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB980195)-->"C:\WINDOWS\$NtUninstallKB980195$\spuninst\spuninst.exe"
Security Update for Windows XP (KB980218)-->"C:\WINDOWS\$NtUninstallKB980218$\spuninst\spuninst.exe"
Security Update for Windows XP (KB980232)-->"C:\WINDOWS\$NtUninstallKB980232$\spuninst\spuninst.exe"
Trojan Killer 2.1-->"C:\Program Files\GridinSoft Trojan Killer\unins000.exe"
TurboTax 2008 WinPerFedFormset-->MsiExec.exe /I{7570F1CA-016D-46AC-B586-CD74645EFB52}
TurboTax 2008 WinPerReleaseEngine-->MsiExec.exe /I{88214092-836F-4E22-A5AC-569AC9EE6A0F}
TurboTax 2008 WinPerTaxSupport-->MsiExec.exe /I{B23726CF-68BF-41A6-A4EB-72F12F87FE05}
TurboTax 2008 WinPerUserEducation-->MsiExec.exe /I{29521505-F489-4822-ADFA-32C6DEE4F114}
TurboTax 2008 wrapper-->MsiExec.exe /I{B1DB1AD8-C07E-4052-81A1-D2930232BA70}
TurboTax 2008-->C:\Program Files\TurboTax\Deluxe 2008\Installer\TurboTax 2008 Installer.exe /u /t /a
TurboTax 2009 waziper-->MsiExec.exe /I{35D5A740-EAA2-012B-AD08-000000000000}
TurboTax 2009 WinPerFedFormset-->MsiExec.exe /I{3881DB80-EAA2-012B-ADAE-000000000000}
TurboTax 2009 WinPerReleaseEngine-->MsiExec.exe /I{38975F50-EAA2-012B-ADB4-000000000000}
TurboTax 2009 WinPerTaxSupport-->MsiExec.exe /I{38A34630-EAA2-012B-ADB6-000000000000}
TurboTax 2009 wrapper-->MsiExec.exe /I{3C5A81D0-EAA2-012B-AE9F-000000000000}
TurboTax 2009-->C:\Program Files\TurboTax\Deluxe 2009\Installer\TurboTax 2009 Installer.exe /u /t /a
TurboTax 2010 WinPerFedFormset-->MsiExec.exe /I{3782EC09-4000-475E-8A59-9CABD6F03B4C}
TurboTax 2010 WinPerReleaseEngine-->MsiExec.exe /I{A525E00B-6609-442E-9DCD-64453C233E8D}
TurboTax 2010 WinPerTaxSupport-->MsiExec.exe /I{05BDC796-3451-4F81-B91D-E98F7ADA76C2}
TurboTax 2010 wrapper-->MsiExec.exe /I{4F2FCCCF-29F3-44B9-886F-6D16F8417522}
TurboTax 2010-->C:\Program Files\TurboTax\Deluxe 2010\Installer\TurboTax 2010 Installer.exe /u /t /a
TurboTax Deluxe 2007-->C:\Program Files\TurboTax\Deluxe 2007\TaxUnst.EXE "C:\Program Files\TurboTax\Deluxe 2007\Uninstall.log" -NoGui
Update for Windows Internet Explorer 7 (KB976749)-->"C:\WINDOWS\ie7updates\KB976749-IE7\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB976662)-->"C:\WINDOWS\ie8updates\KB976662-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB978506)-->"C:\WINDOWS\ie8updates\KB978506-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB980182)-->"C:\WINDOWS\ie8updates\KB980182-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB894391)-->"C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Update for Windows XP (KB896727)-->"C:\WINDOWS\$NtUninstallKB896727$\spuninst\spuninst.exe"
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB900485)-->"C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Update for Windows XP (KB904942)-->"C:\WINDOWS\$NtUninstallKB904942$\spuninst\spuninst.exe"
Update for Windows XP (KB910437)-->"C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Update for Windows XP (KB916595)-->"C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Update for Windows XP (KB920872)-->"C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Update for Windows XP (KB922582)-->"C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Update for Windows XP (KB925720)-->"C:\WINDOWS\$NtUninstallKB925720$\spuninst\spuninst.exe"
Update for Windows XP (KB925876)-->"C:\WINDOWS\$NtUninstallKB925876$\spuninst\spuninst.exe"
Update for Windows XP (KB927891)-->"C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Update for Windows XP (KB929338)-->"C:\WINDOWS\$NtUninstallKB929338$\spuninst\spuninst.exe"
Update for Windows XP (KB930916)-->"C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Update for Windows XP (KB931836)-->"C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"
Update for Windows XP (KB932823-v3)-->"C:\WINDOWS\$NtUninstallKB932823-v3$\spuninst\spuninst.exe"
Update for Windows XP (KB933360)-->"C:\WINDOWS\$NtUninstallKB933360$\spuninst\spuninst.exe"
Update for Windows XP (KB936357)-->"C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
Update for Windows XP (KB938828)-->"C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
Update for Windows XP (KB942763)-->"C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Update for Windows XP (KB942840)-->"C:\WINDOWS\$NtUninstallKB942840$\spuninst\spuninst.exe"
Update for Windows XP (KB946627)-->"C:\WINDOWS\$NtUninstallKB946627$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB955759)-->"C:\WINDOWS\$NtUninstallKB955759$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB971737)-->"C:\WINDOWS\$NtUninstallKB971737$\spuninst\spuninst.exe"
Update for Windows XP (KB973687)-->"C:\WINDOWS\$NtUninstallKB973687$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803$\spuninst\spuninst.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122-->"C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Media Player 10-->MsiExec.exe /I{33BB4982-DC52-4886-A03B-F4C5C80BEE89}
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Search 4.0-->"C:\WINDOWS\$NtUninstallKB940157$\spuninst\spuninst.exe"
Windows XP Hotfix - KB834707-->C:\WINDOWS\$NtUninstallKB834707$\spuninst\spuninst.exe
Windows XP Hotfix - KB873333-->C:\WINDOWS\$NtUninstallKB873333$\spuninst\spuninst.exe
Windows XP Hotfix - KB873339-->C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP Hotfix - KB885250-->C:\WINDOWS\$NtUninstallKB885250$\spuninst\spuninst.exe
Windows XP Hotfix - KB885835-->C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP Hotfix - KB885836-->C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB886185-->C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP Hotfix - KB887472-->C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
Windows XP Hotfix - KB887742-->C:\WINDOWS\$NtUninstallKB887742$\spuninst\spuninst.exe
Windows XP Hotfix - KB888113-->C:\WINDOWS\$NtUninstallKB888113$\spuninst\spuninst.exe
Windows XP Hotfix - KB888302-->C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP Hotfix - KB890175-->C:\WINDOWS\$NtUninstallKB890175$\spuninst\spuninst.exe
Windows XP Hotfix - KB890859-->"C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Windows XP Hotfix - KB890923-->"C:\WINDOWS\$NtUninstallKB890923$\spuninst\spuninst.exe"
Windows XP Hotfix - KB891781-->C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
Windows XP Hotfix - KB893066-->"C:\WINDOWS\$NtUninstallKB893066$\spuninst\spuninst.exe"
Windows XP Hotfix - KB893086-->"C:\WINDOWS\$NtUninstallKB893086$\spuninst\spuninst.exe"

======Security center information======

AV: McAfee Anti-Virus and Anti-Spyware (disabled)
FW: McAfee Firewall

======System event log======

Computer Name: DAD
Event Code: 10005
Message: DCOM got error "%1055" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Record Number: 308621
Source Name: DCOM
Time Written: 20111120065825.000000-420
Event Type: error
User: DAD\James Stadler

Computer Name: DAD
Event Code: 10005
Message: DCOM got error "%1055" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

Record Number: 308620
Source Name: DCOM
Time Written: 20111120065823.000000-420
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: DAD
Event Code: 10005
Message: DCOM got error "%1055" attempting to start the service McAfee SiteAdvisor Service with arguments ""
in order to run the server:
{5A90F5EE-16B8-4C2A-81B3-FD5329BA477C}

Record Number: 308619
Source Name: DCOM
Time Written: 20111120065823.000000-420
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: DAD
Event Code: 4
Message: Broadcom NetXtreme 57xx Gigabit Controller: The network link is down. Check to make sure the network cable is properly connected.

Record Number: 308617
Source Name: b57w2k
Time Written: 20111120065713.000000-420
Event Type: warning
User:

Computer Name: DAD
Event Code: 36
Message: The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Record Number: 308359
Source Name: W32Time
Time Written: 20111118214052.000000-420
Event Type: warning
User:

=====Application event log=====

Computer Name: DAD
Event Code: 19011
Message:
Record Number: 39978
Source Name: MSSQL$MICROSOFTBCM
Time Written: 20111110065946.000000-420
Event Type: warning
User:

Computer Name: DAD
Event Code: 19011
Message:
Record Number: 39865
Source Name: MSSQL$MICROSOFTBCM
Time Written: 20111109071941.000000-420
Event Type: warning
User:

Computer Name: DAD
Event Code: 19011
Message:
Record Number: 39580
Source Name: MSSQL$MICROSOFTBCM
Time Written: 20111107065511.000000-420
Event Type: warning
User:

Computer Name: DAD
Event Code: 19011
Message:
Record Number: 39133
Source Name: MSSQL$MICROSOFTBCM
Time Written: 20111104065550.000000-420
Event Type: warning
User:

Computer Name: DAD
Event Code: 19011
Message:
Record Number: 38694
Source Name: MSSQL$MICROSOFTBCM
Time Written: 20111101073824.000000-420
Event Type: warning
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Microsoft Office\OFFICE11\Business Contact Manager\IM;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\Microsoft Office\OFFICE11\Business Contact Manager\;C:\Program Files\Common Files\Sonic Shared;
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 3 Stepping 4, GenuineIntel
"PROCESSOR_REVISION"=0304
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"SAFEBOOT_OPTION"=NETWORK

-----------------EOF-----------------
Old 11-29-2011, 11:07 AM   #6
chemist
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Microsoft Most Valuable Professional
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10

Hello SilentJim.

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Please download ComboFix and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

Double-click ComboFix.exe and follow the prompts to run it.

Please allow it to download and install the Recovery Console.

As part of installing the Recovery Console, ComboFix will begin to run. Your desktop may disappear. This is normal. It will return.

ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Recovery Console is installed, this blue window will appear:



Please continue as follows:
  • Close/disable all antivirus and antispyware programs so they do not interfere with the running of ComboFix. Get help here
  • Please click Yes to continue scanning for malware.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
When the tool is finished, it will produce a log for you.

Please post that log, C:\ComboFix.txt, in your next reply.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
Old 11-29-2011, 12:17 PM   #7
SilentJim
Registered Member
Join Date: Apr 2005
Location: Arizona
Posts: 93
OS: Windows 10

Ok, I ran ComboFix from the desktop (still in safe mode). It updated itself, and installed the Windows Recovery Console. My anti-virus was already disabled. I'm pretty sure it's McAfee Total Protection, because that's the only one whose options made sense. So, I clicked "yes" to start scanning.

About 7 minutes in, I get the Blue Screen Of Death again pointing to iastor.sys. The whole code is as follows, if it means anything.

Stop: 0x000000D1 (0x00000010, 0x00000002, 0x00000000, 0xF75411A0)
iastor.sys - Address: 575411A0 Base: DF7532000 Date Stamp: 40e1b22a

I assume the c:\combofix.txt was not created.
Old 11-29-2011, 12:35 PM   #8
chemist
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Microsoft Most Valuable Professional
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10

Hello again, SilentJim.

When you run this tool, remember to choose 'Skip' not 'Cure' if it finds something. We just want a scan, not a fix.

Download TDSSKiller.exe and Save it to your Desktop.

Double-click TDSSKiller.exe and click 'Run'

Click 'Change parameters' then under 'Additional options' tick both boxes > OK.

Click 'Start scan'.

If no infection is found, click 'Close' and let me know.

If an infection is found, select 'Skip' from the dropdown menu under 'Cure' then click 'Continue' > 'Close' > 'Close'.

It will produce a log here > C:\TDSSKiller.2.6.21.0_date_time_log.txt

Please navigate to the file, double-click to open it, and copy/paste the contents in your next reply.

------------------------------------------------------
Old 11-29-2011, 01:05 PM   #9
SilentJim
Registered Member
Join Date: Apr 2005
Location: Arizona
Posts: 93
OS: Windows 10

TDSSKiller will not run, even when renamed to a .com file as they suggest. I double click, or right click and select "open", the hourglass flashes, and nothing happens. I'm still in safe mode.
Old 11-29-2011, 01:25 PM   #10
chemist
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Microsoft Most Valuable Professional
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10

Hello again, SilentJim. Please post the last MBAM log.

Open Notepad and copy/paste the entire contents of the codebox below into Notepad(don't forget to copy and paste REGEDIT4):

Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Normandy.sys]
@="Driver"

Save the file as fix.reg and choose to Save as type: - All Files then close the Notepad file.
It should look like this:

Double-click on fix.reg and choose Yes to merge/add it to the registry. Please delete the file afterwards.

------------------------------------------------------
  • Please download Rootkit Unhooker and save it to your desktop.
  • Double-click RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth Code, Files, and Code Hooks
  • Uncheck the rest, then click OK
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait till the scanner has finished then go File > Save Report
  • Save the report somewhere you can find it. Click Close then Yes
  • Copy the entire contents of the report and paste it in your next reply.
Note: If you get a message 'Rootkit Unhooker has detected parasite inside itself!
It is recommended to remove parasite, okay?', click Okay

------------------------------------------------------
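A note on the fix.reg in the post above, added here as an example and not part of chemist's or SilentJim's posts: the key it writes, SafeBoot\Minimal, is the list Windows consults in plain Safe Mode. Safe Mode with Networking consults SafeBoot\Network instead, and the environment dump earlier in this thread shows SAFEBOOT_OPTION=NETWORK, so a driver listed only under Minimal is not started in that boot mode. The helper below writes a REGEDIT4 file covering both keys for a given driver name and re-parses it so the entries can be checked before merging. The function names are my own; the only driver name used is the Normandy.sys from the post, and nothing here claims what that driver belongs to.

```python
"""Write and check a REGEDIT4 file that allows a driver to start in Safe Mode.

Added example (not from the thread).  Windows starts only the drivers and
services listed under HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal
in plain Safe Mode, and under ...\\SafeBoot\\Network in Safe Mode with
Networking; the fix.reg in the post covers Minimal only.  Function names are
this example's own.
"""

SAFEBOOT_BASE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
VALID_MODES = ("Minimal", "Network")


def safeboot_reg(drivers, modes=VALID_MODES):
    """Return REGEDIT4 text adding each driver under each SafeBoot mode.

    Each entry is a key named after the driver file whose default value is
    the string "Driver", the same shape as the fix.reg posted above.
    """
    lines = ["REGEDIT4", ""]
    for mode in modes:
        if mode not in VALID_MODES:
            raise ValueError(f"unknown SafeBoot mode: {mode}")
        for drv in drivers:
            # SafeBoot entries are bare file names, never paths.
            if "\\" in drv or "/" in drv or not drv.lower().endswith(".sys"):
                raise ValueError(f"expected a bare .sys file name: {drv}")
            lines.append(f"[{SAFEBOOT_BASE}\\{mode}\\{drv}]")
            lines.append('@="Driver"')
            lines.append("")
    # regedit expects CRLF line endings in .reg files.
    return "\r\n".join(lines)


def parse_reg(text):
    """Return {key: {value_name: data}} for the string-only .reg subset used
    here ('@' is the key's default value).  Enough to re-check a file before
    double-clicking it."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";") or line.startswith("REGEDIT")
                or line.startswith("Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, _, data = line.partition("=")
        keys[current][name.strip('"')] = data.strip('"')
    return keys


def allows_in_mode(text, driver, mode):
    """True if the .reg text registers `driver` under SafeBoot\\<mode>."""
    key = f"{SAFEBOOT_BASE}\\{mode}\\{driver}"
    return parse_reg(text).get(key, {}).get("@") == "Driver"


if __name__ == "__main__":
    print(safeboot_reg(["Normandy.sys"]))
```

Save the output as plain ANSI text (REGEDIT4 is the ANSI format; the "Windows Registry Editor Version 5.00" header is the Unicode one), merge it the same way as fix.reg, and delete it afterwards. Listing a driver under SafeBoot only permits it to start in that mode; it does not load anything by itself.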
Old 11-29-2011, 02:12 PM   #11
SilentJim
Registered Member
Join Date: Apr 2005
Location: Arizona
Posts: 93
OS: Windows 10

First, the last MBAM log:


Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8261

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

11/28/2011 5:46:03 PM
mbam-log-2011-11-28 (17-46-03).txt

Scan type: Full scan (C:\|)
Objects scanned: 273408
Time elapsed: 2 hour(s), 23 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\wa015bwqzr1ofb.exe (Rogue.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP583\A0065958.exe (Rogue.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP583\A0065959.DLL (Backdoor.Bredavi) -> Quarantined and deleted successfully.
SilentJim is offline  
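The Malwarebytes log above and the Rootkit Unhooker hook listing in the next post are long enough that it helps to parse them rather than read them by eye. What follows is an added example written for this page, not code from the poster, Malwarebytes or RkU. It parses both formats, checks that the MBAM summary counts match the detail lines actually pasted (the embedded excerpt keeps only one of the six registry lines on purpose, so that check fires), labels each MBAM detection with this example's own heuristics (a PUM entry is a flipped registry value rather than a file; a path under System Volume Information is a restore-point copy), and groups the RkU hooks by process and by the module that owns the jump target, so hooks into "unknown_code_page" stand apart from hooks resolved to a named driver such as mfehidk.sys. The sample lines are copied from the two logs; the labels are heuristics, not a verdict.

```python
"""Triage for the two logs in this thread: Malwarebytes (MBAM) detection lines
and Rootkit Unhooker (RkU) hook lines. Added example, not the poster's, MBAM's
or RkU's code; labels are this example's own heuristics, not verdicts."""
import re
from collections import defaultdict

# MBAM section header: "Files Infected: 3" (summary block) or "Files Infected:" (detail block)
MBAM_HEADER = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): ?(?P<count>\d+)?$")
# MBAM detection: "<item> (<threat>) -> [Bad: (x) Good: (y) -> ]<action>."
MBAM_ENTRY = re.compile(
    r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> )?(?P<action>.+?)\.?$")
# RkU hook: "[pid]proc-->module-->func, Type: Inline - RelativeJump 0xSRC-->DST [owner]"
RKU_HOOK = re.compile(
    r"^(?:\[(?P<pid>\d+)\])?(?P<chain>.+?), Type: (?P<kind>.+?) "
    r"0x(?P<src>[0-9A-Fa-f]+)-->(?P<dst>[0-9A-Fa-f]+) \[(?P<owner>[^\]]+)\]$")

def parse_mbam(text):
    """Return ({section: declared count}, {section: [detection dicts]})."""
    declared, entries, section = {}, defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if m := MBAM_HEADER.match(line):
            section = m.group("section")
            if m.group("count") is not None:
                declared[section] = int(m.group("count"))
        elif (m := MBAM_ENTRY.match(line)) and section:
            entries[section].append(m.groupdict())
    return declared, dict(entries)

def mbam_count_mismatches(declared, entries):
    """Sections whose summary count != detail lines present (a truncated paste)."""
    return {s: (n, len(entries.get(s, []))) for s, n in declared.items()
            if n != len(entries.get(s, []))}

def classify_mbam(entry):
    """Heuristic label for one detection (this example's own rules)."""
    item, threat = entry["item"].lower(), entry["threat"]
    if "\\system volume information\\_restore{" in item:
        return "restore-point copy: inactive, but comes back if that point is restored"
    if threat.startswith("PUM."):
        return "policy/setting change: a registry value flipped, not a file"
    if threat.startswith("Rogue."):
        return "rogue security software component"
    return "other"

def parse_rku_hooks(text):
    """One dict per hook; owner is 'unknown_code_page' if no module holds the target."""
    hooks = []
    for line in text.splitlines():
        if not (m := RKU_HOOK.match(line.strip())):
            continue
        parts = m.group("chain").split("-->")   # kernel lines carry no [pid]
        process, module, func = ((parts[0], parts[1], parts[2]) if m.group("pid")
                                 else ("kernel", parts[0], parts[-1]))
        hooks.append({"pid": m.group("pid"), "process": process, "module": module,
                      "function": func, "dst": m.group("dst"), "owner": m.group("owner")})
    return hooks

def summarize_hooks(hooks):
    """{(process, owner): sorted 'module!function' list}: who redirected what."""
    out = defaultdict(set)
    for h in hooks:
        out[(h["process"], h["owner"])].add(f'{h["module"]}!{h["function"]}')
    return {k: sorted(v) for k, v in out.items()}

def apis_hooked_in_every_process(hooks):
    """Unattributed targets shared by all hooked user-mode processes (one template)."""
    per_proc = defaultdict(set)
    for h in hooks:
        if h["owner"] == "unknown_code_page" and h["process"] != "kernel":
            per_proc[h["process"]].add(f'{h["module"]}!{h["function"]}')
    return set.intersection(*per_proc.values()) if per_proc else set()

# Sample input copied from the logs in this thread, as an excerpt: only one of
# the six registry lines is kept, so the count check flags that section.
MBAM_SAMPLE = r"""
Registry Data Items Infected: 6
Files Infected: 3
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
Files Infected:
c:\documents and settings\all users\application data\wa015bwqzr1ofb.exe (Rogue.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP583\A0065958.exe (Rogue.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP583\A0065959.DLL (Backdoor.Bredavi) -> Quarantined and deleted successfully.
"""
RKU_SAMPLE = r"""
ntoskrnl.exe-->NtOpenProcess, Type: Inline - RelativeJump 0x8057964C-->F74791D8 [mfehidk.sys]
[1104]explorer.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C802367-->02B300A4 [unknown_code_page]
[1104]explorer.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D95D690-->02AF0000 [unknown_code_page]
[1104]explorer.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB3B91-->02B0000A [unknown_code_page]
[1448]services.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C802367-->00070F0E [unknown_code_page]
[1448]services.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB3B91-->00040FE5 [unknown_code_page]
"""
if __name__ == "__main__":
    declared, entries = parse_mbam(MBAM_SAMPLE)
    print("count mismatches:", mbam_count_mismatches(declared, entries))
    for e in sum(entries.values(), []):
        print(f"{e['threat']:<22} {classify_mbam(e)}")
    hooks = parse_rku_hooks(RKU_SAMPLE)
    print(summarize_hooks(hooks), sorted(apis_hooked_in_every_process(hooks)))
```

Run as a script it prints the mismatch, one label per detection, and the hook summary. The shared-API check returns the unattributed hooks common to every hooked user-mode process; on the full listing in the next post that is the same set of advapi32, kernel32, ntdll, wininet and ws2_32 entry points in explorer.exe, services.exe and LSASS.EXE, which is the pattern worth pointing out to whoever reads the log, whereas the kernel hooks in that listing resolve to mfehidk.sys and are attributable to the installed McAfee product.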
Old 11-29-2011, 02:57 PM   #12
Registered Member
Join Date: Apr 2005
Location: Arizona
Posts: 93
OS: Windows 10

Fix.reg: Done.

Here are the results of the Rootkit Unhooker scan. I was forced to reboot into normal mode. It does not work in safe mode. At a point just after selecting to scan the C:\ drive, an error popped up saying "Error Starting Helper Service". I did nothing other than run the scan and produce the report. No fixes.

Since the System Fix virus started up again in normal mode, I rebooted into safe mode.



RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 2)
Number of processors #2
==============================================
>Drivers
==============================================
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2252800 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2252800 bytes
0x804D7000 RAW 2252800 bytes
0x804D7000 WMIxWDM 2252800 bytes
0xBF084000 C:\WINDOWS\System32\ati3duag.dll 2240512 bytes (ATI Technologies Inc. , ati3duag.dll)
0xBF800000 Win32k 1851392 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1851392 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF5C0D000 C:\WINDOWS\system32\DRIVERS\HSF_DP.sys 1044480 bytes (Conexant Systems, Inc., HSF_DP driver)
0xF5DC8000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 897024 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xF5A4F000 C:\WINDOWS\system32\drivers\senfilt.sys 733184 bytes (Creative Technology Ltd., Creative WDM Audio Driver)
0xF5B66000 C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 684032 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xF73A2000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xBF2A7000 C:\WINDOWS\System32\ativvaxx.dll 479232 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)
0xAF33D000 C:\WINDOWS\System32\Drivers\dump_iaStor.sys 479232 bytes
0xF7532000 iaStor.sys 479232 bytes (Intel Corporation, Intel Application Accelerator driver)
0xB795D000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 454656 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF7446000 mfehidk.sys 380928 bytes (McAfee, Inc., McAfee Link Driver)
0xF540B000 C:\WINDOWS\system32\DRIVERS\update.sys 364544 bytes (Microsoft Corporation, Update Driver)
0xB7A75000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 360448 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xAD0A5000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xF5990000 C:\WINDOWS\system32\drivers\mfefirek.sys 307200 bytes (McAfee, Inc., McAfee Core Firewall Engine Driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xAC116000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF5B26000 C:\WINDOWS\system32\drivers\smwdm.sys 262144 bytes (Analog Devices, Inc., SoundMAX Integrated Digital Audio )
0xB7921000 C:\WINDOWS\system32\DRIVERS\rt73.sys 245760 bytes (Ralink Technology, Corp., Ralink 802.11 USB Wireless Adapter Driver)
0xBF04A000 C:\WINDOWS\System32\ati2cqag.dll 237568 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 229376 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xF5D2F000 C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys 212992 bytes (Conexant Systems, Inc., HSF_HWB2 WDM driver)
0xF5464000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 200704 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF7615000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xF5D86000 C:\WINDOWS\system32\DRIVERS\b57xp32.sys 188416 bytes (Broadcom Corporation, Broadcom NetXtreme Gigabit Ethernet NDIS5.1 Driver.)
0xF7375000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xF74D5000 dac2w2k.sys 180224 bytes (Mylex Corporation, Mylex Disk Array Controller Driver)
0xADB40000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 180224 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xABAEC000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xB79CC000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB7A19000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF75BF000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xF59DB000 C:\WINDOWS\system32\drivers\mfeavfk.sys 147456 bytes (McAfee, Inc., Anti-Virus File System Filter Driver)
0xF5B02000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xABAC9000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 143360 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xF5D0C000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xF5D63000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 143360 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB79F7000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xB7A41000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 135168 bytes (Microsoft Corporation, IP Network Address Translator)
0x806FD000 ACPI_HAL 134400 bytes
0x806FD000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF74B5000 fltMgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF75E5000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF735A000 Mup.sys 110592 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF7501000 adpu160m.sys 102400 bytes (Microsoft Corporation, Adaptec Ultra160 SCSI miniport)
0xF751A000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xF75A7000 C:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xF742F000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF5A10000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xADB03000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF5A27000 C:\WINDOWS\system32\DRIVERS\mfendisk.sys 81920 bytes (McAfee, Inc., McAfee NDIS Intermediate Driver)
0xF5A3B000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF5DB4000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xB7ACD000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xB7A62000 C:\WINDOWS\system32\drivers\mfetdi2k.sys 77824 bytes (McAfee, Inc., Anti-Virus Mini-Firewall Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF74A3000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF7604000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF59FF000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xAF87B000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF7302000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF64C4000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF72D2000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xAF5BE000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xEB77C000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF76D4000 aic78u2.sys 57344 bytes (Microsoft Corporation, Adaptec Ultra2 SCSI miniport)
0xF76A4000 aic78xx.sys 57344 bytes (Microsoft Corporation, Adaptec Ultra SCSI miniport)
0xF72E2000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 53248 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF7734000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF78D4000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF72C2000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF7694000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xAC657000 C:\WINDOWS\system32\drivers\cfwids.sys 49152 bytes (McAfee, Inc., McAfee Personal Firewall IDS Plugin)
0xB875C000 C:\WINDOWS\system32\drivers\mfebopk.sys 49152 bytes (McAfee, Inc., Buffer Overflow Protection Driver)
0xF7714000 ql12160.sys 49152 bytes (QLogic Corporation, Miniport Driver for QLogic ISP PCI Adapters)
0xF7704000 ql1280.sys 49152 bytes (QLogic Corporation, Miniport Driver for QLogic ISP PCI Adapters)
0xF72A2000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF7764000 agp440.sys 45056 bytes (Microsoft Corporation, 440 NT AGP Filter)
0xF7794000 agpCPQ.sys 45056 bytes (Microsoft Corporation, CompatNT AGP Filter)
0xF7774000 alim1541.sys 45056 bytes (Microsoft Corporation, ALi M1541 NT AGP Filter)
0xF7784000 amdagp.sys 45056 bytes (Advanced Micro Devices, Inc., AMD Win2000 AGP Filter)
0xF72F2000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF7684000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF72B2000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF7744000 sisagp.sys 45056 bytes (Silicon Integrated Systems Corporation, SiS NT AGP Filter)
0xF7754000 viaagp.sys 45056 bytes (Microsoft Corporation, VIA NT AGP Filter)
0xF7874000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF76F4000 ql1080.sys 40960 bytes (QLogic Corporation, Miniport Driver for QLogic ISP PCI Adapters)
0xF76C4000 ql1240.sys 40960 bytes (Microsoft Corporation, QLogic ISP PCI Adapters)
0xECFC4000 C:\WINDOWS\system32\DRIVERS\secdrv.sys 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0xF7834000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF7844000 C:\WINDOWS\system32\drivers\WmXlCore.sys 40960 bytes (Logitech Inc., Logitech WingMan Translation Driver)
0xF7664000 BlackBox.sys 36864 bytes (RKU Driver)
0xF7724000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xB878C000 C:\WINDOWS\System32\Drivers\Fips.SYS 36864 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF64D4000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF7674000 isapnp.sys 36864 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF7292000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xB879C000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xF76B4000 ql10wnt.sys 36864 bytes (Microsoft Corporation, Miniport Driver for QLogic ISP PCI Adapters)
0xF76E4000 ultra.sys 36864 bytes (Promise Technology, Inc., Promise Ultra66 Miniport Driver)
0xB87AC000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF7994000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xB91D6000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF7914000 symc8xx.sys 32768 bytes (LSI Logic, Symbios 8XX SCSI Miniport Driver)
0xF7924000 sym_u3.sys 32768 bytes (LSI Logic, Symbios Ultra3 SCSI Miniport Driver)
0xF78FC000 asc.sys 28672 bytes (Advanced System Products, Inc., AdvanSys SCSI Controller Driver)
0xB91EE000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF794C000 hpn.sys 28672 bytes (Microsoft Corporation, NetRAID-4M Miniport Driver)
0xF78E4000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF7944000 perc2.sys 28672 bytes (Microsoft Corporation, PERC 2 Miniport Driver)
0xF791C000 sym_hi.sys 28672 bytes (LSI Logic, Symbios Hi-Perf SCSI Miniport Driver)
0xF798C000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 28672 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xB91C6000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xF792C000 ABP480N5.SYS 24576 bytes (Microsoft Corporation, AdvanSys SCSI Controller Driver)
0xF7934000 asc3350p.sys 24576 bytes (Microsoft Corporation, AdvanSys SCSI Card Driver)
0xF799C000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF79A4000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xB91E6000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xAF9E3000 C:\WINDOWS\system32\DRIVERS\AegisP.sys 20480 bytes (Meetinghouse Data Communications, IEEE 802.1X Protocol Driver)
0xF793C000 dpti2o.sys 20480 bytes (Microsoft Corporation, DPT SmartRAID miniport)
0xF790C000 i2omp.sys 20480 bytes (Microsoft Corporation, I2O Miniport Driver)
0xF7904000 mraid35x.sys 20480 bytes (American Megatrends Inc., MegaRAID RAID Controller Driver for Windows Whistler 32)
0xB91DE000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF5F0B000 C:\WINDOWS\system32\DRIVERS\omci.sys 20480 bytes (Dell Computer Corporation, OMCI Device Driver)
0xF78EC000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF795C000 ppa.sys 20480 bytes (Microsoft Corporation, PPA Protocol Driver)
0xF79F4000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF7954000 PxHelp20.sys 20480 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xF5F13000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xF78F4000 sparrow.sys 20480 bytes (Adaptec, Inc., Adaptec AIC-6x60 series SCSI miniport)
0xF79AC000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF7984000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 20480 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xAF9FB000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF7A7C000 aha154x.sys 16384 bytes (Microsoft Corporation, Adaptec AHA-154x series SCSI miniport)
0xF7A8C000 asc3550.sys 16384 bytes (Advanced System Products, Inc., AdvanSys Ultra-Wide PCI SCSI Driver)
0xF7A94000 cbidf2k.sys 16384 bytes (Microsoft Corporation, CardBus/PCMCIA IDE Miniport Driver)
0xF7A78000 cpqarray.sys 16384 bytes (Microsoft Corporation, Compaq Drive Array Controllers SCSI Miniport Driver)
0xF7A84000 dac960nt.sys 16384 bytes (Microsoft Corporation, Mylex Disk Array Controller Driver)
0xAC16F000 C:\WINDOWS\system32\GTNDIS5.SYS 16384 bytes (Printing Communications Assoc., Inc. (PCAUSA), PCAUSA NDIS 5.0 Protocol Driver)
0xF7A90000 ini910u.sys 16384 bytes (Microsoft Corporation, INITIO ini910u SCSI miniport)
0xED3CF000 C:\WINDOWS\system32\drivers\MODEMCSA.sys 16384 bytes (Microsoft Corporation, Unimodem CSA Filter)
0xF5EC3000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB56F4000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF7B4C000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF7A80000 symc810.sys 16384 bytes (Symbios Logic Inc., Symbios Logic Inc. SCSI Miniport Driver)
0xF7A88000 amsint.sys 12288 bytes (Microsoft Corporation, AMD SCSI/NET Controller)
0xF7A74000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xB807E000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xACF01000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 12288 bytes (Conexant, Diagnostic Interface DRIVER)
0xF7B54000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xBA3E2000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF5EBF000 C:\WINDOWS\system32\drivers\WmBEnum.sys 12288 bytes (Logitech Inc., Logitech WingMan Virtual Bus Enumerator Driver )
0xF7B64000 00000035 8192 bytes
0xF7B68000 aliide.sys 8192 bytes (Acer Laboratories Inc., ALi mini IDE Driver)
0xB1652000 C:\WINDOWS\System32\Drivers\ASCTRM.SYS 8192 bytes (Windows (R) 2000 DDK provider, TR Manager)
0xF7BE0000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7B74000 cd20xrnt.sys 8192 bytes (Microsoft Corporation, IBM Portable CD-ROM Drive Miniport)
0xF7B6A000 cmdide.sys 8192 bytes (CMD Technology, Inc., CMD PCI IDE Bus Driver)
0xF7B72000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF7B82000 C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys 8192 bytes (Gteko Ltd., Process Trigger Driver)
0xF7B86000 C:\WINDOWS\system32\DRIVERS\dsunidrv.sys 8192 bytes (Gteko Ltd., GUniDriver)
0xF7BDE000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7BDC000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 8192 bytes (Microsoft Corporation, I2O Utility Filter)
0xF7B70000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xF7B64000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7BE2000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7B76000 perc2hib.sys 8192 bytes (Microsoft Corporation, PERC 2 Hibernate Driver)
0xF7BE4000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7C04000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF7B6C000 toside.sys 8192 bytes (Microsoft Corporation, Toshiba PCI IDE Controller)
0xF7BA2000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7B6E000 viaide.sys 8192 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xF7B66000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7D95000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7D27000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xB80EF000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7C2C000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
!!!!!!!!!!!Hidden driver: 0x86F07053 00000182 4013 bytes
==============================================
>Stealth
==============================================
0xAC464AF2 Unknown page with executable code, 1294 bytes
0x86F08995 Unknown page with executable code, 1643 bytes
0xAC45590A Unknown page with executable code, 1782 bytes
0xBA3E88AA Unknown page with executable code, 1878 bytes
0x86F0985D Unknown page with executable code, 1955 bytes
0xBA3E87D3 Unknown page with executable code, 2093 bytes
0x86F08769 Unknown page with executable code, 2199 bytes
0x86F096BA Unknown page with executable code, 2374 bytes
0xAC455498 Unknown page with executable code, 2920 bytes
0x86F0B44C Unknown page with executable code, 2996 bytes
0x86F092E4 Unknown page with executable code, 3356 bytes
0x86F062A1 Unknown page with executable code, 3423 bytes
0x86F0621A Unknown page with executable code, 3558 bytes
0x86F07211 Unknown page with executable code, 3567 bytes
0xAC4651E4 Unknown page with executable code, 3612 bytes
0x86F07053 Unknown page with executable code, 4013 bytes
0xAC462DD5 Unknown page with executable code, 555 bytes
0x86F092CB Unknown thread object [ ETHREAD 0x86F38DA8 ] TID: 180, 600 bytes
0x86F099E3 Unknown thread object [ ETHREAD 0x86F388B8 ] TID: 188, 600 bytes
0x86F0A8C3 Unknown thread object [ ETHREAD 0x86F38640 ] TID: 192, 600 bytes
0xAC466CA4 Unknown page with executable code, 860 bytes
==============================================
>Files
==============================================
==============================================
>Hooks
==============================================
ntoskrnl.exe+0x00005B22, Type: Inline - RelativeJump 0x804DCB22-->804DCB29 [ntoskrnl.exe]
ntoskrnl.exe-->KeFindConfigurationEntry, Type: Inline - RelativeJump 0x806B2F5F-->806B2F39 [ntoskrnl.exe]
ntoskrnl.exe-->NtMapViewOfSection, Type: Inline - RelativeJump 0x8057C120-->F7479216 [mfehidk.sys]
ntoskrnl.exe-->NtOpenProcess, Type: Inline - RelativeJump 0x8057964C-->F74791D8 [mfehidk.sys]
ntoskrnl.exe-->NtOpenThread, Type: Inline - RelativeJump 0x805B13C6-->F74791EC [mfehidk.sys]
ntoskrnl.exe-->NtTerminateProcess, Type: Inline - RelativeJump 0x8058C3F5-->F7479240 [mfehidk.sys]
ntoskrnl.exe-->NtUnmapViewOfSection, Type: Inline - RelativeJump 0x8057BCA8-->F747922C [mfehidk.sys]
ntoskrnl.exe-->NtYieldExecution, Type: Inline - RelativeJump 0x80509034-->F7479200 [mfehidk.sys]
[1104]explorer.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DE4706-->02B20FB6 [unknown_code_page]
[1104]explorer.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE834-->02B20047 [unknown_code_page]
[1104]explorer.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD774C-->02B20F8A [unknown_code_page]
[1104]explorer.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DE45EE-->02B20FA5 [unknown_code_page]
[1104]explorer.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEE08-->02B20000 [unknown_code_page]
[1104]explorer.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7832-->02B20FE5 [unknown_code_page]
[1104]explorer.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6A8F-->02B2002C [unknown_code_page]
[1104]explorer.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7926-->02B2001B [unknown_code_page]
[1104]explorer.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A24-->02B30000 [unknown_code_page]
[1104]explorer.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810770-->02B30FE5 [unknown_code_page]
[1104]explorer.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C85FE94-->02B30025 [unknown_code_page]
[1104]explorer.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0EF-->02B30036 [unknown_code_page]
[1104]explorer.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81E0D7-->02B30F5C [unknown_code_page]
[1104]explorer.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C802367-->02B300A4 [unknown_code_page]
[1104]explorer.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802332-->02B300B5 [unknown_code_page]
[1104]explorer.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80ADB0-->02B300D0 [unknown_code_page]
[1104]explorer.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EEE-->02B30F41 [unknown_code_page]
[1104]explorer.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E50-->02B30F30 [unknown_code_page]
[1104]explorer.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D77-->02B30FCA [unknown_code_page]
[1104]explorer.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D4F-->02B30F94 [unknown_code_page]
[1104]explorer.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF1-->02B30F77 [unknown_code_page]
[1104]explorer.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AE5B-->02B30FB9 [unknown_code_page]
[1104]explorer.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD0-->02B30051 [unknown_code_page]
[1104]explorer.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A5D-->02B3006C [unknown_code_page]
[1104]explorer.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86158D-->02B30093 [unknown_code_page]
[1104]explorer.exe-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x7C90D0AE-->02B40FEF [unknown_code_page]
[1104]explorer.exe-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x7C90D14E-->02B40FC3 [unknown_code_page]
[1104]explorer.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->02B40FDE [unknown_code_page]
[1104]explorer.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D95D690-->02AF0000 [unknown_code_page]
[1104]explorer.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D95F3A4-->02AF0FD1 [unknown_code_page]
[1104]explorer.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x3D9A6DDF-->02AF0FC0 [unknown_code_page]
[1104]explorer.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x3D95DB09-->02AF0011 [unknown_code_page]
[1104]explorer.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB3B91-->02B0000A [unknown_code_page]
[1448]services.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DE4706-->00060040 [unknown_code_page]
[1448]services.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE834-->00060076 [unknown_code_page]
[1448]services.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD774C-->00060FB9 [unknown_code_page]
[1448]services.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DE45EE-->0006005B [unknown_code_page]
[1448]services.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEE08-->00060000 [unknown_code_page]
[1448]services.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7832-->00060FE5 [unknown_code_page]
[1448]services.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6A8F-->00060FD4 [unknown_code_page]
[1448]services.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7926-->0006001B [unknown_code_page]
[1448]services.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A24-->00070000 [unknown_code_page]
[1448]services.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810770-->00070FE5 [unknown_code_page]
[1448]services.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C85FE94-->00070FD4 [unknown_code_page]
[1448]services.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0EF-->00070FB9 [unknown_code_page]
[1448]services.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81E0D7-->00070F46 [unknown_code_page]
[1448]services.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C802367-->00070F0E [unknown_code_page]
[1448]services.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802332-->00070EFD [unknown_code_page]
[1448]services.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80ADB0-->000700B1 [unknown_code_page]
[1448]services.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EEE-->00070071 [unknown_code_page]
[1448]services.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E50-->00070082 [unknown_code_page]
[1448]services.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D77-->00070025 [unknown_code_page]
[1448]services.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D4F-->00070F8D [unknown_code_page]
[1448]services.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF1-->0007004C [unknown_code_page]
[1448]services.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AE5B-->00070F9E [unknown_code_page]
[1448]services.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD0-->00070F72 [unknown_code_page]
[1448]services.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A5D-->00070F57 [unknown_code_page]
[1448]services.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86158D-->00070F1F [unknown_code_page]
[1448]services.exe-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x7C90D0AE-->00EE0FEF [unknown_code_page]
[1448]services.exe-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x7C90D14E-->00EE0FC0 [unknown_code_page]
[1448]services.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00EE0000 [unknown_code_page]
[1448]services.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB3B91-->00040FE5 [unknown_code_page]
[1460]LSASS.EXE-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DE4706-->00E00FE5 [unknown_code_page]
[1460]LSASS.EXE-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE834-->00E0007D [unknown_code_page]
[1460]LSASS.EXE-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD774C-->00E00FC0 [unknown_code_page]
[1460]LSASS.EXE-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DE45EE-->00E0006C [unknown_code_page]
[1460]LSASS.EXE-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEE08-->00E00000 [unknown_code_page]
[1460]LSASS.EXE-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7832-->00E00036 [unknown_code_page]
[1460]LSASS.EXE-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6A8F-->00E00051 [unknown_code_page]
[1460]LSASS.EXE-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7926-->00E0001B [unknown_code_page]
[1460]LSASS.EXE-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A24-->00E10000 [unknown_code_page]
[1460]LSASS.EXE-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810770-->00E10FDB [unknown_code_page]
[1460]LSASS.EXE-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C85FE94-->00E10FCA [unknown_code_page]
[1460]LSASS.EXE-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0EF-->00E10FB9 [unknown_code_page]
[1460]LSASS.EXE-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81E0D7-->00E10080 [unknown_code_page]
[1460]LSASS.EXE-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C802367-->00E10F29 [unknown_code_page]
[1460]LSASS.EXE-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802332-->00E10F18 [unknown_code_page]
[1460]LSASS.EXE-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80ADB0-->00E10EFD [unknown_code_page]
[1460]LSASS.EXE-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EEE-->00E10F55 [unknown_code_page]
[1460]LSASS.EXE-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E50-->00E1009D [unknown_code_page]
[1460]LSASS.EXE-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D77-->00E10F9E [unknown_code_page]
[1460]LSASS.EXE-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D4F-->00E10F83 [unknown_code_page]
[1460]LSASS.EXE-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF1-->00E10040 [unknown_code_page]
[1460]LSASS.EXE-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AE5B-->00E10025 [unknown_code_page]
[1460]LSASS.EXE-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD0-->00E1005B [unknown_code_page]
[1460]LSASS.EXE-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A5D-->00E10F66 [unknown_code_page]
[1460]LSASS.EXE-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86158D-->00E10F3A [unknown_code_page]
[1460]LSASS.EXE-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x7C90D0AE-->00E30FEF [unknown_code_page]
[1460]LSASS.EXE-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x7C90D14E-->00E30FD4 [unknown_code_page]
[1460]LSASS.EXE-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00E30014 [unknown_code_page]
[1460]LSASS.EXE-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB3B91-->00DE0000 [unknown_code_page]
[1628]SVCHOST.EXE-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DE4706-->00650FA8 [unknown_code_page]
[1628]SVCHOST.EXE-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE834-->0065002F [unknown_code_page]
[1628]SVCHOST.EXE-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD774C-->0065004A [unknown_code_page]
[1628]SVCHOST.EXE-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DE45EE-->00650F8D [unknown_code_page]
[1628]SVCHOST.EXE-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEE08-->00650FEF [unknown_code_page]
[1628]SVCHOST.EXE-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7832-->00650FD4 [unknown_code_page]
[1628]SVCHOST.EXE-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6A8F-->00650FB9 [unknown_code_page]
[1628]SVCHOST.EXE-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7926-->00650000 [unknown_code_page]
[1628]SVCHOST.EXE-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A24-->006E0000 [unknown_code_page]
[1628]SVCHOST.EXE-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810770-->006E0011 [unknown_code_page]
[1628]SVCHOST.EXE-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C85FE94-->006E002C [unknown_code_page]
[1628]SVCHOST.EXE-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0EF-->006E0047 [unknown_code_page]
[1628]SVCHOST.EXE-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81E0D7-->006E0FA5 [unknown_code_page]
[1628]SVCHOST.EXE-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C802367-->006E0F77 [unknown_code_page]
[1628]SVCHOST.EXE-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802332-->006E0F5C [unknown_code_page]
[1628]SVCHOST.EXE-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80ADB0-->006E0110 [unknown_code_page]
[1628]SVCHOST.EXE-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EEE-->006E00D0 [unknown_code_page]
[1628]SVCHOST.EXE-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E50-->006E00E1 [unknown_code_page]
[1628]SVCHOST.EXE-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D77-->006E0FDB [unknown_code_page]
[1628]SVCHOST.EXE-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D4F-->006E0FCA [unknown_code_page]
[1628]SVCHOST.EXE-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF1-->006E0089 [unknown_code_page]
[1628]SVCHOST.EXE-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AE5B-->006E006C [unknown_code_page]
[1628]SVCHOST.EXE-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD0-->006E009A [unknown_code_page]
[1628]SVCHOST.EXE-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A5D-->006E00B5 [unknown_code_page]
[1628]SVCHOST.EXE-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86158D-->006E0F88 [unknown_code_page]
[1628]SVCHOST.EXE-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x7C90D0AE-->006F0FEF [unknown_code_page]
[1628]SVCHOST.EXE-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x7C90D14E-->006F0FCA [unknown_code_page]
[1628]SVCHOST.EXE-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->006F0000 [unknown_code_page]
[1628]SVCHOST.EXE-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB3B91-->00630000 [unknown_code_page]
[1700]SVCHOST.EXE-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DE4706-->00930FAF [unknown_code_page]
[1700]SVCHOST.EXE-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE834-->00930047 [unknown_code_page]
[1700]SVCHOST.EXE-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD774C-->00930058 [unknown_code_page]
[1700]SVCHOST.EXE-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DE45EE-->00930036 [unknown_code_page]
[1700]SVCHOST.EXE-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEE08-->00930FE5 [unknown_code_page]
[1700]SVCHOST.EXE-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7832-->00930000 [unknown_code_page]
[1700]SVCHOST.EXE-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6A8F-->0093001B [unknown_code_page]
[1700]SVCHOST.EXE-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7926-->00930FCA [unknown_code_page]
[1700]SVCHOST.EXE-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A24-->00940000 [unknown_code_page]
[1700]SVCHOST.EXE-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810770-->0094001B [unknown_code_page]
[1700]SVCHOST.EXE-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C85FE94-->00940FE5 [unknown_code_page]
[1700]SVCHOST.EXE-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0EF-->00940FD4 [unknown_code_page]
[1700]SVCHOST.EXE-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81E0D7-->00940F61 [unknown_code_page]
[1700]SVCHOST.EXE-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C802367-->009400A7 [unknown_code_page]
[1700]SVCHOST.EXE-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802332-->009400B8 [unknown_code_page]
[1700]SVCHOST.EXE-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80ADB0-->009400D3 [unknown_code_page]
[1700]SVCHOST.EXE-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EEE-->0094008C [unknown_code_page]
[1700]SVCHOST.EXE-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E50-->00940F3A [unknown_code_page]
[1700]SVCHOST.EXE-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D77-->00940036 [unknown_code_page]
[1700]SVCHOST.EXE-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D4F-->00940FB9 [unknown_code_page]
[1700]SVCHOST.EXE-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF1-->00940FA8 [unknown_code_page]
[1700]SVCHOST.EXE-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AE5B-->00940051 [unknown_code_page]
[1700]SVCHOST.EXE-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD0-->00940F97 [unknown_code_page]
[1700]SVCHOST.EXE-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A5D-->00940F72 [unknown_code_page]
[1700]SVCHOST.EXE-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86158D-->00940F29 [unknown_code_page]
[1700]SVCHOST.EXE-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x7C90D0AE-->009A0000 [unknown_code_page]
[1700]SVCHOST.EXE-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x7C90D14E-->009A0022 [unknown_code_page]
[1700]SVCHOST.EXE-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->009A0011 [unknown_code_page]
[1700]SVCHOST.EXE-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB3B91-->0091000A [unknown_code_page]
[1740]SVCHOST.EXE-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DE4706-->02280054 [unknown_code_page]
[1740]SVCHOST.EXE-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE834-->02280FC3 [unknown_code_page]
[1740]SVCHOST.EXE-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD774C-->02280FB2 [unknown_code_page]
[1740]SVCHOST.EXE-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DE45EE-->02280065 [unknown_code_page]
[1740]SVCHOST.EXE-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEE08-->02280FEF [unknown_code_page]
[1740]SVCHOST.EXE-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7832-->02280025 [unknown_code_page]
[1740]SVCHOST.EXE-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6A8F-->02280FDE [unknown_code_page]
[1740]SVCHOST.EXE-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7926-->02280014 [unknown_code_page]
[1740]SVCHOST.EXE-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A24-->023A0FEF [unknown_code_page]
[1740]SVCHOST.EXE-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810770-->023A000A [unknown_code_page]
[1740]SVCHOST.EXE-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C85FE94-->023A0FCA [unknown_code_page]
[1740]SVCHOST.EXE-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0EF-->023A0FB9 [unknown_code_page]
[1740]SVCHOST.EXE-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81E0D7-->023A0F52 [unknown_code_page]
[1740]SVCHOST.EXE-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C802367-->023A0F04 [unknown_code_page]
[1740]SVCHOST.EXE-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802332-->023A009D [unknown_code_page]
[1740]SVCHOST.EXE-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80ADB0-->023A0EE9 [unknown_code_page]
[1740]SVCHOST.EXE-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EEE-->023A0F41 [unknown_code_page]
[1740]SVCHOST.EXE-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E50-->023A0F30 [unknown_code_page]
[1740]SVCHOST.EXE-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D77-->023A001B [unknown_code_page]
[1740]SVCHOST.EXE-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D4F-->023A0036 [unknown_code_page]
[1740]SVCHOST.EXE-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF1-->023A0F6D [unknown_code_page]
[1740]SVCHOST.EXE-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AE5B-->023A0F9E [unknown_code_page]
[1740]SVCHOST.EXE-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD0-->023A0047 [unknown_code_page]
[1740]SVCHOST.EXE-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A5D-->023A0062 [unknown_code_page]
[1740]SVCHOST.EXE-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86158D-->023A0F1F [unknown_code_page]
[1740]SVCHOST.EXE-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x7C90D0AE-->02B4000A [unknown_code_page]
[1740]SVCHOST.EXE-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x7C90D14E-->02B40FEF [unknown_code_page]
[1740]SVCHOST.EXE-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->02B40025 [unknown_code_page]
[1740]SVCHOST.EXE-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D95D690-->02250FE5 [unknown_code_page]
[1740]SVCHOST.EXE-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D95F3A4-->02250000 [unknown_code_page]
[1740]SVCHOST.EXE-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x3D9A6DDF-->0225001B [unknown_code_page]
[1740]SVCHOST.EXE-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x3D95DB09-->02250FD4 [unknown_code_page]
[1740]SVCHOST.EXE-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB3B91-->02260000 [unknown_code_page]
[1964]SVCHOST.EXE-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DE4706-->0096005B [unknown_code_page]
[1964]SVCHOST.EXE-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE834-->0096006C [unknown_code_page]
[1964]SVCHOST.EXE-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD774C-->00960FB9 [unknown_code_page]
[1964]SVCHOST.EXE-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DE45EE-->00960FD4 [unknown_code_page]
[1964]SVCHOST.EXE-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEE08-->0096000A [unknown_code_page]
[1964]SVCHOST.EXE-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7832-->00960025 [unknown_code_page]
[1964]SVCHOST.EXE-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6A8F-->00960040 [unknown_code_page]
[1964]SVCHOST.EXE-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7926-->00960FEF [unknown_code_page]
[1964]SVCHOST.EXE-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A24-->0097000A [unknown_code_page]
[1964]SVCHOST.EXE-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810770-->00970FE5 [unknown_code_page]
[1964]SVCHOST.EXE-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C85FE94-->0097001B [unknown_code_page]
[1964]SVCHOST.EXE-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0EF-->00970FCA [unknown_code_page]
[1964]SVCHOST.EXE-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81E0D7-->00970091 [unknown_code_page]
[1964]SVCHOST.EXE-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C802367-->009700BD [unknown_code_page]
[1964]SVCHOST.EXE-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802332-->00970F24 [unknown_code_page]
[1964]SVCHOST.EXE-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80ADB0-->009700D8 [unknown_code_page]
[1964]SVCHOST.EXE-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EEE-->00970F64 [unknown_code_page]
[1964]SVCHOST.EXE-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E50-->00970F53 [unknown_code_page]
[1964]SVCHOST.EXE-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D77-->00970FB9 [unknown_code_page]
[1964]SVCHOST.EXE-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D4F-->00970054 [unknown_code_page]
[1964]SVCHOST.EXE-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF1-->00970065 [unknown_code_page]
[1964]SVCHOST.EXE-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AE5B-->00970FA8 [unknown_code_page]
[1964]SVCHOST.EXE-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD0-->00970F8B [unknown_code_page]
[1964]SVCHOST.EXE-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A5D-->00970080 [unknown_code_page]
[1964]SVCHOST.EXE-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86158D-->009700AC [unknown_code_page]
[1964]SVCHOST.EXE-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x7C90D0AE-->00980000 [unknown_code_page]
[1964]SVCHOST.EXE-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x7C90D14E-->00980FDB [unknown_code_page]
[1964]SVCHOST.EXE-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00980011 [unknown_code_page]
[1964]SVCHOST.EXE-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB3B91-->00940000 [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->kernel32.dll-->CopyFileA, Type: IAT modification 0x00406044-->03A641E8 [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->kernel32.dll-->ExitProcess, Type: IAT modification 0x00406050-->FC45C6FF [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->kernel32.dll-->FreeEnvironmentStringsA, Type: IAT modification 0x00406070-->B815FFFF [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->kernel32.dll-->FreeEnvironmentStringsW, Type: IAT modification 0x00406074-->FF004596 [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->kernel32.dll-->GetACP, Type: IAT modification 0x0040602C-->14C48300 [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->kernel32.dll-->GetCommandLineA, Type: IAT modification 0x00406058-->8B004596 [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->kernel32.dll-->GetCPInfo, Type: IAT modification 0x00406030-->844D8D50 [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->kernel32.dll-->GetCurrentProcess, Type: IAT modification 0x00406064-->448D8D0F [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->kernel32.dll-->GetCurrentThreadId, Type: IAT modification 0x0040608C-->00459690 [I3DZpvTXX01Nos.exe]
[2196]I3DZpvTXX01Nos.exe-->kernel32.dll-->GetDateFormatA, Type: IAT modification 0x00406034-->0BFC45C6 [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->kernel32.dll-->GetEnvironmentStrings, Type: IAT modification 0x0040607C-->5900046D [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->kernel32.dll-->GetEnvironmentStringsW, Type: IAT modification 0x00406080-->448D8D50 [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->kernel32.dll-->GetFileType, Type: IAT modification 0x00406088-->15FF0C75 [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->kernel32.dll-->GetModuleFileNameA, Type: IAT modification 0x0040606C-->FFFF4485 [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->kernel32.dll-->GetModuleHandleA, Type: IAT modification 0x00406048-->8D016A00 [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->kernel32.dll-->GetOEMCP, Type: IAT modification 0x00406028-->02358BE8 [INDEX.DAT]
[2196]I3DZpvTXX01Nos.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x0040604C-->FFFF648D [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->kernel32.dll-->GetStartupInfoA, Type: IAT modification 0x00406054-->B815FF07 [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->kernel32.dll-->GetStdHandle, Type: IAT modification 0x00406084-->FFFFFFFF [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->kernel32.dll-->GetStringTypeA, Type: IAT modification 0x00406008-->0004663C [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->kernel32.dll-->GetStringTypeW, Type: IAT modification 0x00406004-->E807FC45 [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->kernel32.dll-->GetVersion, Type: IAT modification 0x0040605C-->89538845 [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->kernel32.dll-->GlobalAlloc, Type: IAT modification 0x00406038-->000654E8 [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->kernel32.dll-->HeapCreate, Type: IAT modification 0x004060A8-->8D016A59 [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->kernel32.dll-->HeapDestroy, Type: IAT modification 0x004060A4-->59000369 [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->kernel32.dll-->InitializeCriticalSection, Type: IAT modification 0x004060B8-->68004596 [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->kernel32.dll-->LCMapStringA, Type: IAT modification 0x00406010-->8D50FFFF [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->kernel32.dll-->LCMapStringW, Type: IAT modification 0x0040600C-->FF14858D [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x00406018-->84E850FF [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->kernel32.dll-->MultiByteToWideChar, Type: IAT modification 0x00406014-->FFFF6485 [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->kernel32.dll-->SetHandleCount, Type: IAT modification 0x00406000-->C6E875FF [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->kernel32.dll-->TerminateProcess, Type: IAT modification 0x00406060-->458A0C45 [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->kernel32.dll-->TlsAlloc, Type: IAT modification 0x00406094-->45C6FFFF [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->kernel32.dll-->TlsGetValue, Type: IAT modification 0x0040609C-->FFFF5485 [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->kernel32.dll-->TlsSetValue, Type: IAT modification 0x00406090-->FF44858D [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->kernel32.dll-->UnhandledExceptionFilter, Type: IAT modification 0x00406068-->88FFFFFF [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->kernel32.dll-->VirtualAlloc, Type: IAT modification 0x00406020-->50A4458D [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->kernel32.dll-->VirtualFree, Type: IAT modification 0x004060AC-->FFFF448D [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->kernel32.dll-->WideCharToMultiByte, Type: IAT modification 0x00406078-->37E80C75 [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->kernel32.dll-->WriteFile, Type: IAT modification 0x004060B4-->B815FF0E [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->user32.dll-->DeferWindowPos, Type: IAT modification 0x004060C8-->8953008B [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->user32.dll-->GetDlgCtrlID, Type: IAT modification 0x004060CC-->458A0C45 [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->user32.dll-->GetKeyboardState, Type: IAT modification 0x004060D4-->C6FFFFFF [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->user32.dll-->GetNextDlgTabItem, Type: IAT modification 0x004060D8-->880FFC45 [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->user32.dll-->SetWindowTextA, Type: IAT modification 0x004060D0-->648D8D0F [unknown_code_page]
[2196]I3DZpvTXX01Nos.exe-->user32.dll-->ShowWindow, Type: IAT modification 0x004060C4-->FFFFBF8E [unknown_code_page]
[2324]mfevtps.exe-->crypt32.dll-->advapi32.dll-->RegQueryValueExW, Type: IAT modification 0x77A81044-->00407740 [mfevtps.exe]
[2324]mfevtps.exe-->crypt32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77A8120C-->004077A0 [mfevtps.exe]
[2480]sqlservr.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DE4706-->0E4E0FE5 [unknown_code_page]
[2480]sqlservr.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE834-->0E4E007D [unknown_code_page]
[2480]sqlservr.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD774C-->0E4E0FC0 [unknown_code_page]
[2480]sqlservr.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DE45EE-->0E4E006C [unknown_code_page]
[2480]sqlservr.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEE08-->0E4E0000 [unknown_code_page]
[2480]sqlservr.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7832-->0E4E0036 [unknown_code_page]
[2480]sqlservr.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6A8F-->0E4E0047 [unknown_code_page]
[2480]sqlservr.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7926-->0E4E0025 [unknown_code_page]
[2480]sqlservr.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A24-->0E4F0FEF [unknown_code_page]
[2480]sqlservr.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810770-->0E4F0FCA [unknown_code_page]
[2480]sqlservr.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C85FE94-->0E4F0FB9 [unknown_code_page]
[2480]sqlservr.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0EF-->0E4F0FA8 [unknown_code_page]
[2480]sqlservr.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81E0D7-->0E4F004C [unknown_code_page]
[2480]sqlservr.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C802367-->0E4F0090 [unknown_code_page]
[2480]sqlservr.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802332-->0E4F00A1 [unknown_code_page]
[2480]sqlservr.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80ADB0-->0E4F00B2 [unknown_code_page]
[2480]sqlservr.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EEE-->0E4F005D [unknown_code_page]
[2480]sqlservr.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E50-->0E4F006E [unknown_code_page]
[2480]sqlservr.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D77-->0E4F0F8D [unknown_code_page]
[2480]sqlservr.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D4F-->0E4F000A [unknown_code_page]
[2480]sqlservr.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF1-->0E4F0F57 [unknown_code_page]
[2480]sqlservr.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AE5B-->0E4F0F72 [unknown_code_page]
[2480]sqlservr.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD0-->0E4F0F46 [unknown_code_page]
[2480]sqlservr.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A5D-->0E4F003B [unknown_code_page]
[2480]sqlservr.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86158D-->0E4F007F [unknown_code_page]
[2480]sqlservr.exe-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x7C90D0AE-->0E50000A [unknown_code_page]
[2480]sqlservr.exe-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x7C90D14E-->0E50002C [unknown_code_page]
[2480]sqlservr.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->0E50001B [unknown_code_page]
[2968]SVCHOST.EXE-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DE4706-->00910014 [unknown_code_page]
[2968]SVCHOST.EXE-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE834-->00910F83 [unknown_code_page]
[2968]SVCHOST.EXE-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD774C-->00910036 [unknown_code_page]
[2968]SVCHOST.EXE-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DE45EE-->00910025 [unknown_code_page]
[2968]SVCHOST.EXE-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEE08-->00910FEF [unknown_code_page]
[2968]SVCHOST.EXE-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7832-->00910FC3 [unknown_code_page]
[2968]SVCHOST.EXE-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6A8F-->00910FB2 [unknown_code_page]
[2968]SVCHOST.EXE-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7926-->00910FD4 [unknown_code_page]
[2968]SVCHOST.EXE-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A24-->00920FEF [unknown_code_page]
[2968]SVCHOST.EXE-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810770-->00920FCA [unknown_code_page]
[2968]SVCHOST.EXE-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C85FE94-->00920FB9 [unknown_code_page]
[2968]SVCHOST.EXE-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0EF-->00920000 [unknown_code_page]
[2968]SVCHOST.EXE-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81E0D7-->00920EFC [unknown_code_page]
[2968]SVCHOST.EXE-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C802367-->0092004C [unknown_code_page]
[2968]SVCHOST.EXE-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802332-->0092005D [unknown_code_page]
[2968]SVCHOST.EXE-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80ADB0-->00920E9F [unknown_code_page]
[2968]SVCHOST.EXE-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EEE-->0092001D [unknown_code_page]
[2968]SVCHOST.EXE-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E50-->00920ED5 [unknown_code_page]
[2968]SVCHOST.EXE-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D77-->00920F8A [unknown_code_page]
[2968]SVCHOST.EXE-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D4F-->00920F54 [unknown_code_page]
[2968]SVCHOST.EXE-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF1-->00920F43 [unknown_code_page]
[2968]SVCHOST.EXE-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AE5B-->00920F79 [unknown_code_page]
[2968]SVCHOST.EXE-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD0-->00920F28 [unknown_code_page]
[2968]SVCHOST.EXE-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A5D-->00920F17 [unknown_code_page]
[2968]SVCHOST.EXE-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86158D-->00920EC4 [unknown_code_page]
[2968]SVCHOST.EXE-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x7C90D0AE-->00930000 [unknown_code_page]
[2968]SVCHOST.EXE-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x7C90D14E-->00930FDB [unknown_code_page]
[2968]SVCHOST.EXE-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00930011 [unknown_code_page]
[3568]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - RelativeJump 0x7C810D97-->00585C0C [mssrch.dll]
[3568]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - SEH 0x7C810D9C [unknown_code_page]
[3568]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - SEH 0x7C810D9D [unknown_code_page]
[432]McSvHost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D77-->62419A20 [McProxy.dll]
[432]McSvHost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AE5B-->62419AE2 [McProxy.dll]
[824]SVCHOST.EXE-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DE4706-->00940047 [unknown_code_page]
[824]SVCHOST.EXE-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE834-->00940FB9 [unknown_code_page]
[824]SVCHOST.EXE-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD774C-->00940076 [unknown_code_page]
[824]SVCHOST.EXE-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DE45EE-->00940FCA [unknown_code_page]
[824]SVCHOST.EXE-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEE08-->00940000 [unknown_code_page]
[824]SVCHOST.EXE-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7832-->0094002C [unknown_code_page]
[824]SVCHOST.EXE-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6A8F-->00940FDB [unknown_code_page]
[824]SVCHOST.EXE-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7926-->00940011 [unknown_code_page]
[824]SVCHOST.EXE-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A24-->0095000A [unknown_code_page]
[824]SVCHOST.EXE-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810770-->00950FEF [unknown_code_page]
[824]SVCHOST.EXE-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C85FE94-->00950FDE [unknown_code_page]
[824]SVCHOST.EXE-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0EF-->00950025 [unknown_code_page]
[824]SVCHOST.EXE-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81E0D7-->009500A4 [unknown_code_page]
[824]SVCHOST.EXE-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C802367-->00950F41 [unknown_code_page]
[824]SVCHOST.EXE-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802332-->00950F30 [unknown_code_page]
[824]SVCHOST.EXE-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80ADB0-->009500E4 [unknown_code_page]
[824]SVCHOST.EXE-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EEE-->009500B5 [unknown_code_page]
[824]SVCHOST.EXE-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E50-->00950F6D [unknown_code_page]
[824]SVCHOST.EXE-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D77-->00950FB9 [unknown_code_page]
[824]SVCHOST.EXE-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D4F-->00950051 [unknown_code_page]
[824]SVCHOST.EXE-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF1-->00950062 [unknown_code_page]
[824]SVCHOST.EXE-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AE5B-->00950040 [unknown_code_page]
[824]SVCHOST.EXE-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD0-->0095007F [unknown_code_page]
[824]SVCHOST.EXE-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A5D-->00950F8A [unknown_code_page]
[824]SVCHOST.EXE-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86158D-->00950F5C [unknown_code_page]
[824]SVCHOST.EXE-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x7C90D0AE-->00960000 [unknown_code_page]
[824]SVCHOST.EXE-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x7C90D14E-->00960FC0 [unknown_code_page]
[824]SVCHOST.EXE-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00960FDB [unknown_code_page]
[824]SVCHOST.EXE-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D95D690-->0091000A [unknown_code_page]
[824]SVCHOST.EXE-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D95F3A4-->00910FDE [unknown_code_page]
[824]SVCHOST.EXE-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x3D9A6DDF-->00910FCD [unknown_code_page]
[824]SVCHOST.EXE-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x3D95DB09-->00910FEF [unknown_code_page]
[824]SVCHOST.EXE-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB3B91-->00920000 [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->kernel32.dll-->CopyFileA, Type: IAT modification 0x00406034-->000007B9 [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->kernel32.dll-->ExitProcess, Type: IAT modification 0x00406040-->89661424 [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->kernel32.dll-->FreeEnvironmentStringsA, Type: IAT modification 0x00406060-->33000000 [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->kernel32.dll-->FreeEnvironmentStringsW, Type: IAT modification 0x00406064-->247C8DC0 [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->kernel32.dll-->GetACP, Type: IAT modification 0x004060BC-->0000013C [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->kernel32.dll-->GetCommandLineA, Type: IAT modification 0x00406048-->A5F30000 [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->kernel32.dll-->GetCPInfo, Type: IAT modification 0x004060B8-->2444C780 [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->kernel32.dll-->GetCurrentProcess, Type: IAT modification 0x00406054-->03B224BC [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->kernel32.dll-->GetCurrentThreadId, Type: IAT modification 0x0040607C-->0138248C [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->kernel32.dll-->GetEnvironmentStrings, Type: IAT modification 0x0040606C-->ABF33424 [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->kernel32.dll-->GetEnvironmentStringsW, Type: IAT modification 0x00406070-->848DAB66 [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->kernel32.dll-->GetFileType, Type: IAT modification 0x00406000-->66ABF300 [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->kernel32.dll-->GetModuleFileNameA, Type: IAT modification 0x0040605C-->1FB9AB66 [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->kernel32.dll-->GetModuleHandleA, Type: IAT modification 0x00406038-->5C24BE00 [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->kernel32.dll-->GetOEMCP, Type: IAT modification 0x004060C0-->10AAE800 [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x0040603C-->7C8D0041 [kernel32.dll]
[944]yEfRqQhDUGAmlI.exe-->kernel32.dll-->GetStartupInfoA, Type: IAT modification 0x00406044-->03B0249C [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->kernel32.dll-->GetStdHandle, Type: IAT modification 0x00406078-->8D056A00 [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->kernel32.dll-->GetStringTypeA, Type: IAT modification 0x00406008-->C0330000 [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->kernel32.dll-->GetStringTypeW, Type: IAT modification 0x00406004-->0081B9AB [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->kernel32.dll-->GetSystemDefaultLCID, Type: IAT modification 0x00406024-->415C44BE [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->kernel32.dll-->GetVersion, Type: IAT modification 0x0040604C-->7FB9A566 [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->kernel32.dll-->HeapCreate, Type: IAT modification 0x00406098-->D662E850 [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->kernel32.dll-->HeapDestroy, Type: IAT modification 0x00406094-->52242444 [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->kernel32.dll-->InitializeCriticalSection, Type: IAT modification 0x004060AC-->03D42484 [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->kernel32.dll-->LCMapStringA, Type: IAT modification 0x00406010-->66000001 [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->kernel32.dll-->LCMapStringW, Type: IAT modification 0x0040600C-->AA24BC8D [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x00406014-->A8249C89 [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->kernel32.dll-->MultiByteToWideChar, Type: IAT modification 0x00406028-->24BC8D00 [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->kernel32.dll-->SetHandleCount, Type: IAT modification 0x00406074-->0003B024 [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->kernel32.dll-->TerminateProcess, Type: IAT modification 0x00406050-->8D000000 [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->kernel32.dll-->TlsAlloc, Type: IAT modification 0x00406084-->1C245C89 [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->kernel32.dll-->TlsGetValue, Type: IAT modification 0x0040608C-->24548DFF [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->kernel32.dll-->TlsSetValue, Type: IAT modification 0x00406080-->51500000 [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->kernel32.dll-->UnhandledExceptionFilter, Type: IAT modification 0x00406058-->ABF30000 [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->kernel32.dll-->VirtualAlloc, Type: IAT modification 0x0040601C-->B9AB66AB [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->kernel32.dll-->VirtualAllocEx, Type: IAT modification 0x00406030-->A5F3C033 [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->kernel32.dll-->VirtualFree, Type: IAT modification 0x0040609C-->4C8DFFFF [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->kernel32.dll-->WideCharToMultiByte, Type: IAT modification 0x00406068-->5C896636 [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->kernel32.dll-->WriteFile, Type: IAT modification 0x004060A8-->8D046A54 [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->user32.dll-->FindWindowExA, Type: IAT modification 0x004060D4-->03EC2484 [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->user32.dll-->GetKeyboardState, Type: IAT modification 0x004060D0-->8D046A6C [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->user32.dll-->GetWindow, Type: IAT modification 0x004060CC-->24548D51 [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->user32.dll-->ShowOwnedPopups, Type: IAT modification 0x004060C8-->046A3C24 [unknown_code_page]
SilentJim is offline  
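Added example (not RKU's code and not from any post in this thread): a small Python triage for a hook list like the one above. It assumes the line format RKU prints and a default 32-bit XP address layout (user space below 0x80000000, no /3GB switch), which the thread does not state. The sample lines are a constructed subset of the log above, and the grouping of APIs into "families" is the example's own.

```python
"""Triage the user-mode hook entries RootKit Unhooker (RKU) reports.

Added example for this thread; it is not RKU's own code and not the
original poster's. It assumes the line format shown in the log above and a
default 32-bit Windows XP address layout (user space below 0x80000000, no
/3GB switch), which the thread does not state explicitly.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the entries from the RKU log above.
SAMPLE_LOG = """\
[824]SVCHOST.EXE-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C802367-->00950F41 [unknown_code_page]
[824]SVCHOST.EXE-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D77-->00950FB9 [unknown_code_page]
[824]SVCHOST.EXE-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD0-->0095007F [unknown_code_page]
[824]SVCHOST.EXE-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x7C90D0AE-->00960000 [unknown_code_page]
[824]SVCHOST.EXE-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D95D690-->0091000A [unknown_code_page]
[824]SVCHOST.EXE-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB3B91-->00920000 [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->kernel32.dll-->CopyFileA, Type: IAT modification 0x00406034-->000007B9 [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->kernel32.dll-->ExitProcess, Type: IAT modification 0x00406040-->89661424 [unknown_code_page]
[944]yEfRqQhDUGAmlI.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x0040603C-->7C8D0041 [kernel32.dll]
"""

HOOK_RE = re.compile(
    r"^\[(?P<pid>\d+)\](?P<process>.+?)-->(?P<module>.+?)-->(?P<api>\w+), "
    r"Type: (?P<type>Inline - \w+|IAT modification) "
    r"0x(?P<src>[0-9A-Fa-f]+)-->(?P<dst>[0-9A-Fa-f]+) \[(?P<owner>[^\]]+)\]$"
)

# What capability a hooked API hands to the injected code (grouping is ours).
API_FAMILIES = {
    "process creation": {"CreateProcessA", "CreateProcessW", "NtCreateProcess", "WinExec", "CreatePipe"},
    "module loading": {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW", "GetProcAddress"},
    "memory protection": {"VirtualProtect", "VirtualProtectEx", "NtProtectVirtualMemory"},
    "file creation": {"NtCreateFile"},
    "network": {"InternetOpenA", "InternetOpenW", "InternetOpenUrlA", "InternetOpenUrlW", "socket"},
}

USER_SPACE_END = 0x7FFFFFFF  # assumption: default 2 GB user space on 32-bit XP
NULL_PAGE_END = 0x0000FFFF   # the first 64 KB is never mapped in a user process


def parse_rku(text):
    """Return one dict per hook line; lines that are not hook entries are ignored."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        h = m.groupdict()
        h["pid"] = int(h["pid"])
        h["src"] = int(h["src"], 16)
        h["dst"] = int(h["dst"], 16)
        hooks.append(h)
    return hooks


def plausible_code_address(addr):
    """A hook target that is not a mappable user-mode address cannot be live code."""
    return NULL_PAGE_END < addr <= USER_SPACE_END


def triage(hooks):
    """Summarise hooks per process and rate them.

    high:   inline hook whose target lies in memory no loaded module owns
            (injected code hooking a system process)
    medium: IAT entry redirected to a plausible address outside the imported module
    low:    IAT entries whose targets are not valid user-mode addresses; they look
            like raw bytes of a packed image rather than real redirections
    """
    by_proc = defaultdict(list)
    for h in hooks:
        by_proc[(h["pid"], h["process"])].append(h)

    report = {}
    for key, entries in by_proc.items():
        inline_unknown = [h for h in entries
                          if h["type"].startswith("Inline") and h["owner"] == "unknown_code_page"]
        iat = [h for h in entries if h["type"] == "IAT modification"]
        iat_bogus = sorted(h["api"] for h in iat if not plausible_code_address(h["dst"]))
        iat_redirected = sorted(h["api"] for h in iat
                                if plausible_code_address(h["dst"])
                                and h["owner"].lower() != h["module"].lower())
        if inline_unknown:
            severity = "high"
        elif iat_redirected:
            severity = "medium"
        elif iat_bogus:
            severity = "low"
        else:
            severity = "none"
        report[key] = {
            "severity": severity,
            "inline_unknown": len(inline_unknown),
            # distinct 4 KB pages holding the trampolines: how many private regions were injected
            "injected_pages": sorted({h["dst"] & ~0xFFF for h in inline_unknown}),
            "api_families": sorted(fam for fam, apis in API_FAMILIES.items()
                                   if any(h["api"] in apis for h in entries)),
            "iat_redirected": iat_redirected,
            "implausible_iat_targets": iat_bogus,
        }
    return report


if __name__ == "__main__":
    for (pid, name), r in triage(parse_rku(SAMPLE_LOG)).items():
        print("[%d] %s: %s" % (pid, name, r["severity"]))
        for k, v in r.items():
            if k != "severity":
                print("    %-24s %s" % (k, [hex(x) for x in v] if k == "injected_pages" else v))
```

Read against the log above, this rates svchost.exe (PID 824) high: the inline hooks on process creation, library loading, memory protection, NtCreateFile and the WinINet/Winsock entry points all jump into a handful of private pages (0x0091xxxx, 0x0092xxxx, 0x0095xxxx, 0x0096xxxx) that no loaded module owns, which is what injected code looks like. Most IAT entries in yEfRqQhDUGAmlI.exe point at values such as 0x89661424 or 0x000007B9 that cannot be user-mode code on this layout, so they read as RKU dumping raw bytes of a packed image rather than live redirections; the file itself, not its hook list, is what to hash and submit.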
Old 11-29-2011, 03:14 PM   #13
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
Microsoft Most Valuable Professional
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, SilentJim. RKU should have run in Safe Mode after running that regfix.

Download OTL.exe and Save it to your Desktop.
  • Right-click OTL.exe and choose 'Run as administrator' to start the tool.
  • Check the Scan All Users checkbox.
  • Copy/paste the following into the Custom Scans/Fixes box:

    netsvcs
    %systemdrive%\iastor.sys /s /md5


  • Click Run Scan and let the program run uninterrupted.
  • When the scan is complete, two text files will be created on the Desktop: OTL.Txt (this one will be opened in Notepad) and Extras.Txt.
Please copy/paste the contents of OTL.Txt in your next reply and attach the Extras.Txt to your next reply.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 11-29-2011, 04:23 PM   #14
Registered Member
 
Join Date: Apr 2005
Location: Arizona
Posts: 93
OS: Windows 10



OTL would not run in safe mode. (I installed the reg.fix, just forgot to mention it.) Rebooted into normal mode, right-clicked and selected to run as administrator, but an error message popped up:
"Unable to log on:
Logon Failure: user account restriction. Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced."
(Rebooted back to safe mode)

If you don't mind me asking, what's the story so far? Are all these scans finding anything?

Another thing, is it permissible to use "Unhide"? I would like to verify that files are still present and maybe do some more backups. The virus hides my external drive, and I'd like to disconnect it.
SilentJim is offline  
Old 11-29-2011, 04:45 PM   #15
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
Microsoft Most Valuable Professional
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, SilentJim. Yes, you can run unhide.exe anytime you want. Make sure you don't empty any of your temp folders.

Yes, I see the System Fix files, etc., just trying to find the cause of the BSODs.

I'd like you to update MBAM and run a Quick Scan in Safe Mode with Networking. Please post the log in your next reply.

Next, download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it. (Vista/Win7 users, right-click > Run as Administrator)
  • Copy/paste the contents of the following codebox into the main textfield:
    Code:
    :filefind
    iastor.*
  • Click the Look button to start the scan.
  • Please be patient, as it may take a while.
  • When finished, a Notepad file will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

------------------------------------------------------
chemist is offline  
Old 11-29-2011, 06:42 PM   #16
Registered Member
 
Join Date: Apr 2005
Location: Arizona
Posts: 93
OS: Windows 10



First: The results of the MBAM quick scan are below. I "fixed" the problems it detected.

I probably should have mentioned: The iastor.sys BSODs are likely due to a common problem with Dell computers manufactured around 2006. I had a similar problem on another computer (the one I'm using now) which made the computer unbootable, requiring a clean sweep. In my non-expert opinion, the BSODs are unrelated to the System Fix virus.

By the way, when transferring the latest MBAM log to THIS computer, I had a window flash up from McAfee saying it had stopped a trojan. Wonderful.



Malwarebytes' Anti-Malware 1.51.2.1300
Malwarebytes : Free anti-malware, anti-virus and spyware removal download

Database version: 8275

Windows 5.1.2600 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.18702

11/29/2011 7:26:22 PM
mbam-log-2011-11-29 (19-26-16).txt

Scan type: Quick scan
Objects scanned: 182448
Time elapsed: 4 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yEfRqQhDUGAmlI.exe (Trojan.FakeAlert) -> Value: yEfRqQhDUGAmlI.exe -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\yefrqqhdugamli.exe (Trojan.FakeAlert) -> No action taken.
c:\documents and settings\all users\application data\i3dzpvtxx01nos.exe (Rogue.FakeAlert) -> No action taken.
SilentJim is offline  
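Added example, not Malwarebytes' own code and not from any post in this thread: a parser for the MBAM 1.x log format shown above that checks that the summary counts match the entries listed (a mismatch means a truncated paste), checks whether any entry was actually remediated, and emits a .reg file that deletes the Run autorun value and restores each "Registry Data Item" to the value MBAM reports as Good. The embedded sample is the detection section of the log above; the status column records what was done when the log was written, and here every line reads "No action taken", so this log shows detections, not the removal. A rescan after removal is what demonstrates a clean result.

```python
"""Turn an MBAM 1.x scan log into a remediation check and a .reg fix.

Added example for this thread, not Malwarebytes' code and not the poster's.
It assumes the log layout shown above; the sample below is the detection
section of that log, with its entries still marked "No action taken".
"""
import re
from collections import defaultdict

# Constructed sample: the detection sections of the log above.
SAMPLE_LOG = r"""
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 2

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yEfRqQhDUGAmlI.exe (Trojan.FakeAlert) -> Value: yEfRqQhDUGAmlI.exe -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> No action taken.

Files Infected:
c:\documents and settings\all users\application data\yefrqqhdugamli.exe (Trojan.FakeAlert) -> No action taken.
c:\documents and settings\all users\application data\i3dzpvtxx01nos.exe (Rogue.FakeAlert) -> No action taken.
"""

# "Registry Values Infected: 1" is a summary count; "Registry Values Infected:" opens a section.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):(?: (?P<count>\d+))?$")
ENTRY_RE = re.compile(
    r"^(?P<path>.+?) \((?P<detection>[^)]+)\)"                 # path (Detection.Name)
    r"(?: -> Value: (?P<value>.+?))?"                           # registry value entries
    r"(?: -> Bad: \((?P<bad>\d+)\) Good: \((?P<good>\d+)\))?"   # registry data entries
    r" -> (?P<status>.+?)\.?$"                                  # what MBAM did
)


def parse_mbam_log(text):
    """Return {'summary': {section: count}, 'sections': {section: [entry dicts]}}."""
    summary, sections, current = {}, defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            if m.group("count") is not None:
                summary[m.group("name")] = int(m.group("count"))
            else:
                current = m.group("name")
            continue
        if not line or line.startswith("(No malicious") or current is None:
            continue
        e = ENTRY_RE.match(line)
        if not e:
            raise ValueError("unrecognised entry: " + line)
        d = e.groupdict()
        for k in ("bad", "good"):
            d[k] = int(d[k]) if d[k] is not None else None
        sections[current].append(d)
    return {"summary": summary, "sections": dict(sections)}


def counts_consistent(parsed):
    """Header counts must equal the entries listed; otherwise the paste is incomplete."""
    return all(len(parsed["sections"].get(name, [])) == n
               for name, n in parsed["summary"].items())


def remediated(parsed):
    """True only if no entry is still 'No action taken'."""
    return all(e["status"] != "No action taken"
               for entries in parsed["sections"].values() for e in entries)


def build_reg_fix(parsed):
    """Emit a .reg script: delete the autorun value, set each data item to MBAM's Good value."""
    per_key = defaultdict(list)
    for e in parsed["sections"].get("Registry Values Infected", []):
        per_key[e["path"].rsplit("\\", 1)[0]].append('"%s"=-' % e["value"])
    for e in parsed["sections"].get("Registry Data Items Infected", []):
        key, name = e["path"].rsplit("\\", 1)
        per_key[key].append('"%s"=dword:%08x' % (name, e["good"]))
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, settings in per_key.items():
        lines += ["[%s]" % key] + settings + [""]
    return "\n".join(lines)


def files_to_quarantine(parsed):
    return [e["path"] for e in parsed["sections"].get("Files Infected", [])]


if __name__ == "__main__":
    p = parse_mbam_log(SAMPLE_LOG)
    print("counts consistent:", counts_consistent(p), " remediated:", remediated(p))
    print(build_reg_fix(p))
    print("files to quarantine:", files_to_quarantine(p))
```

The Start_Show* values under Explorer\Advanced and NoDesktop under Policies\Explorer are exactly the user-visible damage the thread describes (blank desktop, missing Start menu items); the Run value is the rogue's persistence. Import the .reg only once the rogue's process is no longer running (this thread needed Rkill for that), since a running rogue can simply write its Run value back, and export the keys first so the change can be reversed.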
Old 11-29-2011, 07:30 PM   #17
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
Microsoft Most Valuable Professional
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



You only get the BSODs when running our tools?

How does Normal Mode behave now?

------------------------------------------------------
chemist is offline  
Old 11-29-2011, 07:55 PM   #18
Registered Member
 
Join Date: Apr 2005
Location: Arizona
Posts: 93
OS: Windows 10



Correct. I am not aware of any BSODs due to iastor.sys occurring on that computer until I tried running DSS and then ComboFix.

I rebooted into normal mode after the latest MBAM scan,

and the System Fix DID NOT start!

I can only see the few files I transferred to the desktop, but it looks like we're making progress. Processes appear to be normal except for "services.exe", which is hogging 200-some megs of memory and about 80% of the CPU.

Awaiting further instructions...

By the way, I started a McAfee scan of THIS computer, and found 9 problems after 20% completed (I never find anything).
SilentJim is offline  
Old 11-29-2011, 09:04 PM   #19
Registered Member
 
Join Date: Apr 2005
Location: Arizona
Posts: 93
OS: Windows 10



I'm shutting down for the night. Further instructions will not be addressed until tomorrow morning.
SilentJim is offline  
Old 11-30-2011, 04:11 AM   #20
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
Microsoft Most Valuable Professional
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, SilentJim.

Quote:
I started a McAfee scan of THIS computer, and found 9 problems after 20% completed
I can only address one computer at a time.

------------------------------------------------------
  • Double-click SystemLook.exe to run it. (Vista/Win7 users, right-click > Run as Administrator)
  • Copy/paste the contents of the following codebox into the main textfield:
    Code:
    :filefind
    iastor.*
    
    :dir
    %temp%\smtmp* /s
    
    :regfind
    Normandy
  • Click the Look button to start the scan.
  • Please be patient, as it may take a while.
  • When finished, a Notepad file will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

------------------------------------------------------

See if OTL will run in Normal Mode.

Double-click OTL to start the tool.
  • Click Run Scan and let the program run uninterrupted.
  • When the scan is complete, two text files will be created on the Desktop: OTL.Txt (this one will be opened in Notepad) and Extras.Txt.
Please copy/paste the contents of OTL.Txt in your next reply and attach the Extras.Txt to your next reply.

------------------------------------------------------

If OTL still won't run, please run RSIT again and post the log.txt in your next reply.

------------------------------------------------------
chemist is offline  
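Added example, not OTL's or SystemLook's code and not from any post here: the check that `%systemdrive%\iastor.sys /s /md5` (post #13) and `:filefind iastor.*` (posts #15 and #20) perform, written out in Python so the logic is visible. It walks a root, hashes every copy of the matching file name, and flags a name whose copies do not all share one hash. On XP the driver in system32\drivers normally matches the Windows File Protection copy in system32\dllcache, so a copy that disagrees is the one worth examining. The directory layout and file contents in the block are constructed for the demonstration; run compare_copies() against a real root to use it.

```python
"""Find every copy of a file pattern under a root, hash each, and flag names whose copies disagree.

Added example for this thread; neither OTL's nor SystemLook's code and not the
poster's. It reproduces what ':filefind iastor.*' and '/s /md5' are for. The
sample tree built by build_sample_tree() is constructed, not a real system.
"""
import fnmatch
import hashlib
import os
import tempfile
from collections import defaultdict


def find_files(root, pattern):
    """Recursive, case-insensitive match (Windows file names are case-insensitive)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in files
                    if fnmatch.fnmatchcase(f.lower(), pattern.lower()))
    return sorted(hits)


def md5_file(path, chunk=1 << 16):
    """MD5 as a fingerprint for comparing copies, not as a tamper-proof signature."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def compare_copies(root, pattern):
    """{lower-case name: {md5: [paths]}}; more than one md5 under a name means the copies differ."""
    report = defaultdict(lambda: defaultdict(list))
    for path in find_files(root, pattern):
        report[os.path.basename(path).lower()][md5_file(path)].append(path)
    return {name: dict(hashes) for name, hashes in report.items()}


def disagreeing(report):
    """Names present in more than one version, e.g. a driver that no longer matches its dllcache copy."""
    return sorted(name for name, hashes in report.items() if len(hashes) > 1)


def build_sample_tree(root):
    """Constructed layout mimicking an XP system drive: two identical iastor.sys and one altered copy."""
    good = b"MZ" + b"\x00" * 30 + b"sample-storage-driver"      # constructed file body
    altered = good + b"\x90\x90\x90\x90"                         # constructed: same body, bytes appended
    layout = {
        os.path.join("WINDOWS", "system32", "drivers", "iastor.sys"): good,
        os.path.join("WINDOWS", "system32", "dllcache", "iastor.sys"): good,
        os.path.join("Temp", "IASTOR.SYS"): altered,
        os.path.join("WINDOWS", "inf", "iastor.inf"): b"[Version]\r\nSignature=$Windows NT$\r\n",
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def demo(pattern="iastor.*"):
    """Build the sample tree in a temp dir and return (report, names whose copies disagree)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        report = compare_copies(root, pattern)
        return report, disagreeing(report)


if __name__ == "__main__":
    report, bad = demo()
    for name, hashes in report.items():
        for digest, paths in hashes.items():
            for p in paths:
                print("%s  %s" % (digest, p))
    print("copies that disagree:", bad or "none")
```

A hash that differs only tells you the copies differ, not which one is wrong; the next step is to compare the odd one against a known-good copy (the i386 source or a clean machine of the same model) before replacing anything, which is the kind of comparison the /md5 output above is collected for.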
 
