
I think i have a virus/malware

Discussion in 'Virus & Other Malware Removal' started by kipcab, Oct 31, 2011.

  1. kipcab

    kipcab Thread Starter

    Joined:
    Oct 31, 2011
    Messages:
    11
    Hi - new member here, hopefully you can help :)

    We have a machine here, at work, that doesn't seem to be running quite right, and we believe it has either a virus or some kind of malware. We're only a small company, so we don't have an IT department; hopefully you guys can help.

    It's a Dell Precision T7400 running Windows XP.

    It takes about 20 minutes to boot up, and every time we try to run Safe Mode it gives a blue screen with the error 0x0000007B.

    We have set McAfee to do a daily scan, and in its history it's picked up about 15 viruses and 38 trojans, but I don't reckon it has got rid of them all.

    Please let me know what I should do/run in order to get you guys to help.
     
  2. flavallee

    flavallee Trusted Advisor

    Joined:
    May 12, 2002
    Messages:
    80,930
    First Name:
    Frank
    Go here and click the green "Download latest version" link to download and save HiJackThis 2.0.4.

    After it's been downloaded and saved, close all open windows first, then double-click the saved file to install it.

    Allow it to install in its default location - C:\Program Files.

    After it's been installed, start it and then click "Do a system scan and save a log file".

    When the scan is finished in less than 30 seconds, a log file will appear.

    Save that log file.

    Return here to your thread, then copy-and-paste the entire log file here.

    -----------------------------------------------------

    Start HiJackThis, but don't run a scan.

    Click on the "Open The Misc Tools Section" button.

    Click on the "Open Uninstall Manager" button.

    Click on the "Save List" button.

    Save the "uninstall_list.txt" file somewhere.

    It'll then open in Notepad.

    Return here to your thread, then copy-and-paste the entire file here.

    -----------------------------------------------------
     
  3. kipcab

    kipcab Thread Starter

    Joined:
    Oct 31, 2011
    Messages:
    11
    Hi - thanks for quick response
    Here is the first log you requested


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 16:46, on 31/10/2011
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Program Files\Emsisoft Anti-Malware\a2service.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
    C:\Program Files\Workspace\offSyncService.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\PSIService.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\UAService7.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\Program Files\Dell SAS RAID Storage Manager\Framework\VivaldiFramework.exe
    C:\WINDOWS\system32\cmd.exe
    C:\Program Files\Dell SAS RAID Storage Manager\JRE\bin\javaw.exe
    C:\Program Files\Dell SAS RAID Storage Manager\MegaMonitor\mrmonitor.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\rundll32.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Dell SAS RAID Storage Manager\MegaPopup\Popup.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\Workspace\WorkspaceUpdate.exe
    C:\Program Files\Pantone\huey\hueyTray.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Documents and Settings\IPulfer\Application Data\Dropbox\bin\Dropbox.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk-rel&channel=uk&ibd=4080301
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\IPulfer\Local Settings\Application Data\syafqedw\bcrrbemn.exe,
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20111011113333.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [Popup] "C:\Program Files\Dell SAS RAID Storage Manager\MegaPopup\Popup.exe"
    O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
    O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [Starfield Updater] "C:\Program Files\Workspace\WorkspaceUpdate.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\IPulfer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: hueyTray.lnk = C:\Program Files\Pantone\huey\hueyTray.exe
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O15 - Trusted Zone: http://*.mcafee.com
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://extravision.webex.com/client/T26L/webex/ieatgpc.cab
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.emails-industry.com/XUpload/XUpload.ocx
    O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://caconnect.ca.com/dana-cached/sc/JuniperSetupClient.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = industry.local
    O17 - HKLM\Software\..\Telephony: DomainName = industry.local
    O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O18 - Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\mcsniepl.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Emsisoft Anti-Malware 5.1 - Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\Emsisoft Anti-Malware\a2service.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
    O23 - Service: File Backup Service (File Backup) - Starfield Technologies, Inc. - C:\Program Files\Workspace\offSyncService.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
    O23 - Service: MRMonitor (MegaMonitorSrv) - Unknown owner - C:\Program Files\Dell SAS RAID Storage Manager\MegaMonitor\mrmonitor.exe
    O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
    O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
    O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: SSMFramework (MSMFramework) - Unknown owner - C:\Program Files\Dell SAS RAID Storage Manager\Framework\VivaldiFramework.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

    --
    End of file - 13330 bytes




    Here is the second log required


    2007 Microsoft Office system
    32 Bit HP CIO Components Installer
    AbleCommerce DataPort
    AbleCommerce DataPort 7.0.2
    Add or Remove Adobe Creative Suite 3 Design Premium
    Adobe AIR
    Adobe AIR
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe BridgeTalk Plugin CS3
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Color - Photoshop Specific
    Adobe Color Common Settings
    Adobe Color Common Settings
    Adobe Color EU Extra Settings
    Adobe Color JA Extra Settings
    Adobe Color NA Recommended Settings
    Adobe Creative Suite 3 Design Premium
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe Dreamweaver CS3
    Adobe ExtendScript Toolkit 2
    Adobe ExtendScript Toolkit 2
    Adobe Extension Manager CS3
    Adobe Flash CS3
    Adobe Flash Player 11 Plugin
    Adobe Flash Player 9 ActiveX
    Adobe Flash Player ActiveX
    Adobe Flash Video Encoder
    Adobe Fonts All
    Adobe Help Viewer CS3
    Adobe Illustrator CS3
    Adobe InDesign CS3
    Adobe InDesign CS3 Icon Handler
    Adobe Linguistics CS3
    Adobe MotionPicture Color Files
    Adobe PDF Library Files
    Adobe Photoshop CS3
    Adobe Setup
    Adobe Setup
    Adobe Setup
    Adobe Shockwave Player 11.5
    Adobe SING CS3
    Adobe Stock Photos CS3
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    Adobe Version Cue CS3 Server {ko_KR}
    Adobe WAS CS3
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS3
    AHV content for Acrobat and Flash
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Bonjour
    Broadcom ASF Management Applications
    Broadcom Management Programs
    Bulk Rename Utility 2.7.1.2
    CCleaner
    Dell ETS Factory Installation
    Dell SAS RAID Storage Manager
    EA Download Manager
    EditPlus 3
    Emsisoft Anti-Malware 5.1
    FileZilla Client 3.5.1
    Google Earth Plug-in
    Google Update Helper
    High Definition Audio Driver Package - KB835221
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows XP (KB914440)
    Hotfix for Windows XP (KB915865)
    HP LaserJet P2015 Series 1.0
    HP Software Update
    huey 1.0.5
    Intel(R) Matrix Storage Manager
    InterVideo DeviceService
    iPhone Configuration Utility
    iTunes
    Java(TM) 6 Update 29
    KeePass Password Safe 2.07 Beta
    Kentico CMS 5.5 R2
    LogMeIn
    Malwarebytes' Anti-Malware version 1.51.1.1800
    McAfee SecurityCenter
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 3.5 SP1
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2003 Web Components
    Microsoft Office 2007 Primary Interop Assemblies
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Live Meeting 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional Hybrid 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Small Business Connectivity Components
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft SQL Server 2005
    Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
    Microsoft SQL Server 2005 Tools Express Edition
    Microsoft SQL Server Management Studio Express
    Microsoft SQL Server Native Client
    Microsoft SQL Server Setup Support Files (English)
    Microsoft SQL Server VSS Writer
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Mozilla Firefox 7.0.1 (x86 en-GB)
    MSXML 4.0 SP2 (KB936181)
    MSXML 6.0 Parser (KB933579)
    Muse (code name)
    Muse (code name)
    NVIDIA Drivers
    ParetoLogic PC Health Advisor
    PDF Settings
    phpDesigner version 6.2.5.2
    Picasa 3
    PowerDVD
    QuickTime
    RealPlayer
    Roxio Creator Audio
    Roxio Creator BDAV Plugin
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Drag-to-Disc
    Roxio Express Labeler
    Roxio Update Manager
    Security Update for Excel 2007 (KB946974)
    Security Update for Microsoft Office Publisher 2007 (KB950114)
    Security Update for Microsoft Office system 2007 (KB951808)
    Security Update for Microsoft Office Word 2007 (KB950113)
    Security Update for Office 2007 (KB934062)
    Security Update for Office 2007 (KB947801)
    Security Update for Outlook 2007 (KB946983)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for the 2007 Microsoft Office System (KB936960)
    Security Update for Visio 2007 (KB947590)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB941693)
    Security Update for Windows XP (KB943055)
    Security Update for Windows XP (KB943460)
    Security Update for Windows XP (KB943485)
    Security Update for Windows XP (KB944533)
    Security Update for Windows XP (KB945553)
    Security Update for Windows XP (KB946026)
    Security Update for Windows XP (KB948590)
    Security Update for Windows XP (KB948881)
    Security Update for Windows XP (KB950749)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    SmartSound Quicktracks Plugin
    Sonic Activation Module
    SoundMAX
    Spotify
    Spybot - Search & Destroy
    SUPERAntiSpyware Free Edition
    System Requirements Lab
    Unity Web Player
    Update for Office 2007 (KB932080)
    Update for Office 2007 (KB946691)
    Update for Outlook 2007 Junk Email Filter (kb950378)
    Update for Windows XP (KB894391)
    Update for Windows XP (KB896256)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB904942)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB932823-v3)
    WebEx
    Windows Driver Package - Microsoft Corporation (usbvideo) Image (05/25/2007 1.0.3656.0)
    Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
    Windows Imaging Component
    Windows Internet Explorer 8
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    Windows Media Encoder 9 Series
    Windows Media Encoder 9 Series
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    WinRAR archiver
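The F2 line in the HijackThis log above (UserInit=...userinit.exe,C:\Documents and Settings\IPulfer\Local Settings\Application Data\syafqedw\bcrrbemn.exe,) is the entry a malware-removal helper looks at first: Winlogon runs every program listed in the Userinit value at logon, and a stock Windows XP install lists only userinit.exe, so a second executable chained after it is a persistence mechanism. The script below is an added example for this thread, not code from the original posts or from HijackThis. It parses HijackThis-format lines, reports anything chained into Userinit as a high-severity finding, and, as a weaker heuristic that is an assumption of this example, flags O4 autostart entries whose target runs from a user-writable profile or temp directory as leads for review (the per-user Google Update entry from the log is legitimate and is flagged only for review). The sample log is a constructed subset of the lines posted above.

```python
"""Triage autostart entries in a HijackThis v2 log for Userinit hijacks.

Added example for this thread (not HijackThis's own code). SAMPLE_LOG is a
constructed subset of the posted log.
"""
import re

# Constructed sample: copied from the posted log, reduced to the lines the
# checks below care about.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\IPulfer\Local Settings\Application Data\syafqedw\bcrrbemn.exe,
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\IPulfer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
"""

# The only program a stock Windows XP install lists in Userinit.
STOCK_USERINIT = r"c:\windows\system32\userinit.exe"

# Path fragments ordinary users can write to. An autostart pointing there is a
# lead for review, not proof of infection (assumption of this example: per-user
# updaters such as Google Update legitimately live there).
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\users\\", "\\temp\\")

USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.IGNORECASE)
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$",
                    re.IGNORECASE)


def check_userinit(value):
    """Return every comma-separated Userinit entry that is not the stock userinit.exe.

    Winlogon runs each listed program at logon, so anything chained after
    userinit.exe persists across reboots. Comparison is strict after
    case-folding, so unusual but legitimate spellings are reported too,
    which is the safe direction for a triage tool.
    """
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != STOCK_USERINIT]


def target_of(cmd):
    """Return the file that actually executes for an O4 Run command line.

    Handles quoted paths and the rundll32 host-process indirection, where the
    interesting file is the DLL named in the first argument (path\\x.dll,Entry).
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe, rest = cmd[1:end], cmd[end + 1:].strip()
    else:
        exe, _, rest = cmd.partition(" ")
    if exe.lower().rsplit("\\", 1)[-1] == "rundll32.exe":
        return target_of(rest).split(",", 1)[0]
    return exe


def in_user_writable_location(path):
    """Heuristic: does the path sit under a profile or temp directory?"""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def triage(log_text):
    """Return (severity, hjt_line, reason) findings for HijackThis log text."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = USERINIT_RE.match(line)
        if m:
            for extra in check_userinit(m.group(1)):
                findings.append(("high", line, "extra program chained into Userinit: " + extra))
            continue
        m = RUN_RE.match(line)
        if m:
            exe = target_of(m.group("cmd"))
            if in_user_writable_location(exe):
                findings.append(("review", line,
                                 "autostart runs from a user-writable location: " + exe))
    return findings


if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {line}")
```

Run against the constructed sample it reports one high finding (the bcrrbemn.exe entry chained into Userinit) and one review finding (the per-user GoogleUpdate.exe); the NvCpl.dll and ctfmon entries resolve to system32 and are left alone. Feed it a whole saved HijackThis log and the same two checks apply to every F2 and O4 line.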
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,452
    First Name:
    Derek
    Why are you still on SP2, when it should be on SP3?

    Follow the advice here and post the logs those programs make.
     
  5. kipcab

    kipcab Thread Starter

    Joined:
    Oct 31, 2011
    Messages:
    11
    No idea - it's never automatically updated... will try and get SP3.

    Will do - thanks
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,452
    First Name:
    Derek
    Don't update until we have cleaned up the malware first
     
  7. kipcab

    kipcab Thread Starter

    Joined:
    Oct 31, 2011
    Messages:
    11
    Noted

    Will run through the step-by-step guide and let you know

    Thanks
     
  8. flavallee

    flavallee Trusted Advisor

    Joined:
    May 12, 2002
    Messages:
    80,930
    First Name:
    Frank
    Follow dvk01's instructions from here on.

    --------------------------------------------------------
     
  9. kipcab

    kipcab Thread Starter

    Joined:
    Oct 31, 2011
    Messages:
    11
    Hi - here are the logs (I have to load them separately, as for some reason it won't allow me to post them all in one reply).

    Thanks for looking at this for us.


    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O15 - Trusted Zone: http://*.mcafee.com
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://extravision.webex.com/client/T26L/webex/ieatgpc.cab
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.emails-industry.com/XUpload/XUpload.ocx
    O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://caconnect.ca.com/dana-cached/sc/JuniperSetupClient.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = industry.local
    O17 - HKLM\Software\..\Telephony: DomainName = industry.local
    O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O18 - Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\mcsniepl.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Emsisoft Anti-Malware 5.1 - Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\Emsisoft Anti-Malware\a2service.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
    O23 - Service: File Backup Service (File Backup) - Starfield Technologies, Inc. - C:\Program Files\Workspace\offSyncService.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
    O23 - Service: MRMonitor (MegaMonitorSrv) - Unknown owner - C:\Program Files\Dell SAS RAID Storage Manager\MegaMonitor\mrmonitor.exe
    O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
    O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
    O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: SSMFramework (MSMFramework) - Unknown owner - C:\Program Files\Dell SAS RAID Storage Manager\Framework\VivaldiFramework.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

    --
    End of file - 13330 bytes
     
  10. kipcab

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
    Run by ipulfer at 17:03:30 on 2011-10-31
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2143 [GMT 0:00]
    .
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\Program Files\Emsisoft Anti-Malware\a2service.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
    C:\Program Files\Workspace\offSyncService.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\system32\PSIService.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\UAService7.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\Program Files\Dell SAS RAID Storage Manager\Framework\VivaldiFramework.exe
    C:\Program Files\Dell SAS RAID Storage Manager\JRE\bin\javaw.exe
    C:\Program Files\Dell SAS RAID Storage Manager\MegaMonitor\mrmonitor.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\rundll32.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Dell SAS RAID Storage Manager\MegaPopup\Popup.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\Workspace\WorkspaceUpdate.exe
    C:\Program Files\Pantone\huey\hueyTray.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Documents and Settings\IPulfer\Application Data\Dropbox\bin\Dropbox.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com
    uSearch Bar =
    mStart Page = hxxp://www.google.com
    uInternet Settings,ProxyOverride = *.local
    mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\documents and settings\ipulfer\local settings\application data\syafqedw\bcrrbemn.exe,
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111011113333.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [Starfield Updater] "c:\program files\workspace\WorkspaceUpdate.exe"
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Google Update] "c:\documents and settings\ipulfer\local settings\application data\google\update\GoogleUpdate.exe" /c
    mRun: [Popup] "c:\program files\dell sas raid storage manager\megapopup\Popup.exe"
    mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
    mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hueytray.lnk - c:\program files\pantone\huey\hueyTray.exe
    mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://extravision.webex.com/client/T26L/webex/ieatgpc.cab
    DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} - hxxp://www.emails-industry.com/XUpload/XUpload.ocx
    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://caconnect.ca.com/dana-cached/sc/JuniperSetupClient.cab
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{BFA56FC5-D58C-4FF1-99F4-DA72D9D0CAE6} : DhcpNameServer = 192.168.1.1
    Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    Notify: LMIinit - LMIinit.dll
    SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\ipulfer\application data\mozilla\firefox\profiles\4ydi3o4u.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.getreading.co.uk/
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\documents and settings\ipulfer\application data\electronic arts\game face\npGameFacePlugin.dll
    FF - plugin: c:\documents and settings\ipulfer\application data\mozilla\plugins\npoff.dll
    FF - plugin: c:\documents and settings\ipulfer\application data\mozilla\plugins\npoff.dll
    FF - plugin: c:\documents and settings\ipulfer\application data\mozilla\plugins\npwbe.dll
    FF - plugin: c:\documents and settings\ipulfer\application data\mozilla\plugins\npwbe.dll
    FF - plugin: c:\documents and settings\ipulfer\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
    FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
    FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
    FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-5-31 461864]
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-7-12 89624]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
    R2 a2AntiMalware;Emsisoft Anti-Malware 5.1 - Service;c:\program files\emsisoft anti-malware\a2service.exe [2011-7-29 3029208]
    R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2007-6-20 79168]
    R2 File Backup;File Backup Service;c:\program files\workspace\offSyncService.exe [2010-7-16 1185008]
    R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-10-1 374152]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-2-28 12856]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-9-4 47640]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-7-12 214904]
    R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-7-12 214904]
    R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-7-12 214904]
    R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-7-12 166024]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-7-12 160344]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-7-12 148520]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-7-12 57432]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-7-12 180072]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-7-12 59288]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-7-12 338040]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-7-12 83688]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-7-29 136176]
    S2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-7-12 214904]
    S3 a2acc;a2acc;c:\program files\emsisoft anti-malware\a2accx86.sys [2011-7-29 73728]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-7-29 136176]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-2-25 41272]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-7-12 83688]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-7-12 87808]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]
    S4 LMIRfsClientNP;LMIRfsClientNP; [x]
    .
    =============== Created Last 30 ================
    .
    2011-10-31 16:43:23 388096 ----a-r- c:\documents and settings\ipulfer\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2011-10-31 16:43:19 -------- d-----w- c:\program files\Trend Micro
    .
    ==================== Find3M ====================
    .
    2011-10-17 08:47:07 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-11 11:22:35 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
    2011-10-11 11:22:35 52096 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
    2011-10-11 11:22:33 87424 ----a-w- c:\windows\system32\LMIinit.dll
    2011-10-11 11:22:33 30592 ----a-w- c:\windows\system32\LMIport.dll
    2011-10-03 05:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-10-03 02:37:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-08-15 09:00:06 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2011-08-15 09:00:06 89624 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
    2011-08-15 09:00:06 87808 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2011-08-15 09:00:06 83688 ----a-w- c:\windows\system32\drivers\mfendisk.sys
    2011-08-15 09:00:06 59288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2011-08-15 09:00:06 57432 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2011-08-15 09:00:06 461864 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2011-08-15 09:00:06 338040 ----a-w- c:\windows\system32\drivers\mfefirek.sys
    2011-08-15 09:00:06 180072 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2011-08-15 09:00:06 119808 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    .
    ============= FINISH: 17:07:55.16 ===============
     
  11. kipcab

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-11-02 09:34:53
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Scsi\SYMMPI1Port1Path0Target0Lun0 ATA_____ rev.G___
    Running: fp50ondh.exe; Driver: C:\DOCUME~1\IPulfer\LOCALS~1\Temp\pxtdrpow.sys


    ---- System - GMER 1.0.15 ----

    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9DB1290]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9DB12A4]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9DB12D0]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9DB1326]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9DB127C]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9DB1254]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9DB1268]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9DB12BA]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB9DB12FC]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9DB12E6]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9DB1350]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9DB133C]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9DB1310]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwYieldExecution 805040F8 7 Bytes JMP B9DB1314 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtMapViewOfSection 805B0BC4 7 Bytes JMP B9DB132A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B19D2 5 Bytes JMP B9DB1340 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtSetSecurityObject 805BEAF0 5 Bytes JMP B9DB1300 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtOpenProcess 805C9EBA 5 Bytes JMP B9DB1258 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtOpenThread 805CA146 5 Bytes JMP B9DB126C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwTerminateProcess 805D13E4 5 Bytes JMP B9DB1354 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwSetValueKey 80620992 7 Bytes JMP B9DB12EA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwRenameKey 80621CF8 7 Bytes JMP B9DB12BE mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwCreateKey 806222D2 5 Bytes JMP B9DB1294 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwDeleteKey 80622762 7 Bytes JMP B9DB12A8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwDeleteValueKey 80622932 7 Bytes JMP B9DB12D4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwOpenKey 80623668 5 Bytes JMP B9DB1280 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8CA1360, 0x3475F7, 0xE8000020]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\svchost.exe[500] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 008B0000
    .text C:\WINDOWS\system32\svchost.exe[500] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 008B0FE5
    .text C:\WINDOWS\system32\svchost.exe[500] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 008B001B
    .text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 008A0FE5
    .text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 008A0F86
    .text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 008A007B
    .text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 008A0054
    .text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 008A0F97
    .text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 008A0FC3
    .text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 008A0F58
    .text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 008A00A0
    .text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 008A00CC
    .text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008A00B1
    .text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 008A00E7
    .text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 008A0FB2
    .text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 008A000A
    .text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 008A0F75
    .text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 008A0FD4
    .text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 008A0025
    .text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 008A0F33
    .text C:\WINDOWS\system32\svchost.exe[500] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00890014
    .text C:\WINDOWS\system32\svchost.exe[500] ADVAPI32.dll!RegCreateKeyExW 77DD7535 1 Byte [E9]
    .text C:\WINDOWS\system32\svchost.exe[500] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00890039
    .text C:\WINDOWS\system32\svchost.exe[500] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00890FC3
    .text C:\WINDOWS\system32\svchost.exe[500] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00890FD4
    .text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 483A0EFD
    .text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 483A0EEC
    .text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 483A0F8D
    .text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 483A0FD4
    .text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 483A0043
    .text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 483A0FA8
    .text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 483A0FC3
    .text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 483A0F22
    .text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 48380053
    .text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] msvcrt.dll!system 77C293C7 5 Bytes JMP 48380042
    .text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 48380016
    .text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] msvcrt.dll!_open 77C2F566 5 Bytes JMP 48380FEF
    .text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 48380027
    .text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 48380FDE
    .text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 4839002C
    .text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 4839005B
    .text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 48390FDB
    .text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 48390011
    .text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 48390F9E
    .text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 48390FAF
    .text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 48390000
    .text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 48390FC0
    .text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] WS2_32.dll!socket 71AB3B91 3 Bytes JMP 48370000
    .text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] WS2_32.dll!socket + 4 71AB3B95 1 Byte [D6]
    .text C:\WINDOWS\system32\svchost.exe[1820] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 00A80FEF
    .text C:\WINDOWS\system32\svchost.exe[1820] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 00A80FC3
    .text C:\WINDOWS\system32\svchost.exe[1820] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00A80FD4
    .text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00A70FEF
    .text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00A70058
    .text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00A70F6D
    .text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00A70F7E
    .text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00A70047
    .text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00A70025
    .text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00A70F3E
    .text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00A70090
    .text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00A700BC
    .text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00A700AB
    .text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00A700D7
    .text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00A70036
    .text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00A70FD4
    .text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00A70073
    .text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00A70FC3
    .text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00A70014
    .text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00A70F2D
    .text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00AC0FC3
    .text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00AC0F72
    .text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00AC0FD4
    .text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00AC0000
    .text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00AC002F
    .text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00AC0F97
    .text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00AC0FEF
    .text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00AC0FA8
    .text C:\WINDOWS\system32\svchost.exe[1820] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AB0039
    .text C:\WINDOWS\system32\svchost.exe[1820] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AB0FA4
    .text C:\WINDOWS\system32\svchost.exe[1820] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AB0FC6
    .text C:\WINDOWS\system32\svchost.exe[1820] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AB0000
    .text C:\WINDOWS\system32\svchost.exe[1820] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AB0FB5
    .text C:\WINDOWS\system32\svchost.exe[1820] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AB0FE3
    .text C:\WINDOWS\system32\svchost.exe[1820] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00AA0FEF
    .text C:\WINDOWS\system32\svchost.exe[1820] WININET.dll!InternetOpenA 6302B2D5 5 Bytes JMP 00A90000
    .text C:\WINDOWS\system32\svchost.exe[1820] WININET.dll!InternetOpenW 6302B92E 5 Bytes JMP 00A90FE5
    .text C:\WINDOWS\system32\svchost.exe[1820] WININET.dll!InternetOpenUrlA 6302DEF0 5 Bytes JMP 00A90FD4
    .text C:\WINDOWS\system32\svchost.exe[1820] WININET.dll!InternetOpenUrlW 63077347 5 Bytes JMP 00A90FC3
    .text C:\WINDOWS\System32\svchost.exe[1876] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 0070000A
    .text C:\WINDOWS\System32\svchost.exe[1876] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 00700025
    .text C:\WINDOWS\System32\svchost.exe[1876] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00700FEF
    .text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 006F0FEF
    .text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 006F006F
    .text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 006F0F7A
    .text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 006F0F97
    .text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 006F0054
    .text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 006F0FC3
    .text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 006F0F33
    .text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 006F0F4E
    .text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 006F0F00
    .text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 006F0F11
    .text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 006F0EEF
    .text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 006F0FB2
    .text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 006F000A
    .text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 006F0F5F
    .text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 006F0FD4
    .text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 006F001B
    .text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 006F0F22
    .text C:\WINDOWS\System32\svchost.exe[1876] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 006E0025
    .text C:\WINDOWS\System32\svchost.exe[1876] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 006E0076
    .text C:\WINDOWS\System32\svchost.exe[1876] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 006E0014
    .text C:\WINDOWS\System32\svchost.exe[1876] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 006E0FDE
    .text C:\WINDOWS\System32\svchost.exe[1876] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 006E0FB9
    .text C:\WINDOWS\System32\svchost.exe[1876] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 006E005B
    .text C:\WINDOWS\System32\svchost.exe[1876] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 006E0FEF
    .text C:\WINDOWS\System32\svchost.exe[1876] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 006E0040
    .text C:\WINDOWS\System32\svchost.exe[1876] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006D0F9C
    .text C:\WINDOWS\System32\svchost.exe[1876] msvcrt.dll!system 77C293C7 5 Bytes JMP 006D0FB7
    .text C:\WINDOWS\System32\svchost.exe[1876] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006D0027
    .text C:\WINDOWS\System32\svchost.exe[1876] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006D0000
    .text C:\WINDOWS\System32\svchost.exe[1876] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006D0FD2
    .text C:\WINDOWS\System32\svchost.exe[1876] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006D0FEF
    .text C:\WINDOWS\System32\svchost.exe[1876] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 006C0FEF
    .text C:\WINDOWS\System32\svchost.exe[1924] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 00700000
    .text C:\WINDOWS\System32\svchost.exe[1924] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 00700022
    .text C:\WINDOWS\System32\svchost.exe[1924] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00700011
    .text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 006F0000
    .text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 006F00A8
    .text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 006F0097
    .text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 006F007A
    .text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 006F0069
    .text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 006F0047
    .text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 006F00D9
    .text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 006F0F87
    .text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 006F00FB
    .text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 006F00EA
    .text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 006F010C
    .text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 006F0058
    .text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 006F0FE5
    .text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 006F0F98
    .text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 006F002C
    .text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 006F001B
    .text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 006F0F76
    .text C:\WINDOWS\System32\svchost.exe[1924] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 006E001B
    .text C:\WINDOWS\System32\svchost.exe[1924] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 006E004E
    .text C:\WINDOWS\System32\svchost.exe[1924] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 006E0000
    .text C:\WINDOWS\System32\svchost.exe[1924] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 006E0FCA
    .text C:\WINDOWS\System32\svchost.exe[1924] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 006E003D
    .text C:\WINDOWS\System32\svchost.exe[1924] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 006E002C
    .text C:\WINDOWS\System32\svchost.exe[1924] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 006E0FE5
    .text C:\WINDOWS\System32\svchost.exe[1924] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 006E0FAF
    .text C:\WINDOWS\System32\svchost.exe[1924] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006D005F
    .text C:\WINDOWS\System32\svchost.exe[1924] msvcrt.dll!system 77C293C7 5 Bytes JMP 006D0044
    .text C:\WINDOWS\System32\svchost.exe[1924] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006D0FE5
    .text C:\WINDOWS\System32\svchost.exe[1924] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006D000C
    .text C:\WINDOWS\System32\svchost.exe[1924] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006D0FD4
    .text C:\WINDOWS\System32\svchost.exe[1924] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006D001D
    .text C:\WINDOWS\System32\svchost.exe[1924] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 006C0FEF

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

    Device \FileSystem\Fastfat \Fat B16EFC8A
    Device \FileSystem\Fastfat \Fat B17074F4

    AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

    Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Reporting\EventCache\[email protected] ???Q????? ??????????????????????????????????&???????????????????????????????? ????????????????????????????(?????????????? ??????????????????????????????????????????????? ??????????????????????????????????????????????????????? ????????????????????????????N??????????s??????????? ????????????????????????????"?d??? ???????????????????????????????????????OEM????????????????????t??????????????????????e?????Ascii???? ??????????????s?????????????????d?????????2???C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\ACEWSS.DLL???? ???????????????????????? ?????????????????????????????????? ????????????????????????????"?>??????S?????????????????k?????????????????????????????????????g?????????????????????e??????????????????????????????SharePoint????????????????????????????????????????????????????????s???????>?????????????????Windows SharePoint Services ()????????????????????????????>?????????????????Windows SharePoint Services ()??????? ???????????????????~???????? ????? ???????????????????????r???? ?????????????????????????????????

    ---- EOF - GMER 1.0.15 ----
     

    Attached Files:
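As an added triage helper (not part of this thread, of GMER, or of any tool the helpers use), the Python below parses hook records in the format of the GMER log above, folds split patches such as the `socket + 4` tail into their base hook, and summarises per process which API families are hooked and how many distinct 64 KB regions the JMP targets fall into. The sample lines are copied from the log above; the API family grouping is my own.

```python
"""Triage helper for GMER user-mode hook records (".text ... JMP ...").

Added example, not from the original thread or from GMER. One tight
cluster of JMP targets per process usually points at a single injected
stub or DLL, which must be identified (security product or malware)
before any removal step is taken.
"""
import re
from dataclasses import dataclass

# Format as printed by GMER 1.0.15: section, image[pid], module!export,
# optional "+ offset", patched address, byte count, then either
# "JMP target" or a raw byte list such as "[D6]" for the tail of a split hook.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)"
    r"(?:\s+\+\s+(?P<off>\d+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+Bytes?\s+"
    r"(?:JMP\s+(?P<target>[0-9A-Fa-f]+)|\[(?P<raw>[0-9A-Fa-f ]+)\])\s*$"
)

# My own grouping of the exports seen in the log; "Reg*" is handled by prefix.
API_FAMILIES = {
    "process": {"NtCreateProcess", "CreateProcessA", "CreateProcessW",
                "WinExec", "system", "_wsystem"},
    "file": {"NtCreateFile", "CreateFileA", "CreateFileW", "_open", "_wopen",
             "_creat", "_wcreat", "CreatePipe", "CreateNamedPipeA",
             "CreateNamedPipeW"},
    "memory": {"NtProtectVirtualMemory", "VirtualProtect", "VirtualProtectEx"},
    "loader": {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA",
               "LoadLibraryExW", "GetProcAddress", "GetStartupInfoA",
               "GetStartupInfoW"},
    "network": {"socket", "InternetOpenA", "InternetOpenW",
                "InternetOpenUrlA", "InternetOpenUrlW"},
}


def family_of(func):
    if func.startswith("Reg"):
        return "registry"
    for name, funcs in API_FAMILIES.items():
        if func in funcs:
            return name
    return "other"


@dataclass
class Hook:
    pid: int
    image: str
    module: str
    func: str
    address: int
    nbytes: int
    target: int  # JMP destination; 0 when only a raw-bytes tail was seen


def parse_hooks(text):
    """Parse GMER .text lines; a '+ N' line extends the hook on the same export."""
    hooks = {}  # (pid, module, func) -> Hook, insertion ordered
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        key = (int(m["pid"]), m["module"], m["func"])
        if m["off"] is not None and key in hooks:
            hooks[key].nbytes += int(m["nbytes"])  # fold the split tail in
            continue
        hooks[key] = Hook(
            pid=key[0], image=m["image"], module=m["module"], func=m["func"],
            address=int(m["addr"], 16), nbytes=int(m["nbytes"]),
            target=int(m["target"], 16) if m["target"] else 0,
        )
    return list(hooks.values())


def summarize(hooks):
    """Per PID: image, hook count, hooked API families, distinct 64 KB target regions."""
    out = {}
    for h in hooks:
        s = out.setdefault(h.pid, {"image": h.image, "hooks": 0,
                                   "families": set(), "regions": set()})
        s["hooks"] += 1
        s["families"].add(family_of(h.func))
        if h.target:
            s["regions"].add(h.target >> 16)
    for s in out.values():
        s["families"] = sorted(s["families"])
        s["regions"] = sorted(f"{r:04X}0000" for r in s["regions"])
    return out


# Lines copied from the GMER log posted above.
SAMPLE = r"""
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00FD0F26
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00FD001B
.text C:\WINDOWS\system32\svchost.exe[1732] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 01030FBC
.text C:\WINDOWS\system32\svchost.exe[1732] msvcrt.dll!system 77C293C7 5 Bytes JMP 01020FDE
.text C:\WINDOWS\system32\svchost.exe[1732] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 01010FEF
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 483B0000
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 483A0F44
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] WS2_32.dll!socket 71AB3B91 3 Bytes JMP 48370000
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] WS2_32.dll!socket + 4 71AB3B95 1 Byte [D6]
.text C:\WINDOWS\system32\svchost.exe[1820] WININET.dll!InternetOpenA 6302B2D5 5 Bytes JMP 00A90000
"""

if __name__ == "__main__":
    for pid, s in sorted(summarize(parse_hooks(SAMPLE)).items()):
        print(f"{pid:>5} {s['image']}")
        print(f"      {s['hooks']} hooks; families={s['families']}; "
              f"target regions={s['regions']}")
```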

  12. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,452
    First Name:
    Derek
    OK, I can see a few problems there

    Delete any existing version of ComboFix you have sitting on your desktop
    Please read and follow all these instructions very carefully
    Do not edit or remove any information or user names etc, otherwise we cannot fix the problem. If you insist on editing out anything then I will close the topic & refuse to offer any help.

    Download ComboFix from Here or Here to your Desktop.
    As you download it, rename it to username123.exe


    **Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer**
    --------------------------------------------------------------------
    1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    • Very Important! Temporarily disable your anti-virus and anti-malware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results" or stop combofix running at all.
    • Click on THIS LINK to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
    • Remember to re-enable the protection again after combofix has finished
    --------------------------------------------------------------------
    2. Close any open browsers and any other programs you might have running
    Double click on renamed combofix.exe & follow the prompts.
    If you are using Windows XP, it might display a pop up saying that "Recovery console is not installed, do you want to install?"
    Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
    When finished, it will produce a report for you.
    Please post the "C:\ComboFix.txt" for further review


    ****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns

    Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

    Please tell us if it has cured the problems or if there are any outstanding issues
     
  13. kipcab

    kipcab Thread Starter

    Joined:
    Oct 31, 2011
    Messages:
    11
    Thanks again for the quick response

    Below is the log from the combofix file


    ComboFix 11-11-02.01 - ipulfer 02/11/2011 13:24:04.1.4 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2172 [GMT 0:00]
    Running from: c:\documents and settings\IPulfer\Desktop\username123.exe
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\DragToDiscUserNameD.txt
    c:\documents and settings\IPulfer\Application Data\Adobe\plugs
    c:\documents and settings\IPulfer\Application Data\Adobe\shed
    c:\documents and settings\IPulfer\Application Data\Ibci
    c:\documents and settings\IPulfer\Application Data\Ibci\upfiw.tmp
    c:\documents and settings\IPulfer\g2mdlhlpx.exe
    c:\documents and settings\IPulfer\Local Settings\Application Data\{8BA1591B-E301-42F8-A859-58C6668B05B4}
    c:\documents and settings\IPulfer\Local Settings\Application Data\{8BA1591B-E301-42F8-A859-58C6668B05B4}\chrome.manifest
    c:\documents and settings\IPulfer\Local Settings\Application Data\{8BA1591B-E301-42F8-A859-58C6668B05B4}\chrome\content\_cfg.js
    c:\documents and settings\IPulfer\Local Settings\Application Data\{8BA1591B-E301-42F8-A859-58C6668B05B4}\chrome\content\overlay.xul
    c:\documents and settings\IPulfer\Local Settings\Application Data\{8BA1591B-E301-42F8-A859-58C6668B05B4}\install.rdf
    C:\Install.exe
    c:\windows\Fonts\smaller.ttf
    c:\windows\help\tours\htmltour\unlock_playing.htm
    c:\windows\system32\Cache
    c:\windows\system32\d3d9caps.dat
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-10-02 to 2011-11-02 )))))))))))))))))))))))))))))))
    .
    .
    2011-10-31 16:43 . 2011-10-31 16:43 388096 ----a-r- c:\documents and settings\IPulfer\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-10-31 16:43 . 2011-10-31 16:43 -------- d-----w- c:\program files\Trend Micro
    2011-10-31 15:09 . 2011-10-31 15:09 -------- d-----w- c:\program files\Common Files\Java
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-10-17 08:47 . 2011-05-20 10:22 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-11 11:22 . 2008-09-04 12:41 52096 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
    2011-10-11 11:22 . 2008-09-04 12:41 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
    2011-10-11 11:22 . 2008-09-04 12:41 30592 ----a-w- c:\windows\system32\LMIport.dll
    2011-10-11 11:22 . 2008-09-04 12:41 87424 ----a-w- c:\windows\system32\LMIinit.dll
    2011-10-03 05:06 . 2010-07-12 10:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-10-03 02:37 . 2009-04-20 10:56 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-08-15 09:00 . 2010-07-12 10:38 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2011-08-15 09:00 . 2010-07-12 10:38 89624 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
    2011-08-15 09:00 . 2010-07-12 10:38 87808 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2011-08-15 09:00 . 2010-07-12 10:38 83688 ----a-w- c:\windows\system32\drivers\mfendisk.sys
    2011-08-15 09:00 . 2010-07-12 10:38 59288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2011-08-15 09:00 . 2010-07-12 10:38 57432 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2011-08-15 09:00 . 2010-07-12 10:38 338040 ----a-w- c:\windows\system32\drivers\mfefirek.sys
    2011-08-15 09:00 . 2010-07-12 10:38 180072 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2011-08-15 09:00 . 2010-05-31 19:32 461864 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2011-08-15 09:00 . 2010-05-31 19:32 119808 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    2010-01-12 14:01 . 2008-09-03 15:52 28488 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
    2010-01-12 14:01 . 2008-09-03 15:52 185240 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
    2010-01-12 14:01 . 2008-09-26 09:13 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
    2008-09-26 09:13 . 2008-09-26 09:13 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
    2011-10-04 08:39 . 2011-10-04 08:39 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2011-04-14 13:01 . 2010-07-12 10:38 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\documents and settings\IPulfer\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\documents and settings\IPulfer\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\documents and settings\IPulfer\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\documents and settings\IPulfer\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Starfield Updater"="c:\program files\Workspace\WorkspaceUpdate.exe" [2011-09-01 34496]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Popup"="c:\program files\Dell SAS RAID Storage Manager\MegaPopup\Popup.exe" [2007-07-20 77922]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-13 8523776]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-16 1318552]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-04 1044480]
    "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-02-28 63048]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    hueyTray.lnk - c:\program files\Pantone\huey\hueyTray.exe [2008-6-2 901120]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoWelcomeScreen"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2011-10-11 11:22 87424 ----a-w- c:\windows\system32\LMIinit.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
    2009-07-27 08:27 2356088 ----a-w- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2011-03-07 15:33 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-11-29 17:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
    2006-08-17 09:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ToolBoxFX]
    2006-06-15 07:43 49152 ----a-w- c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "stllssvr"=3 (0x3)
    "gusvc"=3 (0x3)
    "gupdatem"=3 (0x3)
    "gupdate"=2 (0x2)
    "Adobe Version Cue CS3"=3 (0x3)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Dell SAS RAID Storage Manager\\MegaPopup\\popup.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
    "c:\\Program Files\\Spotify\\spotify.exe"=
    "c:\\Documents and Settings\\IPulfer\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
    "3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
    "50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
    "50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
    .
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [12/07/2010 10:38 89624]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2009 11:43 8944]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [17/02/2009 11:43 55024]
    R2 a2AntiMalware;Emsisoft Anti-Malware 5.1 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [29/07/2011 10:08 3029208]
    R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [20/06/2007 14:30 79168]
    R2 File Backup;File Backup Service;c:\program files\Workspace\offSyncService.exe [16/07/2010 12:47 1185008]
    R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [01/10/2010 08:48 374152]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [28/02/2008 14:31 12856]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/07/2010 10:38 214904]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/07/2010 10:38 214904]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/07/2010 10:38 214904]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [12/07/2010 10:39 160344]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\Mcafee\SystemCore\mfevtps.exe [12/07/2010 10:38 148520]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [12/07/2010 10:38 57432]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [12/07/2010 10:38 338040]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [12/07/2010 10:38 83688]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [29/07/2011 08:54 136176]
    S3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [29/07/2011 10:08 73728]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [29/07/2011 08:54 136176]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [25/02/2009 16:33 41272]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [12/07/2010 10:38 83688]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [12/07/2010 10:38 87808]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17/02/2009 11:43 7408]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - mfeavfk01
    *Deregistered* - pxtdrpow
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-10-31 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
    .
    2011-11-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-07-29 08:54]
    .
    2011-11-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-07-29 08:54]
    .
    2011-11-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3720433489-1036791557-356997350-1156Core.job
    - c:\documents and settings\IPulfer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-20 15:50]
    .
    2011-11-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3720433489-1036791557-356997350-1156UA.job
    - c:\documents and settings\IPulfer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-20 15:50]
    .
    2011-11-01 c:\windows\Tasks\ParetoLogic Registration3.job
    - c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2011-03-29 23:17]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com
    mStart Page = hxxp://www.google.com
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\documents and settings\IPulfer\Application Data\Mozilla\Firefox\Profiles\4ydi3o4u.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.getreading.co.uk/
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    - - - - ORPHANS REMOVED - - - -
    .
    ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
    MSConfigStartUp-AppleSyncNotifier - c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    MSConfigStartUp-UVS11 Preload - c:\program files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-11-02 13:50
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1064)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\LMIinit.dll
    c:\windows\system32\LMIRfsClientNP.dll
    .
    Completion time: 2011-11-02 14:00:23
    ComboFix-quarantined-files.txt 2011-11-02 14:00
    ComboFix2.txt 2009-03-06 09:50
    .
    Pre-Run: 185,885,569,024 bytes free
    Post-Run: 185,976,750,080 bytes free
    .
    - - End Of File - - 17493EAE1B773C78106E2309EFEE8EE7
     
  14. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,452
    First Name:
    Derek
    Before we do the next step, it is very likely that the files I am setting combofix to submit for examination have already been deleted by your antivirus so won't exist.
    If CF doesn't make a zip file, then don't worry about it; just post the new report it makes.

    Download the attached CFScript.txt and save it to your desktop (click on the link underneath this post; if you are using Internet Explorer, when the "File download" pop-up comes, press SAVE, choose desktop in the list of selections in that window and press save).
    Disable any antivirus/antimalware/firewall realtime protection or script blocking in the same way you did previously before running combofix & remember to re-enable it when it has finished
    Close any open browsers
    Then drag the CFScript.txt into the ComboFix.exe or renamed combofix icon as shown in the screenshot below.

    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply


    Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system and will not fix your problem. If you have a similar problem start your own topic in the malware fixing forum

    This will create a zip file inside C:\QooBox\quarantine named something like [38][email protected]

    At the end it will pop up an alert and open your browser and ask you to send the zip file.

    Please follow those instructions. We need to see the zip file before we can carry on with the fix.

    If there is no pop-up alert or open browser, then

    please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and, if needed, distribute them to antivirus companies.
    Just press new topic, fill in the needed details and give a link to your post here, then press the browse button and navigate to and select the files on your computer. If there is more than one file, press the more attachments button for each extra file and browse and select it, and when all the files are listed in the window press send to upload the files (do not post HJT logs there as they will not get dealt with).

    Files to submit:
    the zip file inside C:\QooBox\quarantine created by combofix named something like [38][email protected]

    or to
    http://www.bleepingcomputer.com/submit-malware.php?channel=38
     


  15. kipcab

    kipcab Thread Starter

    Joined:
    Oct 31, 2011
    Messages:
    11
    There weren't any zip files created. Below is the log report, as requested.


    ComboFix 11-11-02.01 - ipulfer 02/11/2011 15:10:38.2.4 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2121 [GMT 0:00]
    Running from: c:\documents and settings\IPulfer\Desktop\username123.exe
    Command switches used :: c:\documents and settings\IPulfer\Desktop\CFScript.txt
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-10-02 to 2011-11-02 )))))))))))))))))))))))))))))))
    .
    .
    2011-10-31 16:43 . 2011-10-31 16:43 388096 ----a-r- c:\documents and settings\IPulfer\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-10-31 16:43 . 2011-10-31 16:43 -------- d-----w- c:\program files\Trend Micro
    2011-10-31 15:09 . 2011-10-31 15:09 -------- d-----w- c:\program files\Common Files\Java
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-10-17 08:47 . 2011-05-20 10:22 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-11 11:22 . 2008-09-04 12:41 52096 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
    2011-10-11 11:22 . 2008-09-04 12:41 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
    2011-10-11 11:22 . 2008-09-04 12:41 30592 ----a-w- c:\windows\system32\LMIport.dll
    2011-10-11 11:22 . 2008-09-04 12:41 87424 ----a-w- c:\windows\system32\LMIinit.dll
    2011-10-03 05:06 . 2010-07-12 10:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-10-03 02:37 . 2009-04-20 10:56 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-08-15 09:00 . 2010-07-12 10:38 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2011-08-15 09:00 . 2010-07-12 10:38 89624 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
    2011-08-15 09:00 . 2010-07-12 10:38 87808 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2011-08-15 09:00 . 2010-07-12 10:38 83688 ----a-w- c:\windows\system32\drivers\mfendisk.sys
    2011-08-15 09:00 . 2010-07-12 10:38 59288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2011-08-15 09:00 . 2010-07-12 10:38 57432 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2011-08-15 09:00 . 2010-07-12 10:38 338040 ----a-w- c:\windows\system32\drivers\mfefirek.sys
    2011-08-15 09:00 . 2010-07-12 10:38 180072 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2011-08-15 09:00 . 2010-05-31 19:32 461864 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2011-08-15 09:00 . 2010-05-31 19:32 119808 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    2010-01-12 14:01 . 2008-09-03 15:52 28488 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
    2010-01-12 14:01 . 2008-09-03 15:52 185240 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
    2010-01-12 14:01 . 2008-09-26 09:13 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
    2008-09-26 09:13 . 2008-09-26 09:13 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
    2011-10-04 08:39 . 2011-10-04 08:39 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2011-04-14 13:01 . 2010-07-12 10:38 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ---- Directory of c:\documents and settings\IPulfer\Local Settings\Application Data\syafqedw ----
    .
    .
    .
    ((((((((((((((((((((((((((((( [email protected]_13.50.34 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-11-02 15:36 . 2011-11-02 15:36 16384 c:\windows\TEMP\Perflib_Perfdata_380.dat
    + 2011-11-02 13:55 . 2011-11-02 14:10 1972 c:\windows\SoftwareDistribution\EventCache\{6B08D11F-2AAB-4FB4-B820-2B0CE2A4640D}.bin
    + 2011-11-02 15:38 . 2011-11-02 15:38 1936 c:\windows\SoftwareDistribution\EventCache\{46BB0F6B-67A9-4005-BB37-2DB508C4D4E6}.bin
    + 2011-01-26 12:21 . 2011-11-02 15:40 233777 c:\windows\system32\inetsrv\MetaBase.bin
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\documents and settings\IPulfer\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\documents and settings\IPulfer\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\documents and settings\IPulfer\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\documents and settings\IPulfer\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Starfield Updater"="c:\program files\Workspace\WorkspaceUpdate.exe" [2011-09-01 34496]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Popup"="c:\program files\Dell SAS RAID Storage Manager\MegaPopup\Popup.exe" [2007-07-20 77922]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-13 8523776]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-16 1318552]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-04 1044480]
    "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-02-28 63048]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    hueyTray.lnk - c:\program files\Pantone\huey\hueyTray.exe [2008-6-2 901120]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoWelcomeScreen"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2011-10-11 11:22 87424 ----a-w- c:\windows\system32\LMIinit.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
    2009-07-27 08:27 2356088 ----a-w- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2011-03-07 15:33 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-11-29 17:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
    2006-08-17 09:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ToolBoxFX]
    2006-06-15 07:43 49152 ----a-w- c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "stllssvr"=3 (0x3)
    "gusvc"=3 (0x3)
    "gupdatem"=3 (0x3)
    "gupdate"=2 (0x2)
    "Adobe Version Cue CS3"=3 (0x3)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Dell SAS RAID Storage Manager\\MegaPopup\\popup.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
    "c:\\Program Files\\Spotify\\spotify.exe"=
    "c:\\Documents and Settings\\IPulfer\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
    "3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
    "50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
    "50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
    .
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [12/07/2010 10:38 89624]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2009 11:43 8944]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [17/02/2009 11:43 55024]
    R2 a2AntiMalware;Emsisoft Anti-Malware 5.1 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [29/07/2011 10:08 3029208]
    R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [20/06/2007 14:30 79168]
    R2 File Backup;File Backup Service;c:\program files\Workspace\offSyncService.exe [16/07/2010 12:47 1185008]
    R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [01/10/2010 08:48 374152]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [28/02/2008 14:31 12856]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/07/2010 10:38 214904]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/07/2010 10:38 214904]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/07/2010 10:38 214904]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [12/07/2010 10:39 160344]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\Mcafee\SystemCore\mfevtps.exe [12/07/2010 10:38 148520]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [12/07/2010 10:38 57432]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [12/07/2010 10:38 338040]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [12/07/2010 10:38 83688]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [29/07/2011 08:54 136176]
    S3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [29/07/2011 10:08 73728]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [29/07/2011 08:54 136176]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [25/02/2009 16:33 41272]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [12/07/2010 10:38 83688]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [12/07/2010 10:38 87808]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17/02/2009 11:43 7408]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - mfeavfk01
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-10-31 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
    .
    2011-11-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-07-29 08:54]
    .
    2011-11-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-07-29 08:54]
    .
    2011-11-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3720433489-1036791557-356997350-1156Core.job
    - c:\documents and settings\IPulfer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-20 15:50]
    .
    2011-11-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3720433489-1036791557-356997350-1156UA.job
    - c:\documents and settings\IPulfer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-20 15:50]
    .
    2011-11-01 c:\windows\Tasks\ParetoLogic Registration3.job
    - c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2011-03-29 23:17]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com
    mStart Page = hxxp://www.google.com
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    Trusted Zone: mcafee.com
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\documents and settings\IPulfer\Application Data\Mozilla\Firefox\Profiles\4ydi3o4u.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.getreading.co.uk/
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-11-02 15:50
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1068)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\LMIinit.dll
    c:\windows\system32\LMIRfsClientNP.dll
    .
    - - - - - - - > 'explorer.exe'(3800)
    c:\progra~1\mcafee\SITEAD~1\saHook.dll
    c:\documents and settings\IPulfer\Application Data\Dropbox\bin\DropboxExt.14.dll
    c:\windows\system32\LMIRfsClientNP.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
    c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    c:\windows\system32\inetsrv\inetinfo.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\LogMeIn\x86\LogMeIn.exe
    c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\PSIService.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\windows\system32\UAService7.exe
    c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
    c:\program files\Dell SAS RAID Storage Manager\Framework\VivaldiFramework.exe
    c:\program files\Dell SAS RAID Storage Manager\MegaMonitor\mrmonitor.exe
    c:\program files\Dell SAS RAID Storage Manager\JRE\bin\javaw.exe
    c:\windows\system32\rundll32.exe
    c:\progra~1\mcafee.com\agent\mcagent.exe
    c:\progra~1\mcafee\VIRUSS~1\mcvsshld.exe
    .
    **************************************************************************
    .
    Completion time: 2011-11-02 15:55:04 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-11-02 15:55
    ComboFix2.txt 2011-11-02 14:00
    ComboFix3.txt 2009-03-06 09:50
    .
    Pre-Run: 185,967,869,952 bytes free
    Post-Run: 185,950,892,032 bytes free
    .
    - - End Of File - - C6F0E47D4B47F6995FEDA33EAD157E30
     
Short URL to this thread: https://techguy.org/1024836
