XP 2011 Security and Windows Fix Disk Virus


  • This topic is locked
87 replies to this topic

#76 Chelli
  • Authentic Member
  • 48 posts

Posted 09 May 2011 - 09:22 AM

Sorry for the delay in response.

Let me know what operating system the other computers have.

XP

LiveReg (Symantec Corporation)
LiveUpdate 2.0 (Symantec Corporation)


You can uninstall them if you wish.


Uninstalled

You also have this program installed, McAfee Security Scan Plus. It probably installed with an Adobe product. I find it a bit of a nuisance. You can uninstall it if you want to.


I think I uninstalled this when I uninstalled AVG rather than making sure it was disarmed.

From your desktop, please delete, if present

  • any notepads/logs that we created
  • GMER (lrdpjyz9.exe)
  • MBRCheck.exe
  • aswMBR.exe
  • RogueKiller
  • TDSSKiller

Next

Click the Start button, click Run. [Vista users, go Start>"Start search"] Copy and paste the following line into the run box and click OK
Combofix /uninstall

Open OTL then click the Clean Up button. You may get prompted by your firewall that OTL wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will do some clean up tasks and delete some of the tools you have downloaded plus itself.


Done

I suggest you keep MBAM. Keep it updated and use it regularly.


Kept and will use.

ESET online scan can be removed via add/remove programs.


Done


Some Recommendations and prevention tips

Basic security consists of 1 antivirus program, 1 resident antispyware program, 1 on demand antispyware program and a firewall. Just add a firewall to what you have.

* If you are behind a router Windows firewall should be fine. Otherwise a 3rd party firewall with outbound monitoring is recommended.


I have a router but how do I know if I am protected behind the windows firewall?


You will need to reinstall the Custom Hosts file that Spybot had previously installed.
1-Left-click the "Spybot - Search & Destroy" shortcut to open the program
2-Right-click an item in the list of immunizations and click "Deselect All."
3-Scroll down to the bottom of the list and click the checkbox to the left of "Global (Hosts)" under the "Windows" header.
4-Click "Immunize" on the Spybot toolbar.


I think I uninstalled spybot when I uninstalled AVG. Will this be a problem?

-Secure your Internet Explorer


Done

-- Make sure you have reset Automatic Updates to your chosen option. Click your start button > Control Panel > System


Done... but should the "Turn off system restore" be checked?



#77 oldman960
  • Forum God
  • Retired Classroom Teacher
  • 14,770 posts

Posted 09 May 2011 - 08:29 PM

Hi Chelli,

I have a router but how do I know if I am protected behind the windows firewall?

Most routers have a built-in firewall. What brand is it?

I think I uninstalled spybot when I uninstalled AVG. Will this be a problem?

Not really, but Teatimer, when enabled, does provide realtime monitoring. Spybot can also be used to create a Custom Hosts file. There are other ways of installing a Custom Hosts file if you don't want to use Spybot, let me know.

Done... but should the "Turn off system restore" be checked?

No the box should not have a check mark in it.

Do the other computers have any specific symptoms?

Proud Graduate of the WTT Classroom
If you are happy with the help you received, please consider making a Donation
Curiosity didn't kill the cat. Ignorance did, curiosity was framed.
Learn how to protect Yourself

Microsoft MVP 2011-2015

Threads will be closed if no response after 5 days.

#78 Chelli
  • Authentic Member
  • 48 posts

Posted 10 May 2011 - 08:56 AM

Most routers have a builtin firewall. What brand is it?


Linksys

Not really but Teatimer when enabled, does provide realtime monitoring. Spybot can also be used to create a Custom Hosts file. There are other ways of installing a Custom Hosts if you don't want to use Spybot, let me know.


I will reinstall Spybot & Teatimer.

No the box should not have a check mark in it.


I unchecked the "turn off system restore" and it is now monitoring (C:)

Do the other computers have any specific symptoms?


One computer only boots up to a windows screen that is missing all icons except one... windows fix disk... and under start it says "empty".

One computer seems to work ok with showing program files & icons but it originally showed the Windows XP 2011 virus that seemed to start this network nightmare. :) It "clicks" a lot all by itself. This is my son's school computer and the one we should probably fix first.

#79 oldman960
  • Forum God
  • Retired Classroom Teacher
  • 14,770 posts

Posted 10 May 2011 - 09:02 PM

Hi Chelli,

Linksys does seem to have a firewall. What is the model?

As requested we'll work on the school computer. Let's start with the basic scans and see what's going on.

Download OTL to your desktop.
  • Double click on OTL.exe to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output
  • Check the boxes beside LOP Check and Purity Check.
  • In the window under Custom Scans/Fixes copy and paste the following


    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lîk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %PROGRAMFILES%\Internet Explorer\*.dat
    %APPDATA%\Mikzosoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Deskuop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    iexplore.*
    explorer.*
    winlogon.*
    dll
    zx.dll
    hlp.dat
    /md5stop

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.


Next

Go HERE to get a randomly named copy of GMER. Scroll down to the Download section and click Download EXE. Save it to your desktop.

Before scanning with GMER, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

  • Double click on the file you downloaded. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


If GMER will not run in normal windows, please run it in Safe Mode


Next

Download RogueKiller to your desktop

  • Quit all running programs
  • When prompted, type 1 and validate
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
Please post the contents of the RKreport.txt in your next Reply.

Please post back with
  • both OTL logs
  • GMER log
  • RogueKiller log
Thanks

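Reading the O4, O33 and O35 lines that the OTL scan above produces, as an added example that is not part of this thread or of OTL itself: the Python script below is a small triage pass over sample lines in OTL's output format. The sample lines are copied from the log posted in reply to these instructions (the McAfee Run entry is there as a benign control); the regexes, the finding labels and the `CLEAN_OPEN_COMMAND` baseline are assumptions of this example, not OTL's own logic. The security point it isolates is the per-user `exefile [open]` command: when that command points at a file in a user-writable folder instead of the stock `"%1" %*`, every `.exe` the user launches is handed to that file first, which is exactly why removal tools "get blocked" and why the RogueKiller step suggests renaming the tool.

```python
import re

# Constructed sample input in OTL's output format. Every line is copied from
# the log posted in this thread; the McAfee entry is a benign control.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [McAfee Managed Services Tray] C:\Program Files\McAfee\Managed VirusScan\DesktopUI\XTray.exe (McAfee, Inc.)
O4 - HKCU..\Run: [Mbfsfe] File not found
O33 - MountPoints2\{346f8dde-9cc2-11df-840b-806d6172696f}\Shell\AutoRun\command - "" = D:\StartBurn.bat
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKCU\..exefile [open] -- "C:\Documents and Settings\Parent\Local Settings\Application Data\otf.exe" -a "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
"""

# Stock shell\open\command for exefile/comfile is "%1" %* (the quotes around %1
# are optional). Anything else runs before, or instead of, the program the
# user double-clicked. (Assumed baseline for this example.)
CLEAN_OPEN_COMMAND = re.compile(r'^"?%1"?\s+%\*$')

# Line shapes as OTL prints them (assumptions of this example, derived from the log).
O35_RE = re.compile(r'^O35 - (HKLM|HKCU)\\\.\.(\w+) \[open\] -- (.*)$')
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\.\.\\Run: \[([^\]]*)\] (.*)$')
O33_RE = re.compile(r'^O33 - MountPoints2\\(\{[^}]+\})\\Shell\\AutoRun\\command - "" = (.*)$')

HIJACK = "exe-association hijack"
ORPHAN = "orphan Run entry"
AUTORUN = "autorun command on removable/optical media"


def triage(log_text):
    """Return a list of (kind, hive, name, detail) tuples worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O35_RE.match(line)
        if m:
            hive, ftype, cmd = m.groups()
            # HKCU overrides HKLM for the interactive user, so a per-user
            # exefile/comfile command is the first thing to check.
            if not CLEAN_OPEN_COMMAND.match(cmd.strip()):
                findings.append((HIJACK, hive, ftype, cmd.strip()))
            continue
        m = O4_RE.match(line)
        if m:
            hive, name, target = m.groups()
            # OTL prints "File not found" when the Run value points at a
            # binary that no longer exists: leftover persistence to remove.
            if target.startswith("File not found"):
                findings.append((ORPHAN, hive, name, target))
            continue
        m = O33_RE.match(line)
        if m:
            guid, cmd = m.groups()
            # Cached AutoRun commands for a mounted volume; usually an
            # installer disc, but worth listing when USB/CD autorun is on.
            findings.append((AUTORUN, "HKCU", guid, cmd.strip()))
    return findings


def hijacked_binary(open_command):
    """Pull the executable a hijacked open command runs, or None if clean."""
    m = re.match(r'^"([^"]+)"', open_command.strip())
    if not m or m.group(1) == "%1":
        return None
    return m.group(1)


if __name__ == "__main__":
    for kind, hive, name, detail in triage(SAMPLE_LOG):
        print(f"[{kind}] {hive} {name}: {detail}")
        if kind == HIJACK:
            print("    binary to examine:", hijacked_binary(detail))
```

The fix for the hijack is to put the per-user command back to `"%1" %*` (it lives under `HKCU\Software\Classes\exefile\shell\open\command`) or delete the per-user override so the clean HKLM value applies, then deal with the file the command pointed at; the orphan Run value can simply be removed. Note the script only classifies what OTL already printed; it does not touch the registry.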

#80 Chelli
  • Authentic Member
  • 48 posts

Posted 11 May 2011 - 02:33 PM

Linksys does seem to have a firewall. What is the model?

WRT54GS

**************************************
OTL.txt:

OTL logfile created on: 5/11/2011 3:36:55 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Parent\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 81.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 93.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 57.51 Gb Free Space | 77.16% Space Free | Partition Type: NTFS

Computer Name: K12-61F27174AE0 | User Name: Parent | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Parent\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe (McAfee, Inc.)
PRC - C:\WINDOWS\system32\mfevtps.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\McAfee\SystemCore\mfeann.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe (McAfee, Inc.)
PRC - C:\Program Files\Canon\IJPLM\ijplmsvc.exe ()
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\LSI SoftModem\agrsmsvc.exe (LSI Corporation)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Parent\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (QueryExplorer Service) -- File not found
SRV - (RumorServer) -- C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe (McAfee, Inc.)
SRV - (myAgtSvc) -- C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.Exe (McAfee, Inc.)
SRV - (mfevtp) -- C:\WINDOWS\system32\mfevtps.exe (McAfee, Inc.)
SRV - (McShield) -- C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe (McAfee, Inc.)
SRV - (IJPLMSVC) -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe ()
SRV - (AgereModemAudio) -- C:\Program Files\LSI SoftModem\agrsmsvc.exe (LSI Corporation)


========== Driver Services (SafeList) ==========

DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (MfeAVFK) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)
DRV - (mfeapfk) -- C:\WINDOWS\system32\drivers\mfeapfk.sys (McAfee, Inc.)
DRV - (mfetdi2k) -- C:\WINDOWS\system32\drivers\mfetdi2k.sys (McAfee, Inc.)
DRV - (mferkdet) -- C:\WINDOWS\system32\drivers\mferkdet.sys (McAfee, Inc.)
DRV - (MfeBOPK) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)
DRV - (MfeRKDK) -- C:\WINDOWS\system32\drivers\mferkdk.sys (McAfee, Inc.)
DRV - (mfetdik) -- C:\WINDOWS\system32\drivers\mfetdik.sys (McAfee, Inc.)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (AgereSoftModem) -- C:\WINDOWS\system32\drivers\AGRSM.sys (LSI Corporation)
DRV - (b57w2k) -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.k12.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.k12.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\URLSearchHook: {1c9b96a0-cba2-482e-9c40-9200b547123a} - C:\Program Files\Productivity\prxtbPro0.dll (Conduit Ltd.)
IE - HKCU\..\URLSearchHook: {392d065e-4679-4d12-8342-2a2d505fd309} - C:\Program Files\Quizulous2\tbQuiz.dll (Conduit Ltd.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\extensions\\ShopperReports@ShopperReports.com: C:\Program Files\ShopperReports3\bin\3.0.497.0\firefox\firefoxtoolbar\extensions [2010/10/14 13:14:39 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\HBLite@HBLite.com: C:\Program Files\HBLite\bin\11.0.264.0\firefox\extensions [2010/10/14 13:15:58 | 000,000,000 | ---D | M]

[2010/11/10 11:13:31 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Parent\Application Data\Mozilla\Extensions
[2010/11/10 11:13:31 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Parent\Application Data\Mozilla\Extensions\IMVUClientXUL@imvu.com

O1 HOSTS File: ([2002/12/31 08:00:00 | 000,002,670 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 72.52.4.76 www.limewire.com
O1 - Hosts: 72.52.4.76 www.frostwire.com
O1 - Hosts: 72.52.4.76 www.bit-torrent.com
O1 - Hosts: 72.52.4.76 www.bearshare.com
O1 - Hosts: 72.52.4.76 www.zeropaid.com
O1 - Hosts: 72.52.4.76 www.felmlee.com
O1 - Hosts: 72.52.4.76 www.gnutelliums.com
O1 - Hosts: 72.52.4.76 phex.sourceforge.net
O1 - Hosts: 72.52.4.76 www.revolutionarystuff.com
O1 - Hosts: 72.52.4.76 www.xolox.nl
O1 - Hosts: 72.52.4.76 www.grokster.com
O1 - Hosts: 72.52.4.76 www.morpheus.com
O1 - Hosts: 72.52.4.76 www.music-e.net
O1 - Hosts: 72.52.4.76 www.chadsmp3s.com
O1 - Hosts: 72.52.4.76 www.napster.com
O1 - Hosts: 72.52.4.76 www.napstermp3.com
O1 - Hosts: 72.52.4.76 www.shareaza.com
O1 - Hosts: 72.52.4.76 www.neo-modus.com
O1 - Hosts: 72.52.4.76 www.filetopia.org
O1 - Hosts: 72.52.4.76 www.imesh.com
O1 - Hosts: 72.52.4.76 www.gnutellaforums.com
O1 - Hosts: 72.52.4.76 www.kazaa.com
O1 - Hosts: 72.52.4.76 www.torrent-finder.com
O1 - Hosts: 72.52.4.76 www.sharetv.org
O1 - Hosts: 27 more lines...
O2 - BHO: (Productivity Toolbar) - {1c9b96a0-cba2-482e-9c40-9200b547123a} - C:\Program Files\Productivity\prxtbPro0.dll (Conduit Ltd.)
O2 - BHO: (ShoppingReport2) - {258C9770-1713-4021-8D7E-1F184A2BD754} - C:\Program Files\ShoppingReport2\Bin\2.7.27\ShoppingReport.dll (SmartShopper Networks)
O2 - BHO: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll (Conduit Ltd.)
O2 - BHO: (Canon Easy-WebPrint EX BHO) - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll (CANON INC.)
O2 - BHO: (Quizulous2 Toolbar) - {392d065e-4679-4d12-8342-2a2d505fd309} - C:\Program Files\Quizulous2\tbQuiz.dll (Conduit Ltd.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110304131040.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Productivity Toolbar) - {1c9b96a0-cba2-482e-9c40-9200b547123a} - C:\Program Files\Productivity\prxtbPro0.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Quizulous2 Toolbar) - {392d065e-4679-4d12-8342-2a2d505fd309} - C:\Program Files\Quizulous2\tbQuiz.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O3 - HKCU\..\Toolbar\WebBrowser: (Productivity Toolbar) - {1C9B96A0-CBA2-482E-9C40-9200B547123A} - C:\Program Files\Productivity\prxtbPro0.dll (Conduit Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll (Conduit Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (Quizulous2 Toolbar) - {392D065E-4679-4D12-8342-2A2D505FD309} - C:\Program Files\Quizulous2\tbQuiz.dll (Conduit Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [HBLiteSA] C:\Program Files\HBLite\bin\11.0.264.0\HBLiteSA.exe (Pinball Corporation.)
O4 - HKLM..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe ()
O4 - HKLM..\Run: [McAfee Managed Services Tray] C:\Program Files\McAfee\Managed VirusScan\DesktopUI\XTray.exe (McAfee, Inc.)
O4 - HKLM..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe (RICOH CO.,LTD.)
O4 - HKLM..\Run: [MVS Splash] C:\Program Files\McAfee\Managed VirusScan\DesktopUI\XTray.exe (McAfee, Inc.)
O4 - HKCU..\Run: [Mbfsfe] File not found
O4 - HKCU..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe (AWS Convergence Technologies, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - File not found
O9 - Extra Button: ShopperReports - Compare product prices - {DB38E21A-0133-419d-92AD-ECDFD5244D6D} - C:\Program Files\ShoppingReport2\Bin\2.7.27\ShoppingReport.dll (SmartShopper Networks)
O9 - Extra Button: ShopperReports - Compare travel rates - {EB620C54-E229-4942-87CE-E717109FC8C6} - C:\Program Files\ShoppingReport2\Bin\2.7.27\ShoppingReport.dll (SmartShopper Networks)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: //about.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Exclude.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //LanguageSelection.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Message.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //MyAgttryCmd.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //MyAgttryNag.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //MyNotification.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //NOCLessUpdate.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //quarantine.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //ScanNow.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //strings.vbs/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Template.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Update.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //VirFound.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafee.com ([*] http in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafee.com ([*] https in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([betavscan] http in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([betavscan] https in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([vs] http in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([vs] https in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([www] http in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([www] https in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_16)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.221.32.125 209.221.32.124
O18 - Protocol\Handler\myrm {4D034FC3-013F-4b95-B544-44D49ABE3E76} - C:\Program Files\McAfee\Managed VirusScan\Agent\MyRmProt5.0.0.811.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Parent\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Parent\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/06/23 19:10:27 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{346f8dde-9cc2-11df-840b-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{346f8dde-9cc2-11df-840b-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{346f8dde-9cc2-11df-840b-806d6172696f}\Shell\AutoRun\command - "" = D:\StartBurn.bat
O33 - MountPoints2\{b7353bb6-7eda-11df-9d30-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{b7353bb6-7eda-11df-9d30-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{b7353bb6-7eda-11df-9d30-806d6172696f}\Shell\AutoRun\command - "" = D:\setup.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKCU\..exefile [open] -- "C:\Documents and Settings\Parent\Local Settings\Application Data\otf.exe" -a "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 30 Days ==========

File not found --
[2011/05/11 15:34:52 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Parent\Desktop\OTL.exe
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/05/11 15:35:10 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Parent\Desktop\OTL.exe
[2011/05/11 14:58:29 | 000,311,934 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/05/11 14:58:29 | 000,040,196 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/05/11 14:53:57 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/05/11 14:53:41 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/05/11 14:53:40 | 000,045,668 | ---- | M] () -- C:\WINDOWS\System32\ativvaxx.cap
[2011/05/11 14:53:36 | 2011,512,832 | -HS- | M] () -- C:\hiberfil.sys
[2011/05/10 08:13:04 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/05/04 13:36:02 | 000,000,226 | ---- | M] () -- C:\Documents and Settings\Parent\Desktop\Click to go to Study Island..url
[2011/04/15 03:19:39 | 000,259,048 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/04/15 03:03:55 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/03/02 12:28:17 | 000,011,628 | -HS- | C] () -- C:\Documents and Settings\Parent\Local Settings\Application Data\1051646004
[2011/03/02 12:28:17 | 000,011,628 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\1051646004
[2011/01/11 14:21:28 | 000,000,319 | ---- | C] () -- C:\WINDOWS\SWWATER.INI
[2010/10/04 12:00:59 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\Parent\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/09/21 14:56:50 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\RPCS.ini
[2010/09/21 14:56:02 | 000,027,489 | ---- | C] () -- C:\WINDOWS\RicDB.ini
[2010/09/21 14:55:45 | 000,000,226 | ---- | C] () -- C:\WINDOWS\PMJobCli.ini
[2010/09/21 14:55:44 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\PMObservps.dll
[2010/09/21 14:55:36 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\RLPR.dll
[2010/09/21 14:55:36 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\rtcpf.dll
[2010/09/21 14:55:34 | 000,348,160 | ---- | C] () -- C:\WINDOWS\System32\rpnv2ui.dll
[2010/09/21 14:55:34 | 000,270,336 | R--- | C] () -- C:\WINDOWS\System32\rpnv2job.dll
[2010/09/21 14:55:27 | 000,012,027 | ---- | C] () -- C:\WINDOWS\PMRicMb.ini
[2010/09/21 14:55:27 | 000,006,702 | ---- | C] () -- C:\WINDOWS\PMRicPMb.ini
[2010/09/21 14:55:27 | 000,005,390 | ---- | C] () -- C:\WINDOWS\PMPrtMb.ini
[2010/09/21 14:55:27 | 000,003,611 | ---- | C] () -- C:\WINDOWS\PMRicFMb.ini
[2010/09/21 14:55:27 | 000,003,005 | ---- | C] () -- C:\WINDOWS\PMDvPrn.ini
[2010/09/21 14:55:27 | 000,002,087 | ---- | C] () -- C:\WINDOWS\PMDvDev.ini
[2010/09/21 14:55:27 | 000,002,047 | ---- | C] () -- C:\WINDOWS\PMDIOMb.ini
[2010/09/21 14:55:27 | 000,002,036 | ---- | C] () -- C:\WINDOWS\PMHostMb.ini
[2010/09/21 14:55:27 | 000,001,885 | ---- | C] () -- C:\WINDOWS\PMPSIOMb.ini
[2010/09/21 14:55:27 | 000,001,727 | ---- | C] () -- C:\WINDOWS\PMRicSMb.ini
[2010/09/21 14:55:27 | 000,001,706 | ---- | C] () -- C:\WINDOWS\PMRicCMb.ini
[2010/09/21 14:55:27 | 000,001,494 | ---- | C] () -- C:\WINDOWS\PMMib2Mb.ini
[2010/09/21 14:55:27 | 000,001,143 | ---- | C] () -- C:\WINDOWS\PMDPIMb.ini
[2010/09/21 14:55:27 | 000,001,094 | ---- | C] () -- C:\WINDOWS\PMAxsMb.ini
[2010/09/21 14:55:27 | 000,000,994 | ---- | C] () -- C:\WINDOWS\PMDvFax.ini
[2010/09/21 14:55:27 | 000,000,842 | ---- | C] () -- C:\WINDOWS\PMDvScan.ini
[2010/09/21 14:55:27 | 000,000,423 | ---- | C] () -- C:\WINDOWS\PMDvCopy.ini
[2010/09/21 14:55:27 | 000,000,332 | ---- | C] () -- C:\WINDOWS\PMSnmpMb.ini
[2010/09/21 14:55:25 | 000,028,672 | ---- | C] () -- C:\WINDOWS\PMApisv.dll
[2010/09/21 14:55:25 | 000,028,672 | ---- | C] () -- C:\WINDOWS\PMApipt.dll
[2010/09/21 14:55:25 | 000,028,672 | ---- | C] () -- C:\WINDOWS\PMApipl.dll
[2010/09/21 14:55:25 | 000,028,672 | ---- | C] () -- C:\WINDOWS\PMApino.dll
[2010/09/21 14:55:25 | 000,028,672 | ---- | C] () -- C:\WINDOWS\PMApinl.dll
[2010/09/21 14:55:25 | 000,028,672 | ---- | C] () -- C:\WINDOWS\PMApiit.dll
[2010/09/21 14:55:25 | 000,028,672 | ---- | C] () -- C:\WINDOWS\PMApihu.dll
[2010/09/21 14:55:25 | 000,028,672 | ---- | C] () -- C:\WINDOWS\PMApifr.dll
[2010/09/21 14:55:25 | 000,028,672 | ---- | C] () -- C:\WINDOWS\PMApifi.dll
[2010/09/21 14:55:25 | 000,028,672 | ---- | C] () -- C:\WINDOWS\PMApies.dll
[2010/09/21 14:55:24 | 000,028,672 | ---- | C] () -- C:\WINDOWS\PMApide.dll
[2010/09/21 14:55:24 | 000,028,672 | ---- | C] () -- C:\WINDOWS\PMApida.dll
[2010/09/21 14:55:24 | 000,028,672 | ---- | C] () -- C:\WINDOWS\PMApics.dll
[2010/07/31 12:50:16 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2010/06/23 19:19:11 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/06/23 19:14:44 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/06/23 19:07:23 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/06/23 12:03:24 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
[2010/06/23 12:00:58 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/06/23 11:59:47 | 000,259,048 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2002/12/31 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2002/12/31 08:00:00 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativvaxx.dat
[2002/12/31 08:00:00 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativva5x.dat
[2002/12/31 08:00:00 | 000,887,724 | ---- | C] () -- C:\WINDOWS\System32\ativva6x.dat
[2002/12/31 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2002/12/31 08:00:00 | 000,311,934 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2002/12/31 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2002/12/31 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2002/12/31 08:00:00 | 000,176,214 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2002/12/31 08:00:00 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\ATIBRTMON.EXE
[2002/12/31 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2002/12/31 08:00:00 | 000,040,196 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2002/12/31 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2002/12/31 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2002/12/31 08:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2002/12/31 08:00:00 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/12/31 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2002/12/31 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== LOP Check ==========

[2010/10/14 13:15:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
[2010/09/07 10:15:35 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2010/12/12 20:23:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJ
[2010/11/03 18:13:52 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJEPPEX
[2010/09/07 10:35:38 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJMyPrinter
[2011/03/02 11:20:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJPLM
[2010/11/03 17:44:01 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJScan
[2010/09/07 10:35:49 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJSolutionMenu
[2011/03/09 23:59:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HBLiteSA
[2010/11/11 14:09:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PMB Files
[2011/01/06 10:07:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\QueryExplorer
[2010/12/25 12:39:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/12/13 21:47:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Parent\Application Data\Canon
[2010/11/08 20:54:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Parent\Application Data\Canon Easy-WebPrint EX
[2010/10/12 10:50:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Parent\Application Data\Elluminate
[2010/10/14 13:15:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Parent\Application Data\HBLite
[2011/03/02 11:20:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Parent\Application Data\IMVU
[2010/11/10 11:13:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Parent\Application Data\IMVUClient
[2011/05/11 14:54:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Parent\Application Data\PriceGong
[2010/10/14 13:18:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Parent\Application Data\ShopperReports3
[2011/05/10 15:57:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Parent\Application Data\ShoppingReport2
[2010/10/14 14:06:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Parent\Application Data\Unity
[2010/11/10 11:37:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Parent\Application Data\Vivox
[2010/12/11 15:38:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Parent\Application Data\WeatherBug

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2010/06/23 19:10:27 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010/09/03 15:38:01 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2010/06/23 19:10:27 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2011/05/11 14:53:36 | 2011,512,832 | -HS- | M] () -- C:\hiberfil.sys
[2010/06/23 19:10:27 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/06/23 19:10:27 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2002/12/31 08:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2002/12/31 08:00:00 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2011/05/11 14:53:36 | 2011,443,200 | -HS- | M] () -- C:\pagefile.sys

< %systemroot%\Fonts\*.com >

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2010/06/23 19:09:54 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2010/02/04 05:00:00 | 000,027,648 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPD9W.DLL
[2010/02/04 05:00:00 | 000,070,656 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPP9W.DLL
[2002/12/31 08:00:00 | 000,025,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2010/06/23 11:57:54 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2010/06/23 11:57:54 | 001,089,536 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2010/06/23 11:57:54 | 000,925,696 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lîk /x >
[2010/06/23 19:10:30 | 000,000,294 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini
[2010/09/03 16:05:33 | 000,002,433 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\New Office Document.lnk
[2010/06/23 19:18:44 | 000,002,002 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Open Office Document.lnk
[2010/06/23 19:10:30 | 000,001,607 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Set Program Access and Defaults.lnk
[2010/06/23 19:10:30 | 000,000,398 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Windows Catalog.lnk
[2010/06/23 19:10:30 | 000,001,507 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Windows Update.lnk

< %systemroot%\system32\config\systemprofile\*.dat /x >
[1 C:\WINDOWS\system32\config\systemprofile\*.tmp files -> C:\WINDOWS\system32\config\systemprofile\*.tmp -> ]

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %APPDATA%\Mikzosoft\Internet Explorer\Quick Launch\*.lnk /x >

< %USERPROFILE%\Deskuop\*.exe >

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2011-04-28 07:01:45


< MD5 for: EXPLORER.EXE >
[2002/12/31 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2002/12/31 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\system32\dllcache\explorer.exe

< MD5 for: EXPLORER.SCF >
[2002/12/31 08:00:00 | 000,000,080 | ---- | M] () MD5=A3975A7D2C98B30A2AE010754FFB9392 -- C:\WINDOWS\explorer.scf

< MD5 for: IEXPLORE.CHM >
[2002/12/31 08:00:00 | 000,204,810 | ---- | M] () MD5=60858526AAD1CC55F5F0055B8E3B66FE -- C:\WINDOWS\ie7\iexplore.chm
[2006/09/01 11:43:50 | 000,503,758 | ---- | M] () MD5=652E46500C149D1DC948BF9CEA8C4933 -- C:\WINDOWS\Help\iexplore.chm

< MD5 for: IEXPLORE.EXE >
[2010/12/20 07:25:27 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=091D358EFC9D22901BD879EF37F0DAC4 -- C:\WINDOWS\ie7updates\KB2497640-IE7\iexplore.exe
[2010/06/17 11:12:57 | 000,634,656 | ---- | M] (Microsoft Corporation) MD5=203E897F843D56496E2CC101DFF6CE34 -- C:\WINDOWS\ie7updates\KB2360131-IE7\iexplore.exe
[2002/12/31 08:00:00 | 000,093,184 | ---- | M] (Microsoft Corporation) MD5=55794B97A7FAABD2910873C85274F409 -- C:\WINDOWS\ie7\iexplore.exe
[2010/10/18 07:07:43 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=72D1F43C4146D312B0DB6AB98C21340E -- C:\WINDOWS\ie7updates\KB2482017-IE7\iexplore.exe
[2010/06/17 10:45:15 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=B0BC6DC9C9277250C5C8F7B7A48A02CC -- C:\WINDOWS\$hf_mig$\KB2183461-IE7\SP3QFE\iexplore.exe
[2010/12/20 06:49:55 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=B74CBEBA34E3CAA2CCACC87FEE8A16C0 -- C:\WINDOWS\$hf_mig$\KB2482017-IE7\SP3QFE\iexplore.exe
[2010/10/18 06:36:30 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=DA6E1F0F1932B62DD2F6ED05541C555C -- C:\WINDOWS\$hf_mig$\KB2416400-IE7\SP3QFE\iexplore.exe
[2007/08/13 21:43:56 | 000,622,080 | ---- | M] (Microsoft Corporation) MD5=DE49B348A18369B4626FBA1D49B07FB4 -- C:\WINDOWS\ie7updates\KB2183461-IE7\iexplore.exe
[2011/02/14 07:36:55 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=E3CC8CCF21BFDC954255BB17083FB9F0 -- C:\WINDOWS\$hf_mig$\KB2497640-IE7\SP3QFE\iexplore.exe
[2011/02/14 08:17:08 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=E4A798DFDE7FE6E79F23548F0EF0F844 -- C:\Program Files\Internet Explorer\iexplore.exe
[2011/02/14 08:17:08 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=E4A798DFDE7FE6E79F23548F0EF0F844 -- C:\WINDOWS\system32\dllcache\iexplore.exe
[2010/08/25 07:30:33 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=E5412ED9E07C42C20C48D3FF71E6B1E8 -- C:\WINDOWS\ie7updates\KB2416400-IE7\iexplore.exe
[2010/08/25 07:07:58 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=F047BEB9771E45A05F425499A30F9BBA -- C:\WINDOWS\$hf_mig$\KB2360131-IE7\SP3QFE\iexplore.exe

< MD5 for: IEXPLORE.EXE.MUI >
[2007/08/13 21:43:36 | 000,573,440 | ---- | M] (Microsoft Corporation) MD5=B58D8A1C7EE0E922EC7D2616DA136FC3 -- C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui

< MD5 for: IEXPLORE.EXE-27122324.PF >
[2011/05/10 18:20:07 | 000,131,872 | ---- | M] () MD5=E9AB38BD507880DD8B38E1DA8639FBD9 -- C:\WINDOWS\Prefetch\IEXPLORE.EXE-27122324.pf

< MD5 for: IEXPLORE.HLP >
[2002/12/31 08:00:00 | 000,180,335 | ---- | M] () MD5=3F19AF1B745140DAFAC6F78F561A3C62 -- C:\WINDOWS\Help\iexplore.hlp

< MD5 for: WINLOGON.EXE >
[2002/12/31 08:00:00 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\dllcache\winlogon.exe
[2002/12/31 08:00:00 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< End of report >

*********************************************

Extra.txt

OTL Extras logfile created on: 5/11/2011 3:36:55 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Parent\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 81.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 93.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 57.51 Gb Free Space | 77.16% Space Free | Partition Type: NTFS

Computer Name: K12-61F27174AE0 | User Name: Parent | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"56394:TCP" = 56394:TCP:*:Enabled:Pando Media Booster
"56394:UDP" = 56394:UDP:*:Enabled:Pando Media Booster

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"56394:TCP" = 56394:TCP:*:Enabled:Pando Media Booster
"56394:UDP" = 56394:UDP:*:Enabled:Pando Media Booster

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()
"C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe" = C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe:*:Enabled:Managed Services Agent -- (McAfee, Inc.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe" = C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe:*:Enabled:Managed Services Agent -- (McAfee, Inc.)
"C:\Program Files\Java\jre6\bin\javaw.exe" = C:\Program Files\Java\jre6\bin\javaw.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP250_series" = Canon MP250 series MP Drivers
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 16
"{2A981294-F14C-4F0F-9627-D793270922F8}" = Bonjour
"{308B6AEA-DE50-4666-996D-0FA461719D6B}" = Apple Mobile Device Support
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{8215AC14-BFC2-4ECC-96D6-1030202F8BDF}" = Visual C++ 8.0 x86 Runtime Setup Package
"{881F5DE8-9367-4B81-A325-E91BBC6472F9}" = iTunes
"{8F018A9E-56DE-4A79-A5EF-25F413F1D538}" = WeatherBug
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.0
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F44F0A3A-2110-4705-B5EC-D5B6371F53C1}" = Visual C++ 8.0 x86 Runtime Setup Package
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"ATI Display Driver" = ATI Display Driver
"Canon MP250 series User Registration" = Canon MP250 series User Registration
"CANONIJPLM100" = Canon Inkjet Printer/Scanner/Fax Extended Survey Program
"CanonMyPrinter" = Canon Utilities My Printer
"CanonSolutionMenu" = Canon Utilities Solution Menu
"conduitEngine" = Conduit Engine
"Easy-PhotoPrint EX" = Canon Utilities Easy-PhotoPrint EX
"Easy-WebPrint EX" = Canon Easy-WebPrint EX
"HBLiteSA" = Hotbar
"HOTLLAMA Media Player" = HOTLLAMA Media Player
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"LSI Soft Modem" = LSI PCI-SV92PP Soft Modem
"Macromedia Shockwave Player" = Macromedia Shockwave Player
"MP Navigator EX 3.0" = Canon MP Navigator EX 3.0
"MVS" = McAfee Virus and Spyware Protection Service
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PMClient" = SmartNetMonitor for Client
"Productivity Toolbar" = Productivity Toolbar
"QueryExplorer" = QueryExplorer 1.0 build 119
"Quizulous2 Toolbar" = Quizulous2 Toolbar
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"ShopperReportsSA" = ShopperReports
"ShoppingReport2" = ShopperReports

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"IMVU Avatar chat client software BETA" = IMVU Avatar Chat Software
"UnityWebPlayer" = Unity Web Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/26/2010 10:06:48 AM | Computer Name = K12-61F27174AE0 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.17091, faulting
module unknown, version 0.0.0.0, fault address 0x04764660.

Error - 11/8/2010 1:09:26 PM | Computer Name = K12-61F27174AE0 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.17091, faulting
module unknown, version 0.0.0.0, fault address 0x132797d1.

Error - 12/5/2010 2:23:53 PM | Computer Name = K12-61F27174AE0 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.17091, faulting
module flash10c.ocx, version 10.0.32.18, fault address 0x0002aaff.

Error - 12/13/2010 9:20:08 AM | Computer Name = K12-61F27174AE0 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.17091, faulting
module unknown, version 0.0.0.0, fault address 0x002f004c.

Error - 1/28/2011 3:39:28 PM | Computer Name = K12-61F27174AE0 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.17093, faulting
module tbprod.dll, version 6.2.6.0, fault address 0x00037712.

Error - 3/2/2011 11:27:10 AM | Computer Name = K12-61F27174AE0 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.17095, faulting
module tbprod.dll, version 6.2.6.0, fault address 0x00037712.

Error - 3/4/2011 2:57:37 PM | Computer Name = K12-61F27174AE0 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.17095, faulting
module unknown, version 0.0.0.0, fault address 0x103bfafe.

Error - 3/16/2011 2:02:35 PM | Computer Name = K12-61F27174AE0 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.17095, faulting
module oleaut32.dll, version 5.1.2600.5512, fault address 0x00004942.

Error - 4/23/2011 4:09:13 PM | Computer Name = K12-61F27174AE0 | Source = Application Error | ID = 1000
Description = Faulting application 0.9632160306027376.exe, version 1.0.0.1, faulting
module unknown, version 0.0.0.0, fault address 0x80544cfd.

Error - 4/23/2011 4:09:15 PM | Computer Name = K12-61F27174AE0 | Source = Application Error | ID = 1000
Description = Faulting application 0.3750734903329507.exe, version 1.0.0.1, faulting
module unknown, version 0.0.0.0, fault address 0x80544cfd.

[ System Events ]
Error - 12/5/2010 2:02:08 PM | Computer Name = K12-61F27174AE0 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
i8042prt

Error - 12/12/2010 8:20:25 PM | Computer Name = K12-61F27174AE0 | Source = SideBySide | ID = 16842786
Description = Component identity found in manifest does not match the identity of
the component requested

Error - 12/12/2010 8:20:25 PM | Computer Name = K12-61F27174AE0 | Source = SideBySide | ID = 16842810
Description = Syntax error in manifest or policy file "C:\Program Files\Canon\Easy-PhotoPrint
EX\Microsoft.VC80.MFCLOC.MANIFEST" on line 5.

Error - 12/12/2010 8:20:25 PM | Computer Name = K12-61F27174AE0 | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\Program Files\Canon\Easy-PhotoPrint
EX\MFC80U.DLL. Reference error message: The operation completed successfully. .

Error - 12/12/2010 8:21:12 PM | Computer Name = K12-61F27174AE0 | Source = SideBySide | ID = 16842786
Description = Component identity found in manifest does not match the identity of
the component requested

Error - 12/12/2010 8:21:12 PM | Computer Name = K12-61F27174AE0 | Source = SideBySide | ID = 16842810
Description = Syntax error in manifest or policy file "C:\Program Files\Canon\Easy-PhotoPrint
EX\Microsoft.VC80.MFCLOC.MANIFEST" on line 5.

Error - 12/12/2010 8:21:12 PM | Computer Name = K12-61F27174AE0 | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\Program Files\Canon\Easy-PhotoPrint
EX\MFC80U.DLL. Reference error message: The operation completed successfully. .

Error - 12/14/2010 4:17:01 AM | Computer Name = K12-61F27174AE0 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
i8042prt

Error - 12/15/2010 1:46:30 PM | Computer Name = K12-61F27174AE0 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
i8042prt

Error - 12/16/2010 12:29:56 PM | Computer Name = K12-61F27174AE0 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
i8042prt


< End of report >

****************************************

Gmer.txt

GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-11 16:22:02
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800JD-60LSA5 rev.10.01E03
Running: 0ij3hzri.exe; Driver: C:\DOCUME~1\Parent\LOCALS~1\Temp\kwqdypod.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9EAF0C0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9EAF0D4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9EAF100]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9EAF156]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9EAF0AC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9EAF084]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9EAF098]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9EAF0EA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB9EAF12C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9EAF116]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9EAF180]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9EAF16C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9EAF140]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 8050225C 7 Bytes JMP B9EAF144 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805A75C4 7 Bytes JMP B9EAF15A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A83DA 5 Bytes JMP B9EAF170 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetSecurityObject 805B6114 5 Bytes JMP B9EAF130 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805C13F8 5 Bytes JMP B9EAF088 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805C1684 5 Bytes JMP B9EAF09C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8DA6 5 Bytes JMP B9EAF184 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 8061925E 7 Bytes JMP B9EAF11A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 8061A70E 7 Bytes JMP B9EAF0EE mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 8061ACEC 5 Bytes JMP B9EAF0C4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8061B188 7 Bytes JMP B9EAF0D8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8061B358 7 Bytes JMP B9EAF104 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 8061C0CA 5 Bytes JMP B9EAF0B0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB982F000, 0x1A4422, 0xE8000020]
? C:\DOCUME~1\Parent\LOCALS~1\Temp\kwqdypob.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[660] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00900000
.text C:\WINDOWS\system32\svchost.exe[660] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00900022
.text C:\WINDOWS\system32\svchost.exe[660] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00900011
.text C:\WINDOWS\system32\svchost.exe[660] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\system32\svchost.exe[660] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA006C
.text C:\WINDOWS\system32\svchost.exe[660] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA005B
.text C:\WINDOWS\system32\svchost.exe[660] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA0F81
.text C:\WINDOWS\system32\svchost.exe[660] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA004A
.text C:\WINDOWS\system32\svchost.exe[660] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA0FA8
.text C:\WINDOWS\system32\svchost.exe[660] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA00A9
.text C:\WINDOWS\system32\svchost.exe[660] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA0098
.text C:\WINDOWS\system32\svchost.exe[660] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA0F50
.text C:\WINDOWS\system32\svchost.exe[660] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA00E9
.text C:\WINDOWS\system32\svchost.exe[660] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BA0F3F
.text C:\WINDOWS\system32\svchost.exe[660] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BA0039
.text C:\WINDOWS\system32\svchost.exe[660] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BA0FDE
.text C:\WINDOWS\system32\svchost.exe[660] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BA0087
.text C:\WINDOWS\system32\svchost.exe[660] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BA001E
.text C:\WINDOWS\system32\svchost.exe[660] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BA0FCD
.text C:\WINDOWS\system32\svchost.exe[660] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BA00CE
.text C:\WINDOWS\system32\svchost.exe[660] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B90FB9
.text C:\WINDOWS\system32\svchost.exe[660] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B9004A
.text C:\WINDOWS\system32\svchost.exe[660] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B90FCA
.text C:\WINDOWS\system32\svchost.exe[660] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B90FE5
.text C:\WINDOWS\system32\svchost.exe[660] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B90039
.text C:\WINDOWS\system32\svchost.exe[660] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B90000
.text C:\WINDOWS\system32\svchost.exe[660] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B90F8D
.text C:\WINDOWS\system32\svchost.exe[660] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D9, 88]
.text C:\WINDOWS\system32\svchost.exe[660] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B90FA8
.text C:\WINDOWS\system32\svchost.exe[660] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00930FA6
.text C:\WINDOWS\system32\svchost.exe[660] msvcrt.dll!system 77C293C7 5 Bytes JMP 00930FC1
.text C:\WINDOWS\system32\svchost.exe[660] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00930FD2
.text C:\WINDOWS\system32\svchost.exe[660] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00930000
.text C:\WINDOWS\system32\svchost.exe[660] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00930031
.text C:\WINDOWS\system32\svchost.exe[660] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00930FE3
.text C:\WINDOWS\system32\svchost.exe[660] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 0091000A
.text C:\WINDOWS\system32\svchost.exe[660] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00910FEF
.text C:\WINDOWS\system32\svchost.exe[660] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00910FCA
.text C:\WINDOWS\system32\svchost.exe[660] WININET.dll!InternetOpenUrlW 3D998471 5 Bytes JMP 0091001B
.text C:\WINDOWS\system32\svchost.exe[660] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00920FE5
.text C:\WINDOWS\system32\services.exe[832] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00040FE5
.text C:\WINDOWS\system32\services.exe[832] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00040FAF
.text C:\WINDOWS\system32\services.exe[832] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00040FD4
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00900000
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00900F81
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0090006C
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0090005B
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00900F9E
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00900FB9
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00900F49
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00900F5A
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00900F0C
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00900F1D
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009000B6
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00900040
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00900FEF
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00900091
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00900FD4
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0090001B
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00900F38
.text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00070040
.text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00070F9E
.text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00070025
.text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00070FAF
.text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00070FCA
.text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [27, 88]
.text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00070051
.text C:\WINDOWS\system32\services.exe[832] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00060F8D
.text C:\WINDOWS\system32\services.exe[832] msvcrt.dll!system 77C293C7 5 Bytes JMP 00060FA8
.text C:\WINDOWS\system32\services.exe[832] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00060FDE
.text C:\WINDOWS\system32\services.exe[832] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0006000C
.text C:\WINDOWS\system32\services.exe[832] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00060FC3
.text C:\WINDOWS\system32\services.exe[832] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[832] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0005000A
.text C:\WINDOWS\system32\lsass.exe[844] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C60FEF
.text C:\WINDOWS\system32\lsass.exe[844] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C60FD4
.text C:\WINDOWS\system32\lsass.exe[844] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C60000
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D20000
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D20F94
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D20089
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D20FAF
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D2006C
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D20FD4
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D20F5E
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D2009A
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D20F32
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D20F43
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D200E6
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D2005B
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D20FEF
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D20F79
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D20040
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D20025
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D200C1
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D10FB2
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D1005E
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D10FC3
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D10FD4
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D10043
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D10FEF
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D10FA1
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F1, 88]
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D1001E
.text C:\WINDOWS\system32\lsass.exe[844] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D00031
.text C:\WINDOWS\system32\lsass.exe[844] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D00FA6
.text C:\WINDOWS\system32\lsass.exe[844] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D00FD2
.text C:\WINDOWS\system32\lsass.exe[844] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D00FEF
.text C:\WINDOWS\system32\lsass.exe[844] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D00FC1
.text C:\WINDOWS\system32\lsass.exe[844] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D0000C
.text C:\WINDOWS\system32\lsass.exe[844] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CF0000
.text C:\WINDOWS\system32\svchost.exe[1012] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F00FEF
.text C:\WINDOWS\system32\svchost.exe[1012] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F00FC3
.text C:\WINDOWS\system32\svchost.exe[1012] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F00FD4
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F40FEF
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F4009A
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F40089
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F40062
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F40051
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F40FB9
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F400D2
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F40F8A
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F40F6F
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F400FE
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F40123
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F40036
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F40FD4
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F400AB
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F40025
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F40014
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F400ED
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F30000
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F3001B
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F30FB9
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F30FCA
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F30F54
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F30FEF
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F30F6F
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [13, 89]
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F30F94
.text C:\WINDOWS\system32\svchost.exe[1012] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F20F86
.text C:\WINDOWS\system32\svchost.exe[1012] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F20FA1
.text C:\WINDOWS\system32\svchost.exe[1012] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F2001B
.text C:\WINDOWS\system32\svchost.exe[1012] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F20000
.text C:\WINDOWS\system32\svchost.exe[1012] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F20FBC
.text C:\WINDOWS\system32\svchost.exe[1012] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F20FD7
.text C:\WINDOWS\system32\svchost.exe[1012] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F1000A
.text C:\WINDOWS\system32\svchost.exe[1112] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C50FE5
.text C:\WINDOWS\system32\svchost.exe[1112] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C5001B
.text C:\WINDOWS\system32\svchost.exe[1112] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C5000A
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C90000
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C90069
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C9004E
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C90F80
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C90F91
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C90FC0
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C900B2
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C90095
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C90F48
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C900D7
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C900F2
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C9003D
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C90011
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C90084
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C9002C
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C90FDB
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C90F59
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C80FCD
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C80054
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C80FDE
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C80FEF
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C80F97
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C8000A
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C80039
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C80FB2
.text C:\WINDOWS\system32\svchost.exe[1112] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C70051
.text C:\WINDOWS\system32\svchost.exe[1112] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C70036
.text C:\WINDOWS\system32\svchost.exe[1112] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C70FC6
.text C:\WINDOWS\system32\svchost.exe[1112] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C70FE3
.text C:\WINDOWS\system32\svchost.exe[1112] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C7001B
.text C:\WINDOWS\system32\svchost.exe[1112] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C70000
.text C:\WINDOWS\system32\svchost.exe[1112] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C6000A
.text C:\WINDOWS\System32\svchost.exe[1208] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 018B0000
.text C:\WINDOWS\System32\svchost.exe[1208] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 018B0040
.text C:\WINDOWS\System32\svchost.exe[1208] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 018B0025
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02200FEF
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0220006A
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02200F75
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02200F86
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02200FA1
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02200FB2
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02200F3D
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02200085
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 022000A0
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02200F11
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 022000BB
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02200043
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02200FDE
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02200F5A
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02200FC3
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02200014
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02200F2C
.text C:\WINDOWS\System32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 021F0FE5
.text C:\WINDOWS\System32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 021F0F9B
.text C:\WINDOWS\System32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 021F002C
.text C:\WINDOWS\System32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 021F001B
.text C:\WINDOWS\System32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 021F0FAC
.text C:\WINDOWS\System32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 021F000A
.text C:\WINDOWS\System32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 021F0058
.text C:\WINDOWS\System32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 021F0047
.text C:\WINDOWS\System32\svchost.exe[1208] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 018E0FBC
.text C:\WINDOWS\System32\svchost.exe[1208] msvcrt.dll!system 77C293C7 5 Bytes JMP 018E003D
.text C:\WINDOWS\System32\svchost.exe[1208] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 018E0FD7
.text C:\WINDOWS\System32\svchost.exe[1208] msvcrt.dll!_open 77C2F566 5 Bytes JMP 018E0000
.text C:\WINDOWS\System32\svchost.exe[1208] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 018E002C
.text C:\WINDOWS\System32\svchost.exe[1208] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 018E0011
.text C:\WINDOWS\System32\svchost.exe[1208] WS2_32.dll!socket 71AB4211 5 Bytes JMP 018D0000
.text C:\WINDOWS\System32\svchost.exe[1208] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 018C0FEF
.text C:\WINDOWS\System32\svchost.exe[1208] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 018C0FD4
.text C:\WINDOWS\System32\svchost.exe[1208] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 018C000A
.text C:\WINDOWS\System32\svchost.exe[1208] WININET.dll!InternetOpenUrlW 3D998471 5 Bytes JMP 018C0025
.text C:\WINDOWS\system32\svchost.exe[1248] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00860000
.text C:\WINDOWS\system32\svchost.exe[1248] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00860022
.text C:\WINDOWS\system32\svchost.exe[1248] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00860011
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 008A0FEF
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 008A0F4E
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 008A0039
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 008A0028
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 008A0F75
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 008A0FA1
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 008A0F1B
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 008A0F2C
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008A0EDB
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 008A0074
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 008A008F
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 008A0F90
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 008A0FD4
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 008A0F3D
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 008A0FB2
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 008A0FC3
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 008A0EF6
.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00890036
.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0089005B
.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00890FE5
.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0089001B
.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00890FA8
.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00890000
.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00890FB9
.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [A9, 88]
.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00890FD4
.text C:\WINDOWS\system32\svchost.exe[1248] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0088004E
.text C:\WINDOWS\system32\svchost.exe[1248] msvcrt.dll!system 77C293C7 5 Bytes JMP 00880FC3
.text C:\WINDOWS\system32\svchost.exe[1248] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00880029
.text C:\WINDOWS\system32\svchost.exe[1248] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00880FEF
.text C:\WINDOWS\system32\svchost.exe[1248] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00880FDE
.text C:\WINDOWS\system32\svchost.exe[1248] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00880018
.text C:\WINDOWS\system32\svchost.exe[1248] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00870000
.text C:\WINDOWS\system32\svchost.exe[1496] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0099000A
.text C:\WINDOWS\system32\svchost.exe[1496] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00990036
.text C:\WINDOWS\system32\svchost.exe[1496] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099001B
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009D0FE5
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009D005E
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009D0F69
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009D0043
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009D0F86
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009D0FB2
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009D008A
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009D0F4E
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009D0F0C
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009D00A5
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009D0EF1
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009D0FA1
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009D000A
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009D006F
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009D0FC3
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009D0FD4
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009D0F27
.text C:\WINDOWS\system32\svchost.exe[1496] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009C002F
.text C:\WINDOWS\system32\svchost.exe[1496] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009C0F97
.text C:\WINDOWS\system32\svchost.exe[1496] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009C0FD4
.text C:\WINDOWS\system32\svchost.exe[1496] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009C0FE5
.text C:\WINDOWS\system32\svchost.exe[1496] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009C0FA8
.text C:\WINDOWS\system32\svchost.exe[1496] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009C0000
.text C:\WINDOWS\system32\svchost.exe[1496] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 009C0FC3
.text C:\WINDOWS\system32\svchost.exe[1496] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [BC, 88]
.text C:\WINDOWS\system32\svchost.exe[1496] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009C004A
.text C:\WINDOWS\system32\svchost.exe[1496] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009B003D
.text C:\WINDOWS\system32\svchost.exe[1496] msvcrt.dll!system 77C293C7 5 Bytes JMP 009B0022
.text C:\WINDOWS\system32\svchost.exe[1496] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009B0FCD
.text C:\WINDOWS\system32\svchost.exe[1496] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009B0000
.text C:\WINDOWS\system32\svchost.exe[1496] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009B0FBC
.text C:\WINDOWS\system32\svchost.exe[1496] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009B0011
.text C:\WINDOWS\system32\svchost.exe[1496] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009A0FEF
.text C:\WINDOWS\Explorer.EXE[1696] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 030A0000
.text C:\WINDOWS\Explorer.EXE[1696] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 030A002C
.text C:\WINDOWS\Explorer.EXE[1696] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 030A001B
.text C:\WINDOWS\Explorer.EXE[1696] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0327000A
.text C:\WINDOWS\Explorer.EXE[1696] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0327008E
.text C:\WINDOWS\Explorer.EXE[1696] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03270073
.text C:\WINDOWS\Explorer.EXE[1696] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03270F99
.text C:\WINDOWS\Explorer.EXE[1696] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03270FB6
.text C:\WINDOWS\Explorer.EXE[1696] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03270047
.text C:\WINDOWS\Explorer.EXE[1696] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03270F7E
.text C:\WINDOWS\Explorer.EXE[1696] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 032700C4
.text C:\WINDOWS\Explorer.EXE[1696] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 03270F59
.text C:\WINDOWS\Explorer.EXE[1696] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 032700F2
.text C:\WINDOWS\Explorer.EXE[1696] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 03270103
.text C:\WINDOWS\Explorer.EXE[1696] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 03270062
.text C:\WINDOWS\Explorer.EXE[1696] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 03270FE5
.text C:\WINDOWS\Explorer.EXE[1696] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 032700A9
.text C:\WINDOWS\Explorer.EXE[1696] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 03270036
.text C:\WINDOWS\Explorer.EXE[1696] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 03270025
.text C:\WINDOWS\Explorer.EXE[1696] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 032700E1
.text C:\WINDOWS\Explorer.EXE[1696] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 031D0FAF
.text C:\WINDOWS\Explorer.EXE[1696] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 031D004E
.text C:\WINDOWS\Explorer.EXE[1696] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 031D0FCA
.text C:\WINDOWS\Explorer.EXE[1696] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 031D0FE5
.text C:\WINDOWS\Explorer.EXE[1696] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 031D003D
.text C:\WINDOWS\Explorer.EXE[1696] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 031D0000
.text C:\WINDOWS\Explorer.EXE[1696] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 031D002C
.text C:\WINDOWS\Explorer.EXE[1696] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 031D001B
.text C:\WINDOWS\Explorer.EXE[1696] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 031C0F9F
.text C:\WINDOWS\Explorer.EXE[1696] msvcrt.dll!system 77C293C7 5 Bytes JMP 031C0FB0
.text C:\WINDOWS\Explorer.EXE[1696] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 031C0FD2
.text C:\WINDOWS\Explorer.EXE[1696] msvcrt.dll!_open 77C2F566 5 Bytes JMP 031C0FEF
.text C:\WINDOWS\Explorer.EXE[1696] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 031C0FC1
.text C:\WINDOWS\Explorer.EXE[1696] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 031C000C
.text C:\WINDOWS\Explorer.EXE[1696] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 031A0FE5
.text C:\WINDOWS\Explorer.EXE[1696] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 031A0FCA
.text C:\WINDOWS\Explorer.EXE[1696] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 031A0000
.text C:\WINDOWS\Explorer.EXE[1696] WININET.dll!InternetOpenUrlW 3D998471 5 Bytes JMP 031A0FAF
.text C:\WINDOWS\Explorer.EXE[1696] WS2_32.dll!socket 71AB4211 5 Bytes JMP 031B0000
.text C:\WINDOWS\system32\svchost.exe[1848] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\system32\svchost.exe[1848] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B60FDE
.text C:\WINDOWS\system32\svchost.exe[1848] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B60FEF
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B90FEF
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B90F59
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B90F74
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B90058
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B90047
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B90025
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B9007A
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B90069
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B90F0D
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B900A6
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B900C1
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B90036
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B90FDE
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B90F48
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B90014
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B90FC3
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B90095
.text C:\WINDOWS\system32\svchost.exe[1848] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B80FDE
.text C:\WINDOWS\system32\svchost.exe[1848] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B80FA8
.text C:\WINDOWS\system32\svchost.exe[1848] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B80FEF
.text C:\WINDOWS\system32\svchost.exe[1848] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B8001B
.text C:\WINDOWS\system32\svchost.exe[1848] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B8006F
.text C:\WINDOWS\system32\svchost.exe[1848] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B80000
.text C:\WINDOWS\system32\svchost.exe[1848] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B80FC3
.text C:\WINDOWS\system32\svchost.exe[1848] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D8, 88]
.text C:\WINDOWS\system32\svchost.exe[1848] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B8004A
.text C:\WINDOWS\system32\svchost.exe[1848] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B7000A
.text C:\WINDOWS\system32\svchost.exe[1848] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B70F75
.text C:\WINDOWS\system32\svchost.exe[1848] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B70FAB
.text C:\WINDOWS\system32\svchost.exe[1848] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B70FEF
.text C:\WINDOWS\system32\svchost.exe[1848] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B70F90
.text C:\WINDOWS\system32\svchost.exe[1848] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B70FD2
.text C:\WINDOWS\system32\wuauclt.exe[2296] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00090000
.text C:\WINDOWS\system32\wuauclt.exe[2296] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00090011
.text C:\WINDOWS\system32\wuauclt.exe[2296] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00090FE5
.text C:\WINDOWS\system32\wuauclt.exe[2296] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001C0FEF
.text C:\WINDOWS\system32\wuauclt.exe[2296] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001C0F50
.text C:\WINDOWS\system32\wuauclt.exe[2296] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001C0F61
.text C:\WINDOWS\system32\wuauclt.exe[2296] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001C0F72
.text C:\WINDOWS\system32\wuauclt.exe[2296] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001C002F
.text C:\WINDOWS\system32\wuauclt.exe[2296] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001C000A
.text C:\WINDOWS\system32\wuauclt.exe[2296] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001C0F24
.text C:\WINDOWS\system32\wuauclt.exe[2296] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001C0F35
.text C:\WINDOWS\system32\wuauclt.exe[2296] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001C0EE4
.text C:\WINDOWS\system32\wuauclt.exe[2296] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001C0F09
.text C:\WINDOWS\system32\wuauclt.exe[2296] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001C0ED3
.text C:\WINDOWS\system32\wuauclt.exe[2296] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001C0F83
.text C:\WINDOWS\system32\wuauclt.exe[2296] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001C0FDE
.text C:\WINDOWS\system32\wuauclt.exe[2296] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001C0060
.text C:\WINDOWS\system32\wuauclt.exe[2296] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001C0FA8
.text C:\WINDOWS\system32\wuauclt.exe[2296] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001C0FC3
.text C:\WINDOWS\system32\wuauclt.exe[2296] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001C0087
.text C:\WINDOWS\system32\wuauclt.exe[2296] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002B0FAB
.text C:\WINDOWS\system32\wuauclt.exe[2296] msvcrt.dll!system 77C293C7 5 Bytes JMP 002B0FBC
.text C:\WINDOWS\system32\wuauclt.exe[2296] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002B0FD7
.text C:\WINDOWS\system32\wuauclt.exe[2296] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002B0000
.text C:\WINDOWS\system32\wuauclt.exe[2296] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002B002C
.text C:\WINDOWS\system32\wuauclt.exe[2296] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002B0011
.text C:\WINDOWS\system32\wuauclt.exe[2296] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002C0FA8
.text C:\WINDOWS\system32\wuauclt.exe[2296] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002C0F72
.text C:\WINDOWS\system32\wuauclt.exe[2296] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002C0FC3
.text C:\WINDOWS\system32\wuauclt.exe[2296] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002C0FDE
.text C:\WINDOWS\system32\wuauclt.exe[2296] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002C0F83
.text C:\WINDOWS\system32\wuauclt.exe[2296] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002C0FEF
.text C:\WINDOWS\system32\wuauclt.exe[2296] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002C0025
.text C:\WINDOWS\system32\wuauclt.exe[2296] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002C0014

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----

*************************************************

RKreport.txt

RogueKiller V5.1.1 [05/05/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-to...-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Parent [Admin rights]
Mode: Scan -- Date : 05/11/2011 16:25:23

Bad processes: 0

Registry Entries: 5
[APPDT/TMP/DESKTOP] HKCU\[...]\Run : Mbfsfe (C:\DOCUME~1\Parent\LOCALS~1\Temp\0.3750734903329507.exe) -> FOUND
[APPDT/TMP/DESKTOP] HKUS\S-1-5-21-3784137826-963918322-4271176276-1003[...]\Run : Mbfsfe (C:\DOCUME~1\Parent\LOCALS~1\Temp\0.3750734903329507.exe) -> FOUND
[FILEASSO] HKCU\[...]Software\Classes\exefile\shell\open\command : ("C:\Documents and Settings\Parent\Local Settings\Application Data\otf.exe" -a "%1" %*) -> FOUND
[FILEASSO] HKCR\[...]exefile\shell\open\command : ("C:\Documents and Settings\Parent\Local Settings\Application Data\otf.exe" -a "%1" %*) -> FOUND
[FILEASSO] HKLM\[...]Software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command : ("C:\Documents and Settings\Parent\Local Settings\Application Data\otf.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") -> FOUND

HOSTS File:
127.0.0.1 localhost
72.52.4.76 www.limewire.com
72.52.4.76 www.frostwire.com
72.52.4.76 www.bit-torrent.com
72.52.4.76 www.bearshare.com
72.52.4.76 www.zeropaid.com
72.52.4.76 www.felmlee.com
72.52.4.76 www.gnutelliums.com
72.52.4.76 phex.sourceforge.net
72.52.4.76 www.revolutionarystuff.com
72.52.4.76 www.xolox.nl
72.52.4.76 www.grokster.com
72.52.4.76 www.morpheus.com
72.52.4.76 www.music-e.net
72.52.4.76 www.chadsmp3s.com
72.52.4.76 www.napster.com
72.52.4.76 www.napstermp3.com
72.52.4.76 www.shareaza.com
72.52.4.76 www.neo-modus.com
72.52.4.76 www.filetopia.org
[...]


Finished : << RKreport[1].txt >>
RKreport[1].txt

#81 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 11 May 2011 - 11:12 PM

Hi Chelli,

Go to Control panel > add/remove programs and uninstall

ShopperReports
ShopperReports


Next

Double click on OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
  • Do Not copy the word CODE
  • please note the fix starts with the :
:Services

:OTL
O35 - HKCU\..exefile [open] -- "C:\Documents and Settings\Parent\Local Settings\Application Data\otf.exe" -a "%1" %*

:Reg
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
""="\"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
""="C:\Program Files\Internet Explorer\iexplore.exe"

:Commands
[createrestorepoint]
[reboot]

Then click the Run Fix button at the top
  • Let the program run unhindered
  • Please save the resulting log to be posted in your next reply.
Please post the OTL fix log.


Next

Please read through these instructions to familiarize yourself with what to expect when this tool runs

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post back with
  • OTL fix log
  • combofix log

Thanks

Proud Graduate of the WTT Classroom
If you are happy with the help you received, please consider making a Donation
Curiosity didn't kill the cat. Ignorance did, curiosity was framed.
Learn how to protect Yourself

Microsoft MVP 2011-2015

Threads will be closed if no response after 5 days.
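The RogueKiller report earlier in this thread and the OTL fix in post #81 illustrate the same hijack from two sides: the report shows HKCR\exefile\shell\open\command pointing at otf.exe under the user's profile, and the fix writes the stock value "%1" %* back. As an added example (not code from the thread, and not RogueKiller's or OTL's own logic), here is a small Python triage script that parses report lines in the RKreport.txt shape and flags the indicators a helper reads off it. The embedded sample copies the thread's registry and HOSTS lines and adds one made-up benign autorun, tagged [EXAMPLE], for contrast; the "user-writable directory" heuristic and the high/review severity labels are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Default value Windows uses for HKCR\exefile\shell\open\command. The OTL
# fix in post #81 writes exactly this back; anything else means every .exe
# launch is being proxied through another program.
DEFAULT_EXEFILE_COMMAND = '"%1" %*'

# Constructed sample in the shape of the thread's RKreport.txt. The first
# three registry lines and the HOSTS lines are copied from that report; the
# [EXAMPLE] line is a made-up benign autorun added for contrast.
SAMPLE_REPORT = r"""
Registry Entries: 4
[APPDT/TMP/DESKTOP] HKCU\[...]\Run : Mbfsfe (C:\DOCUME~1\Parent\LOCALS~1\Temp\0.3750734903329507.exe) -> FOUND
[FILEASSO] HKCR\[...]exefile\shell\open\command : ("C:\Documents and Settings\Parent\Local Settings\Application Data\otf.exe" -a "%1" %*) -> FOUND
[FILEASSO] HKLM\[...]Software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command : ("C:\Documents and Settings\Parent\Local Settings\Application Data\otf.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") -> FOUND
[EXAMPLE] HKLM\[...]\Run : ExampleUpdater (C:\Program Files\Example\updater.exe) -> FOUND

HOSTS File:
127.0.0.1 localhost
72.52.4.76 www.limewire.com
72.52.4.76 www.frostwire.com
[...]
"""

_ENTRY_RE = re.compile(r'^\[(?P<tag>[^\]]+)\]\s+(?P<key>.+?)\s+:\s+(?P<value>.+?)\s+->\s+\w+$')
_HOSTS_RE = re.compile(r'^(?P<ip>[0-9A-Fa-f.:]+)\s+(?P<host>\S+)$')
# Assumption (my heuristic, not RogueKiller's): programs launched from
# per-user temp/profile/desktop folders are a strong sign of an unwanted program.
_USER_WRITABLE_RE = re.compile(
    r'\\(Temp|Local Settings\\Application Data|Application Data|Desktop)\\', re.IGNORECASE)


@dataclass
class Finding:
    kind: str       # "fileasso", "run" or "hosts"
    detail: str
    severity: str   # "high" (restore/remove) or "review" (confirm by hand)


def normalize_command(cmd: str) -> str:
    """Drop the report's enclosing parentheses and collapse whitespace."""
    cmd = cmd.strip()
    if cmd.startswith('(') and cmd.endswith(')'):
        cmd = cmd[1:-1]
    return ' '.join(cmd.split())


def is_default_exefile_command(cmd: str) -> bool:
    """True only if the exefile handler is the stock '"%1" %*'."""
    return normalize_command(cmd) == DEFAULT_EXEFILE_COMMAND


def first_executable(cmd: str) -> str:
    """Return the program a shell command line actually starts."""
    cmd = normalize_command(cmd)
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(' ', 1)[0]


def run_target(value: str) -> Optional[str]:
    """Extract the path from a Run entry value such as 'Name (C:\\path.exe)'."""
    m = re.search(r'\((.+)\)\s*$', value)
    return m.group(1) if m else None


def in_user_writable_dir(path: str) -> bool:
    return bool(_USER_WRITABLE_RE.search(path))


def parse_report(text: str) -> List[Finding]:
    findings: List[Finding] = []
    in_hosts = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('HOSTS File:'):
            in_hosts = True
            continue
        if in_hosts:
            if not line or line == '[...]':
                in_hosts = False
                continue
            m = _HOSTS_RE.match(line)
            # Loopback entries are normal; anything pointing elsewhere silently
            # redirects that host name and deserves a look (it may be benign blocking).
            if m and not (m['ip'].startswith('127.') or m['ip'] == '::1'):
                findings.append(Finding('hosts', f"{m['host']} -> {m['ip']}", 'review'))
            continue
        m = _ENTRY_RE.match(line)
        if not m:
            continue
        tag, key, value = m['tag'], m['key'], m['value']
        if tag == 'FILEASSO':
            if 'exefile' in key:
                if not is_default_exefile_command(value):
                    findings.append(Finding('fileasso', f"{key} = {normalize_command(value)}", 'high'))
            elif in_user_writable_dir(first_executable(value)):
                findings.append(Finding('fileasso', f"{key} = {normalize_command(value)}", 'high'))
        elif key.endswith('\\Run'):
            target = run_target(value) or value
            sev = 'high' if in_user_writable_dir(target) else 'review'
            findings.append(Finding('run', f"{key} = {target}", sev))
    return findings


def high_findings(text: str) -> List[Finding]:
    return [f for f in parse_report(text) if f.severity == 'high']


if __name__ == '__main__':
    for f in parse_report(SAMPLE_REPORT):
        print(f"[{f.severity:6}] {f.kind:8} {f.detail}")
```

On the sample the script reports three high findings (the Temp-folder autorun and both otf.exe file associations) and three review items (the constructed Program Files autorun and the two non-loopback HOSTS redirects, which are flagged for a look rather than called malicious, since HOSTS blocking of that kind is also done by legitimate filtering software).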

#82 Chelli

Chelli

    Authentic Member

  • Authentic Member
  • PipPip
  • 48 posts

Posted 12 May 2011 - 07:26 AM

Go to Control panel > add/remove programs and uninstall

ShopperReports
ShopperReports


I can't remove this program because when I go to control panel and click on "add or remove programs" I get an error that says "c:\windows\system32\rundll32.exe........... application not found"

So, I didn't go forward with the remainder of the instructions. Not sure if this must be done first. I hope this doesn't take too long to clean this up. This is my son's last month of this school year and he has major work to finish. :smack:

#83 Chelli

Chelli

    Authentic Member

  • Authentic Member
  • PipPip
  • 48 posts

Posted 12 May 2011 - 07:46 AM

I hope I haven't messed something up. I went to the c:/windows/system32 and found the rundll32. It is showing and not hidden. I thought it had lost its file extension and that is why it couldn't be found so I added ".exe" to the end. It was already an ".exe" so it renamed it as "rundll32.exe.exe". I tried to fix it but each time I removed one of the ".exe's" it told me a program by that name already exists. I renamed it to "rundll32old" and it worked. I then renamed it back to "rundll32" but again it told me that a file by that name already exists. So again I renamed it back to "rundll32.exe" and it accepted it but again.. the file is now "rundll32.exe.exe". Not sure what to do at this point. I should have just exercised the 'patience' that the Lord gave me, instead of listening to my impatient flesh. :D Again... Sorry.

#84 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 12 May 2011 - 05:51 PM

Hi Chelli, Don't worry about the uninstalls for now. One of your settings most likely is set to not show known extensions (by default) so rundll32 is actually rundll32.exe. Just leave it for now and continue.


#85 Chelli

Chelli

    Authentic Member

  • Authentic Member
  • PipPip
  • 48 posts

Posted 13 May 2011 - 10:01 AM

Go to Control panel > add/remove programs and uninstall

ShopperReports
ShopperReports


I can't remove this program because when I go to control panel and click on "add or remove programs" I get an error that says "c:\windows\system32\rundll32.exe........... application not found"

So, I didn't go forward with the remainder of the instructions. Not sure if this must be done first. I hope this doesn't take too long to clean this up. This is my son's last month of this school year and he has major work to finish. :smack:


Not sure if you saw this message from yesterday? Do you want me to continue without these being uninstalled.


#86 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 13 May 2011 - 06:00 PM

Hi Chelli,

Don't worry about the uninstalls for now.

Yes I saw it, go ahead.


#87 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 21 May 2011 - 03:36 AM

Hi Chelli, Still with us? Thanks


#88 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 25 May 2011 - 06:38 AM

Due to inactivity this topic will be closed.
If you need help please start a new thread.

New members follow the instructions here http://forums.whatth...ed_t106388.html and start a new topic

