I think I have a virus/malware


kipcab (Thread Starter, joined Oct 31, 2011, 11 messages)
Hi - new member here; hopefully you can help :)

We have a machine here at work that doesn't seem to be running quite right, and we believe it to have either a virus or some kind of malware. We're only a small company, so we don't have an IT department; hopefully you guys can help.

It's a Dell Precision T7400 running Windows XP.

It takes about 20 mins to boot up, and every time we try to run Safe Mode it gives the blue screen with an error of 0X0000007B.

I have set McAfee to do a daily scan, and in its history it's picked up about 15 viruses and 38 trojans, but I don't reckon it has got rid of them all.

Please let me know what I should do/run in order to get you guys to help.
 

flavallee (Frank, Trusted Advisor, joined May 12, 2002, 83,252 messages)
Go here and click the green "Download latest version" link to download and save HiJackThis 2.0.4.

After it's been downloaded and saved, close all open windows first, then double-click the saved file to install it.

Allow it to install in its default location - C:\Program Files.

After it's been installed, start it and then click "Do a system scan and save a log file".

When the scan is finished in less than 30 seconds, a log file will appear.

Save that log file.

Return here to your thread, then copy-and-paste the entire log file here.

-----------------------------------------------------

Start HiJackThis, but don't run a scan.

Click on the "Open The Misc Tools Section" button.

Click on the "Open Uninstall Manager" button.

Click on the "Save List" button.

Save the "uninstall_list.txt" file somewhere.

It'll then open in Notepad.

Return here to your thread, then copy-and-paste the entire file here.

-----------------------------------------------------
 

kipcab (Thread Starter, joined Oct 31, 2011, 11 messages)
Hi - thanks for the quick response.
Here is the first log you requested.


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 16:46, on 31/10/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Emsisoft Anti-Malware\a2service.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Workspace\offSyncService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PSIService.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Dell SAS RAID Storage Manager\Framework\VivaldiFramework.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Dell SAS RAID Storage Manager\JRE\bin\javaw.exe
C:\Program Files\Dell SAS RAID Storage Manager\MegaMonitor\mrmonitor.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Dell SAS RAID Storage Manager\MegaPopup\Popup.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Workspace\WorkspaceUpdate.exe
C:\Program Files\Pantone\huey\hueyTray.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\IPulfer\Application Data\Dropbox\bin\Dropbox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk-rel&channel=uk&ibd=4080301
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\IPulfer\Local Settings\Application Data\syafqedw\bcrrbemn.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20111011113333.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [Popup] "C:\Program Files\Dell SAS RAID Storage Manager\MegaPopup\Popup.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Starfield Updater] "C:\Program Files\Workspace\WorkspaceUpdate.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\IPulfer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: hueyTray.lnk = C:\Program Files\Pantone\huey\hueyTray.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://extravision.webex.com/client/T26L/webex/ieatgpc.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.emails-industry.com/XUpload/XUpload.ocx
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://caconnect.ca.com/dana-cached/sc/JuniperSetupClient.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = industry.local
O17 - HKLM\Software\..\Telephony: DomainName = industry.local
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\mcsniepl.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Emsisoft Anti-Malware 5.1 - Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\Emsisoft Anti-Malware\a2service.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: File Backup Service (File Backup) - Starfield Technologies, Inc. - C:\Program Files\Workspace\offSyncService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: MRMonitor (MegaMonitorSrv) - Unknown owner - C:\Program Files\Dell SAS RAID Storage Manager\MegaMonitor\mrmonitor.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: SSMFramework (MSMFramework) - Unknown owner - C:\Program Files\Dell SAS RAID Storage Manager\Framework\VivaldiFramework.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--
End of file - 13330 bytes




Here is the second log required


2007 Microsoft Office system
32 Bit HP CIO Components Installer
AbleCommerce DataPort
AbleCommerce DataPort 7.0.2
Add or Remove Adobe Creative Suite 3 Design Premium
Adobe AIR
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe BridgeTalk Plugin CS3
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Creative Suite 3 Design Premium
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Flash CS3
Adobe Flash Player 11 Plugin
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Flash Video Encoder
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe InDesign CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Shockwave Player 11.5
Adobe SING CS3
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Version Cue CS3 Server {ko_KR}
Adobe WAS CS3
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AHV content for Acrobat and Flash
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
Broadcom ASF Management Applications
Broadcom Management Programs
Bulk Rename Utility 2.7.1.2
CCleaner
Dell ETS Factory Installation
Dell SAS RAID Storage Manager
EA Download Manager
EditPlus 3
Emsisoft Anti-Malware 5.1
FileZilla Client 3.5.1
Google Earth Plug-in
Google Update Helper
High Definition Audio Driver Package - KB835221
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
HP LaserJet P2015 Series 1.0
HP Software Update
huey 1.0.5
Intel(R) Matrix Storage Manager
InterVideo DeviceService
iPhone Configuration Utility
iTunes
Java(TM) 6 Update 29
KeePass Password Safe 2.07 Beta
Kentico CMS 5.5 R2
LogMeIn
Malwarebytes' Anti-Malware version 1.51.1.1800
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Web Components
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Live Meeting 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Hybrid 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business Connectivity Components
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Management Studio Express
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Mozilla Firefox 7.0.1 (x86 en-GB)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Muse (code name)
Muse (code name)
NVIDIA Drivers
ParetoLogic PC Health Advisor
PDF Settings
phpDesigner version 6.2.5.2
Picasa 3
PowerDVD
QuickTime
RealPlayer
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler
Roxio Update Manager
Security Update for Excel 2007 (KB946974)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB951808)
Security Update for Microsoft Office Word 2007 (KB950113)
Security Update for Office 2007 (KB934062)
Security Update for Office 2007 (KB947801)
Security Update for Outlook 2007 (KB946983)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for the 2007 Microsoft Office System (KB936960)
Security Update for Visio 2007 (KB947590)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
SmartSound Quicktracks Plugin
Sonic Activation Module
SoundMAX
Spotify
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
System Requirements Lab
Unity Web Player
Update for Office 2007 (KB932080)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb950378)
Update for Windows XP (KB894391)
Update for Windows XP (KB896256)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB932823-v3)
WebEx
Windows Driver Package - Microsoft Corporation (usbvideo) Image (05/25/2007 1.0.3656.0)
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Imaging Component
Windows Internet Explorer 8
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
WinRAR archiver
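As an added example (not part of this thread and not HijackThis's own code), the following Python script pulls out of a HijackThis log the entries a malware specialist reads first: the F2 UserInit value, which Windows XP itself sets to userinit.exe alone, so anything appended after the comma also runs at every logon; O4 autostart entries that live inside a user profile folder; O16 ActiveX controls fetched over plain HTTP; and the service-pack level. The sample lines are copied from the log posted above; the severity labels and the check functions are my own.

```python
"""Triage a HijackThis log for the entries a malware specialist checks first."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of lines copied from the log posted in the
# thread, embedded so the script runs offline. Raw string keeps backslashes.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\IPulfer\Local Settings\Application Data\syafqedw\bcrrbemn.exe,
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\IPulfer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.emails-industry.com/XUpload/XUpload.ocx
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
# The only value Windows XP itself puts in UserInit (HijackThis shows the
# expanded path). Every additional executable after the comma runs at logon.
STANDARD_USERINIT = r"c:\windows\system32\userinit.exe"


@dataclass
class Finding:
    severity: str   # "high" = almost never legitimate, "review" = verify by hand
    section: str    # HijackThis section code (F2, O4, O16, ...) or "Platform"
    detail: str


def in_user_profile(path: str) -> bool:
    """True for user-writable profile locations on XP, where droppers often land."""
    p = path.lower()
    return "\\documents and settings\\" in p and (
        "\\local settings\\" in p or "\\application data\\" in p)


def check_userinit(rest: str) -> list[Finding]:
    """F2: every executable listed in UserInit runs at logon; only one belongs."""
    if not rest.startswith("REG:system.ini: UserInit="):
        return []
    value = rest.split("=", 1)[1]
    findings = []
    for exe in (e.strip() for e in value.split(",")):
        if exe and exe.lower() != STANDARD_USERINIT:
            findings.append(Finding("high", "F2", f"extra UserInit executable: {exe}"))
    return findings


def check_run(rest: str) -> list[Finding]:
    """O4: autostart commands living in a user profile need manual verification
    (updaters such as Google Update legitimately live there, so this is 'review')."""
    if in_user_profile(rest):
        return [Finding("review", "O4", f"autostart from user profile: {rest}")]
    return []


def check_dpf(rest: str) -> list[Finding]:
    """O16: an ActiveX control fetched over plain HTTP was never integrity-checked."""
    url = rest.rsplit(" - ", 1)[-1]
    if url.lower().startswith("http://"):
        return [Finding("review", "O16", f"ActiveX control over plain HTTP: {url}")]
    return []


def check_platform(line: str) -> list[Finding]:
    """Header: XP below SP3 is missing years of security updates."""
    m = re.match(r"Platform: Windows XP SP(\d)", line)
    if m and int(m.group(1)) < 3:
        return [Finding("review", "Platform",
                        f"service pack SP{m.group(1)}, SP3 expected")]
    return []


CHECKS = {"F2": check_userinit, "O4": check_run, "O16": check_dpf}


def analyze(log_text: str) -> list[Finding]:
    """Run every check over the log and return findings in log order."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        findings += check_platform(line)
        m = ENTRY_RE.match(line)
        if m and m.group(1) in CHECKS:
            findings += CHECKS[m.group(1)](m.group(2))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.detail}")
```

Run it against a full saved log by reading the file into `analyze()`; a "high" F2 finding is the line to show a helper before doing anything else.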
 

dvk01 (Derek, Retired Moderator, Retired Malware Specialist, joined Dec 14, 2002, 56,452 messages)
Why are you still on SP2, when it should be on SP3?

Follow the advice here and post the logs those programs make.
 

dvk01 (Derek, Retired Moderator, Retired Malware Specialist, joined Dec 14, 2002, 56,452 messages)
Don't update until we have cleaned up the malware first.
 

kipcab (Thread Starter, joined Oct 31, 2011, 11 messages)
Noted.

Will run through the step-by-step guide and let you know.

Thanks.
 

flavallee (Frank, Trusted Advisor, joined May 12, 2002, 83,252 messages)
Follow dvk01's instructions from here on.

--------------------------------------------------------
 

kipcab (Thread Starter, joined Oct 31, 2011, 11 messages)
Hi - here are the logs (I have to load them separately, as for some reason it won't allow me to post them all in one reply).

Thanks for looking at this for us.

O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: MRMonitor (MegaMonitorSrv) - Unknown owner - C:\Program Files\Dell SAS RAID Storage Manager\MegaMonitor\mrmonitor.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: SSMFramework (MSMFramework) - Unknown owner - C:\Program Files\Dell SAS RAID Storage Manager\Framework\VivaldiFramework.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--
End of file - 13330 bytes
 

kipcab

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Run by ipulfer at 17:03:30 on 2011-10-31
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2143 [GMT 0:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\Program Files\Emsisoft Anti-Malware\a2service.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Workspace\offSyncService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PSIService.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Dell SAS RAID Storage Manager\Framework\VivaldiFramework.exe
C:\Program Files\Dell SAS RAID Storage Manager\JRE\bin\javaw.exe
C:\Program Files\Dell SAS RAID Storage Manager\MegaMonitor\mrmonitor.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Dell SAS RAID Storage Manager\MegaPopup\Popup.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Workspace\WorkspaceUpdate.exe
C:\Program Files\Pantone\huey\hueyTray.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\IPulfer\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
uSearch Bar =
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\documents and settings\ipulfer\local settings\application data\syafqedw\bcrrbemn.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111011113333.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Starfield Updater] "c:\program files\workspace\WorkspaceUpdate.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\ipulfer\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [Popup] "c:\program files\dell sas raid storage manager\megapopup\Popup.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hueytray.lnk - c:\program files\pantone\huey\hueyTray.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://extravision.webex.com/client/T26L/webex/ieatgpc.cab
DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} - hxxp://www.emails-industry.com/XUpload/XUpload.ocx
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://caconnect.ca.com/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{BFA56FC5-D58C-4FF1-99F4-DA72D9D0CAE6} : DhcpNameServer = 192.168.1.1
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: LMIinit - LMIinit.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\ipulfer\application data\mozilla\firefox\profiles\4ydi3o4u.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.getreading.co.uk/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\ipulfer\application data\electronic arts\game face\npGameFacePlugin.dll
FF - plugin: c:\documents and settings\ipulfer\application data\mozilla\plugins\npoff.dll
FF - plugin: c:\documents and settings\ipulfer\application data\mozilla\plugins\npoff.dll
FF - plugin: c:\documents and settings\ipulfer\application data\mozilla\plugins\npwbe.dll
FF - plugin: c:\documents and settings\ipulfer\application data\mozilla\plugins\npwbe.dll
FF - plugin: c:\documents and settings\ipulfer\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-5-31 461864]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-7-12 89624]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 a2AntiMalware;Emsisoft Anti-Malware 5.1 - Service;c:\program files\emsisoft anti-malware\a2service.exe [2011-7-29 3029208]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2007-6-20 79168]
R2 File Backup;File Backup Service;c:\program files\workspace\offSyncService.exe [2010-7-16 1185008]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-10-1 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-2-28 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-9-4 47640]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-7-12 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-7-12 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-7-12 214904]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-7-12 166024]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-7-12 160344]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-7-12 148520]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-7-12 57432]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-7-12 180072]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-7-12 59288]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-7-12 338040]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-7-12 83688]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-7-29 136176]
S2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-7-12 214904]
S3 a2acc;a2acc;c:\program files\emsisoft anti-malware\a2accx86.sys [2011-7-29 73728]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-7-29 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-2-25 41272]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-7-12 83688]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-7-12 87808]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2011-10-31 16:43:23 388096 ----a-r- c:\documents and settings\ipulfer\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-10-31 16:43:19 -------- d-----w- c:\program files\Trend Micro
.
==================== Find3M ====================
.
2011-10-17 08:47:07 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-11 11:22:35 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-10-11 11:22:35 52096 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2011-10-11 11:22:33 87424 ----a-w- c:\windows\system32\LMIinit.dll
2011-10-11 11:22:33 30592 ----a-w- c:\windows\system32\LMIport.dll
2011-10-03 05:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 02:37:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-08-15 09:00:06 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-08-15 09:00:06 89624 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-08-15 09:00:06 87808 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-08-15 09:00:06 83688 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-08-15 09:00:06 59288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-08-15 09:00:06 57432 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-08-15 09:00:06 461864 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-08-15 09:00:06 338040 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-08-15 09:00:06 180072 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-08-15 09:00:06 119808 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
.
============= FINISH: 17:07:55.16 ===============
 

kipcab

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-02 09:34:53
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Scsi\SYMMPI1Port1Path0Target0Lun0 ATA_____ rev.G___
Running: fp50ondh.exe; Driver: C:\DOCUME~1\IPulfer\LOCALS~1\Temp\pxtdrpow.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9DB1290]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9DB12A4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9DB12D0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9DB1326]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9DB127C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9DB1254]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9DB1268]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9DB12BA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB9DB12FC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9DB12E6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9DB1350]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9DB133C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9DB1310]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 805040F8 7 Bytes JMP B9DB1314 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B0BC4 7 Bytes JMP B9DB132A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B19D2 5 Bytes JMP B9DB1340 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetSecurityObject 805BEAF0 5 Bytes JMP B9DB1300 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805C9EBA 5 Bytes JMP B9DB1258 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CA146 5 Bytes JMP B9DB126C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D13E4 5 Bytes JMP B9DB1354 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80620992 7 Bytes JMP B9DB12EA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80621CF8 7 Bytes JMP B9DB12BE mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806222D2 5 Bytes JMP B9DB1294 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80622762 7 Bytes JMP B9DB12A8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80622932 7 Bytes JMP B9DB12D4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80623668 5 Bytes JMP B9DB1280 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8CA1360, 0x3475F7, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[500] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 008B0000
.text C:\WINDOWS\system32\svchost.exe[500] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 008B0FE5
.text C:\WINDOWS\system32\svchost.exe[500] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 008B001B
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 008A0FE5
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 008A0F86
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 008A007B
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 008A0054
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 008A0F97
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 008A0FC3
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 008A0F58
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 008A00A0
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 008A00CC
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008A00B1
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 008A00E7
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 008A0FB2
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 008A000A
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 008A0F75
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 008A0FD4
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 008A0025
.text C:\WINDOWS\system32\svchost.exe[500] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 008A0F33
.text C:\WINDOWS\system32\svchost.exe[500] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00890014
.text C:\WINDOWS\system32\svchost.exe[500] ADVAPI32.dll!RegCreateKeyExW 77DD7535 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[500] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00890039
.text C:\WINDOWS\system32\svchost.exe[500] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00890FC3
.text C:\WINDOWS\system32\svchost.exe[500] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00890FD4
.text C:\WINDOWS\system32\svchost.exe[500] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00890F7C
.text C:\WINDOWS\system32\svchost.exe[500] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00890F97
.text C:\WINDOWS\system32\svchost.exe[500] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00890FEF
.text C:\WINDOWS\system32\svchost.exe[500] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00890FB2
.text C:\WINDOWS\system32\svchost.exe[500] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00880F9F
.text C:\WINDOWS\system32\svchost.exe[500] msvcrt.dll!system 77C293C7 5 Bytes JMP 00880FB0
.text C:\WINDOWS\system32\svchost.exe[500] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00880FC1
.text C:\WINDOWS\system32\svchost.exe[500] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00880FEF
.text C:\WINDOWS\system32\svchost.exe[500] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00880020
.text C:\WINDOWS\system32\svchost.exe[500] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00880FDE
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[888] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 01590FEF
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[888] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 0159000A
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[888] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 01590FDE
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[888] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01580FEF
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[888] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01580F69
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[888] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01580F7A
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[888] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 01580054
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[888] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 01580039
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[888] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01580FA8
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[888] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 015800A7
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[888] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01580096
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[888] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 015800E4
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[888] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 015800D3
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[888] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 01580F30
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[888] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 01580F97
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[888] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 0158000A
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[888] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 01580079
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[888] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 01580FC3
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[888] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 01580FDE
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[888] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 015800C2
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[888] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 015B002F
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[888] msvcrt.dll!system 77C293C7 5 Bytes JMP 015B0FA4
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[888] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 015B0FC6
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[888] msvcrt.dll!_open 77C2F566 5 Bytes JMP 015B0000
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[888] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 015B0FB5
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[888] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 015B0FD7
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[888] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 01570036
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[888] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 01570F8A
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[888] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 0157001B
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[888] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 0157000A
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[888] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 01570051
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[888] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 01570FAF
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[888] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 01570FEF
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[888] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 01570FC0
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[888] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 015A0FEF
.text C:\WINDOWS\system32\dllhost.exe[972] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 00090000
.text C:\WINDOWS\system32\dllhost.exe[972] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 00090025
.text C:\WINDOWS\system32\dllhost.exe[972] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00090FE5
.text C:\WINDOWS\system32\dllhost.exe[972] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\system32\dllhost.exe[972] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001B0FA8
.text C:\WINDOWS\system32\dllhost.exe[972] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001B009D
.text C:\WINDOWS\system32\dllhost.exe[972] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001B0082
.text C:\WINDOWS\system32\dllhost.exe[972] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001B0FB9
.text C:\WINDOWS\system32\dllhost.exe[972] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001B0040
.text C:\WINDOWS\system32\dllhost.exe[972] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001B00C2
.text C:\WINDOWS\system32\dllhost.exe[972] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001B0F70
.text C:\WINDOWS\system32\dllhost.exe[972] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001B0F3D
.text C:\WINDOWS\system32\dllhost.exe[972] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001B0F4E
.text C:\WINDOWS\system32\dllhost.exe[972] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 001B00E7
.text C:\WINDOWS\system32\dllhost.exe[972] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 001B005B
.text C:\WINDOWS\system32\dllhost.exe[972] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 001B000A
.text C:\WINDOWS\system32\dllhost.exe[972] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 001B0F97
.text C:\WINDOWS\system32\dllhost.exe[972] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 001B0025
.text C:\WINDOWS\system32\dllhost.exe[972] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 001B0FD4
.text C:\WINDOWS\system32\dllhost.exe[972] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 001B0F5F
.text C:\WINDOWS\system32\dllhost.exe[972] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0029005A
.text C:\WINDOWS\system32\dllhost.exe[972] msvcrt.dll!system 77C293C7 5 Bytes JMP 00290FCF
.text C:\WINDOWS\system32\dllhost.exe[972] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00290038
.text C:\WINDOWS\system32\dllhost.exe[972] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0029000C
.text C:\WINDOWS\system32\dllhost.exe[972] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00290049
.text C:\WINDOWS\system32\dllhost.exe[972] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0029001D
.text C:\WINDOWS\system32\dllhost.exe[972] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 002A002F
.text C:\WINDOWS\system32\dllhost.exe[972] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 002A0065
.text C:\WINDOWS\system32\dllhost.exe[972] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 002A0FDE
.text C:\WINDOWS\system32\dllhost.exe[972] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 002A0014
.text C:\WINDOWS\system32\dllhost.exe[972] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 002A0F9E
.text C:\WINDOWS\system32\dllhost.exe[972] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 002A0040
.text C:\WINDOWS\system32\dllhost.exe[972] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\system32\dllhost.exe[972] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 002A0FC3
.text C:\WINDOWS\system32\dllhost.exe[972] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 007A000A
.text C:\WINDOWS\system32\services.exe[1108] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 00A3000A
.text C:\WINDOWS\system32\services.exe[1108] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 00A30025
.text C:\WINDOWS\system32\services.exe[1108] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00A30FEF
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00A10000
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00A10090
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00A10F9B
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00A10075
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00A10058
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00A10FC7
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00A100B7
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00A10F6F
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00A10F43
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00A10F5E
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00A100F7
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00A10FB6
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00A10011
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00A10F80
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00A10033
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00A10022
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00A100DC
.text C:\WINDOWS\system32\services.exe[1108] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FF004C
.text C:\WINDOWS\system32\services.exe[1108] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FF0FB7
.text C:\WINDOWS\system32\services.exe[1108] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FF0FD2
.text C:\WINDOWS\system32\services.exe[1108] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FF000C
.text C:\WINDOWS\system32\services.exe[1108] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FF0027
.text C:\WINDOWS\system32\services.exe[1108] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FF0FE3
.text C:\WINDOWS\system32\services.exe[1108] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 012E0FC0
.text C:\WINDOWS\system32\services.exe[1108] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 012E0F83
.text C:\WINDOWS\system32\services.exe[1108] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 012E0FD1
.text C:\WINDOWS\system32\services.exe[1108] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 012E0011
.text C:\WINDOWS\system32\services.exe[1108] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 012E0F9E
.text C:\WINDOWS\system32\services.exe[1108] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 012E0FAF
.text C:\WINDOWS\system32\services.exe[1108] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 012E0000
.text C:\WINDOWS\system32\services.exe[1108] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 012E002C
.text C:\WINDOWS\system32\services.exe[1108] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00A40FEF
.text C:\WINDOWS\system32\lsass.exe[1120] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 00E10FEF
.text C:\WINDOWS\system32\lsass.exe[1120] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 00E10FD4
.text C:\WINDOWS\system32\lsass.exe[1120] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00E1000A
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00E00FEF
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00E00F7E
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00E0007D
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00E0006C
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00E00FAF
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00E0004A
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00E00F59
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00E0009F
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00E000E1
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00E000C6
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00E000F2
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00E0005B
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00E0000A
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00E0008E
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00E00FD4
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00E00025
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00E00F48
.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00E50FCA
.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00E50F79
.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00E5001B
.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00E50FEF
.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00E50F8A
.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00E50FA5
.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00E5000A
.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00E50036
.text C:\WINDOWS\system32\lsass.exe[1120] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E30FAD
.text C:\WINDOWS\system32\lsass.exe[1120] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E30038
.text C:\WINDOWS\system32\lsass.exe[1120] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E3000C
.text C:\WINDOWS\system32\lsass.exe[1120] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E30FEF
.text C:\WINDOWS\system32\lsass.exe[1120] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E3001D
.text C:\WINDOWS\system32\lsass.exe[1120] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E30FDE
.text C:\WINDOWS\system32\lsass.exe[1120] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00E20000
.text C:\WINDOWS\Explorer.EXE[1272] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 00090FE5
.text C:\WINDOWS\Explorer.EXE[1272] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 00090FAF
.text C:\WINDOWS\Explorer.EXE[1272] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00090FD4
.text C:\WINDOWS\Explorer.EXE[1272] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\Explorer.EXE[1272] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001B0F86
.text C:\WINDOWS\Explorer.EXE[1272] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001B0071
.text C:\WINDOWS\Explorer.EXE[1272] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001B0054
.text C:\WINDOWS\Explorer.EXE[1272] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001B0039
.text C:\WINDOWS\Explorer.EXE[1272] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001B0FA8
.text C:\WINDOWS\Explorer.EXE[1272] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001B0F55
.text C:\WINDOWS\Explorer.EXE[1272] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001B00A7
.text C:\WINDOWS\Explorer.EXE[1272] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001B00C9
.text C:\WINDOWS\Explorer.EXE[1272] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001B00B8
.text C:\WINDOWS\Explorer.EXE[1272] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 001B00DA
.text C:\WINDOWS\Explorer.EXE[1272] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 001B0F97
.text C:\WINDOWS\Explorer.EXE[1272] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 001B0FDE
.text C:\WINDOWS\Explorer.EXE[1272] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 001B0096
.text C:\WINDOWS\Explorer.EXE[1272] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 001B0014
.text C:\WINDOWS\Explorer.EXE[1272] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 001B0FCD
.text C:\WINDOWS\Explorer.EXE[1272] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 001B0F3A
.text C:\WINDOWS\Explorer.EXE[1272] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00290051
.text C:\WINDOWS\Explorer.EXE[1272] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00290FAF
.text C:\WINDOWS\Explorer.EXE[1272] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 0029002C
.text C:\WINDOWS\Explorer.EXE[1272] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 0029001B
.text C:\WINDOWS\Explorer.EXE[1272] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00290FCA
.text C:\WINDOWS\Explorer.EXE[1272] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 0029006C
.text C:\WINDOWS\Explorer.EXE[1272] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 0029000A
.text C:\WINDOWS\Explorer.EXE[1272] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00290FE5
.text C:\WINDOWS\Explorer.EXE[1272] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0042
.text C:\WINDOWS\Explorer.EXE[1272] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A0FB7
.text C:\WINDOWS\Explorer.EXE[1272] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A001D
.text C:\WINDOWS\Explorer.EXE[1272] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\Explorer.EXE[1272] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A0FC8
.text C:\WINDOWS\Explorer.EXE[1272] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A000C
.text C:\WINDOWS\Explorer.EXE[1272] WININET.dll!InternetOpenA 6302B2D5 5 Bytes JMP 002C0FEF
.text C:\WINDOWS\Explorer.EXE[1272] WININET.dll!InternetOpenW 6302B92E 5 Bytes JMP 002C0FD4
.text C:\WINDOWS\Explorer.EXE[1272] WININET.dll!InternetOpenUrlA 6302DEF0 5 Bytes JMP 002C0000
.text C:\WINDOWS\Explorer.EXE[1272] WININET.dll!InternetOpenUrlW 63077347 5 Bytes JMP 002C0011
.text C:\WINDOWS\Explorer.EXE[1272] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00DF0000
.text C:\WINDOWS\system32\svchost.exe[1372] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 00850FEF
.text C:\WINDOWS\system32\svchost.exe[1372] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 0085001B
.text C:\WINDOWS\system32\svchost.exe[1372] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 0085000A
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00840FE5
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00840F48
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0084003D
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 0084002C
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 0084001B
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00840F9E
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00840075
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00840064
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00840086
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00840EED
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 008400A1
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00840F79
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00840000
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00840F37
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00840FB9
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00840FCA
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00840F08
.text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 0088000A
.text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00880F83
.text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00880FAF
.text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00880FCA
.text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00880040
.text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00880F9E
.text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00880FEF
.text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 0088001B
.text C:\WINDOWS\system32\svchost.exe[1372] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00870F97
.text C:\WINDOWS\system32\svchost.exe[1372] msvcrt.dll!system 77C293C7 5 Bytes JMP 00870FA8
.text C:\WINDOWS\system32\svchost.exe[1372] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00870011
.text C:\WINDOWS\system32\svchost.exe[1372] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00870000
.text C:\WINDOWS\system32\svchost.exe[1372] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00870022
.text C:\WINDOWS\system32\svchost.exe[1372] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00870FE3
.text C:\WINDOWS\system32\svchost.exe[1372] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00860FE5
.text C:\WINDOWS\system32\svchost.exe[1448] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 00A00000
.text C:\WINDOWS\system32\svchost.exe[1448] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 00A00FCA
.text C:\WINDOWS\system32\svchost.exe[1448] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00A00FE5
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 009F0FEF
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 009F006F
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 009F0054
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 009F0F70
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 009F0039
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 009F0FAB
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 009F0F55
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 009F00A7
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 009F0F18
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 009F0F29
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 009F00C2
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 009F0028
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 009F0FDE
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 009F0080
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 009F0FBC
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 009F0FCD
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 009F0F3A
.text C:\WINDOWS\system32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00A30FB2
.text C:\WINDOWS\system32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00A3004A
.text C:\WINDOWS\system32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00A30FC3
.text C:\WINDOWS\system32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00A30FD4
.text C:\WINDOWS\system32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00A30F8D
.text C:\WINDOWS\system32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00A3002F
.text C:\WINDOWS\system32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00A30FE5
.text C:\WINDOWS\system32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00A3001E
.text C:\WINDOWS\system32\svchost.exe[1448] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A20FC8
.text C:\WINDOWS\system32\svchost.exe[1448] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A20053
.text C:\WINDOWS\system32\svchost.exe[1448] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A20027
.text C:\WINDOWS\system32\svchost.exe[1448] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A20000
.text C:\WINDOWS\system32\svchost.exe[1448] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A20038
.text C:\WINDOWS\system32\svchost.exe[1448] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A20FE3
.text C:\WINDOWS\system32\svchost.exe[1448] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00A1000A
.text C:\WINDOWS\System32\svchost.exe[1572] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 025A0FE5
.text C:\WINDOWS\System32\svchost.exe[1572] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 025A0000
.text C:\WINDOWS\System32\svchost.exe[1572] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 025A0FCA
.text C:\WINDOWS\System32\svchost.exe[1572] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 02590FE5
.text C:\WINDOWS\System32\svchost.exe[1572] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 02590F15
.text C:\WINDOWS\System32\svchost.exe[1572] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 02590014
.text C:\WINDOWS\System32\svchost.exe[1572] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 02590F46
.text C:\WINDOWS\System32\svchost.exe[1572] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 02590F57
.text C:\WINDOWS\System32\svchost.exe[1572] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 02590F8D
.text C:\WINDOWS\System32\svchost.exe[1572] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 02590042
.text C:\WINDOWS\System32\svchost.exe[1572] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 02590025
.text C:\WINDOWS\System32\svchost.exe[1572] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 02590EBD
.text C:\WINDOWS\System32\svchost.exe[1572] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 02590ECE
.text C:\WINDOWS\System32\svchost.exe[1572] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 02590071
.text C:\WINDOWS\System32\svchost.exe[1572] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 02590F7C
.text C:\WINDOWS\System32\svchost.exe[1572] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 02590FD4
.text C:\WINDOWS\System32\svchost.exe[1572] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 02590EFA
.text C:\WINDOWS\System32\svchost.exe[1572] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 02590FA8
.text C:\WINDOWS\System32\svchost.exe[1572] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 02590FB9
.text C:\WINDOWS\System32\svchost.exe[1572] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 02590EE9
.text C:\WINDOWS\System32\svchost.exe[1572] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 02720FDB
.text C:\WINDOWS\System32\svchost.exe[1572] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 02720F9E
.text C:\WINDOWS\System32\svchost.exe[1572] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 0272002C
.text C:\WINDOWS\System32\svchost.exe[1572] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 02720011
.text C:\WINDOWS\System32\svchost.exe[1572] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 02720FB9
.text C:\WINDOWS\System32\svchost.exe[1572] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 02720051
.text C:\WINDOWS\System32\svchost.exe[1572] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 02720000
.text C:\WINDOWS\System32\svchost.exe[1572] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 02720FCA
.text C:\WINDOWS\System32\svchost.exe[1572] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02700025
.text C:\WINDOWS\System32\svchost.exe[1572] msvcrt.dll!system 77C293C7 5 Bytes JMP 0270000A
.text C:\WINDOWS\System32\svchost.exe[1572] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02700FB5
.text C:\WINDOWS\System32\svchost.exe[1572] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02700FEF
.text C:\WINDOWS\System32\svchost.exe[1572] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02700FA4
.text C:\WINDOWS\System32\svchost.exe[1572] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02700FC6
.text C:\WINDOWS\System32\svchost.exe[1572] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 026F0000
.text C:\WINDOWS\System32\svchost.exe[1572] WININET.dll!InternetOpenA 6302B2D5 5 Bytes JMP 026E0FE5
.text C:\WINDOWS\System32\svchost.exe[1572] WININET.dll!InternetOpenW 6302B92E 5 Bytes JMP 026E0FCA
.text C:\WINDOWS\System32\svchost.exe[1572] WININET.dll!InternetOpenUrlA 6302DEF0 5 Bytes JMP 026E0000
.text C:\WINDOWS\System32\svchost.exe[1572] WININET.dll!InternetOpenUrlW 63077347 5 Bytes JMP 026E0FAF
.text C:\WINDOWS\system32\svchost.exe[1732] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 00FF000A
.text C:\WINDOWS\system32\svchost.exe[1732] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 00FF001B
.text C:\WINDOWS\system32\svchost.exe[1732] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00FD000A
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00FD0F68
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00FD0F8D
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00FD0F9E
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00FD005B
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00FD0FCA
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00FD0F41
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00FD0093
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00FD0F15
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00FD0F26
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00FD0EFA
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00FD0FB9
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00FD001B
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00FD0078
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00FD0036
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00FD0FEF
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00FD00A4
.text C:\WINDOWS\system32\svchost.exe[1732] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 01030FBC
.text C:\WINDOWS\system32\svchost.exe[1732] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 01030F7F
.text C:\WINDOWS\system32\svchost.exe[1732] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 01030FCD
.text C:\WINDOWS\system32\svchost.exe[1732] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 01030FDE
.text C:\WINDOWS\system32\svchost.exe[1732] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 01030F90
.text C:\WINDOWS\system32\svchost.exe[1732] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 01030FA1
.text C:\WINDOWS\system32\svchost.exe[1732] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 01030FEF
.text C:\WINDOWS\system32\svchost.exe[1732] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 01030028
.text C:\WINDOWS\system32\svchost.exe[1732] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01020FC3
.text C:\WINDOWS\system32\svchost.exe[1732] msvcrt.dll!system 77C293C7 5 Bytes JMP 01020FDE
.text C:\WINDOWS\system32\svchost.exe[1732] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01020FEF
.text C:\WINDOWS\system32\svchost.exe[1732] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01020000
.text C:\WINDOWS\system32\svchost.exe[1732] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0102004E
.text C:\WINDOWS\system32\svchost.exe[1732] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01020029
.text C:\WINDOWS\system32\svchost.exe[1732] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 01010FEF
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 483B0000
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 483B0036
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 483B0025
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 483A0FEF
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 483A0F33
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 483A0F44
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 483A0F61
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 483A0F72
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 483A0014
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 483A0085
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 483A005E
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 483A00A0
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 483A0EFD
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 483A0EEC
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 483A0F8D
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 483A0FD4
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 483A0043
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 483A0FA8
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 483A0FC3
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 483A0F22
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 48380053
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] msvcrt.dll!system 77C293C7 5 Bytes JMP 48380042
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 48380016
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] msvcrt.dll!_open 77C2F566 5 Bytes JMP 48380FEF
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 48380027
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 48380FDE
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 4839002C
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 4839005B
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 48390FDB
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 48390011
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 48390F9E
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 48390FAF
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 48390000
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 48390FC0
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] WS2_32.dll!socket 71AB3B91 3 Bytes JMP 48370000
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1780] WS2_32.dll!socket + 4 71AB3B95 1 Byte [D6]
.text C:\WINDOWS\system32\svchost.exe[1820] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 00A80FEF
.text C:\WINDOWS\system32\svchost.exe[1820] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 00A80FC3
.text C:\WINDOWS\system32\svchost.exe[1820] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00A80FD4
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00A70FEF
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00A70058
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00A70F6D
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00A70F7E
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00A70047
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00A70025
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00A70F3E
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00A70090
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00A700BC
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00A700AB
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00A700D7
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00A70036
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00A70FD4
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00A70073
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00A70FC3
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00A70014
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00A70F2D
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00AC0FC3
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00AC0F72
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00AC0FD4
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00AC0000
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00AC002F
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00AC0F97
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00AC0FEF
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00AC0FA8
.text C:\WINDOWS\system32\svchost.exe[1820] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AB0039
.text C:\WINDOWS\system32\svchost.exe[1820] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AB0FA4
.text C:\WINDOWS\system32\svchost.exe[1820] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AB0FC6
.text C:\WINDOWS\system32\svchost.exe[1820] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AB0000
.text C:\WINDOWS\system32\svchost.exe[1820] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AB0FB5
.text C:\WINDOWS\system32\svchost.exe[1820] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AB0FE3
.text C:\WINDOWS\system32\svchost.exe[1820] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00AA0FEF
.text C:\WINDOWS\system32\svchost.exe[1820] WININET.dll!InternetOpenA 6302B2D5 5 Bytes JMP 00A90000
.text C:\WINDOWS\system32\svchost.exe[1820] WININET.dll!InternetOpenW 6302B92E 5 Bytes JMP 00A90FE5
.text C:\WINDOWS\system32\svchost.exe[1820] WININET.dll!InternetOpenUrlA 6302DEF0 5 Bytes JMP 00A90FD4
.text C:\WINDOWS\system32\svchost.exe[1820] WININET.dll!InternetOpenUrlW 63077347 5 Bytes JMP 00A90FC3
.text C:\WINDOWS\System32\svchost.exe[1876] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 0070000A
.text C:\WINDOWS\System32\svchost.exe[1876] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 00700025
.text C:\WINDOWS\System32\svchost.exe[1876] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00700FEF
.text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 006F0FEF
.text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 006F006F
.text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 006F0F7A
.text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 006F0F97
.text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 006F0054
.text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 006F0FC3
.text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 006F0F33
.text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 006F0F4E
.text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 006F0F00
.text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 006F0F11
.text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 006F0EEF
.text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 006F0FB2
.text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 006F000A
.text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 006F0F5F
.text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 006F0FD4
.text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 006F001B
.text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 006F0F22
.text C:\WINDOWS\System32\svchost.exe[1876] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 006E0025
.text C:\WINDOWS\System32\svchost.exe[1876] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 006E0076
.text C:\WINDOWS\System32\svchost.exe[1876] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 006E0014
.text C:\WINDOWS\System32\svchost.exe[1876] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 006E0FDE
.text C:\WINDOWS\System32\svchost.exe[1876] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 006E0FB9
.text C:\WINDOWS\System32\svchost.exe[1876] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 006E005B
.text C:\WINDOWS\System32\svchost.exe[1876] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 006E0FEF
.text C:\WINDOWS\System32\svchost.exe[1876] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 006E0040
.text C:\WINDOWS\System32\svchost.exe[1876] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006D0F9C
.text C:\WINDOWS\System32\svchost.exe[1876] msvcrt.dll!system 77C293C7 5 Bytes JMP 006D0FB7
.text C:\WINDOWS\System32\svchost.exe[1876] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006D0027
.text C:\WINDOWS\System32\svchost.exe[1876] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006D0000
.text C:\WINDOWS\System32\svchost.exe[1876] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006D0FD2
.text C:\WINDOWS\System32\svchost.exe[1876] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006D0FEF
.text C:\WINDOWS\System32\svchost.exe[1876] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 006C0FEF
.text C:\WINDOWS\System32\svchost.exe[1924] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 00700000
.text C:\WINDOWS\System32\svchost.exe[1924] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 00700022
.text C:\WINDOWS\System32\svchost.exe[1924] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00700011
.text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 006F0000
.text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 006F00A8
.text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 006F0097
.text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 006F007A
.text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 006F0069
.text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 006F0047
.text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 006F00D9
.text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 006F0F87
.text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 006F00FB
.text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 006F00EA
.text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 006F010C
.text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 006F0058
.text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 006F0FE5
.text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 006F0F98
.text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 006F002C
.text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 006F001B
.text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 006F0F76
.text C:\WINDOWS\System32\svchost.exe[1924] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 006E001B
.text C:\WINDOWS\System32\svchost.exe[1924] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 006E004E
.text C:\WINDOWS\System32\svchost.exe[1924] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 006E0000
.text C:\WINDOWS\System32\svchost.exe[1924] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 006E0FCA
.text C:\WINDOWS\System32\svchost.exe[1924] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 006E003D
.text C:\WINDOWS\System32\svchost.exe[1924] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 006E002C
.text C:\WINDOWS\System32\svchost.exe[1924] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 006E0FE5
.text C:\WINDOWS\System32\svchost.exe[1924] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 006E0FAF
.text C:\WINDOWS\System32\svchost.exe[1924] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006D005F
.text C:\WINDOWS\System32\svchost.exe[1924] msvcrt.dll!system 77C293C7 5 Bytes JMP 006D0044
.text C:\WINDOWS\System32\svchost.exe[1924] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006D0FE5
.text C:\WINDOWS\System32\svchost.exe[1924] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006D000C
.text C:\WINDOWS\System32\svchost.exe[1924] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006D0FD4
.text C:\WINDOWS\System32\svchost.exe[1924] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006D001D
.text C:\WINDOWS\System32\svchost.exe[1924] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 006C0FEF

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat B16EFC8A
Device \FileSystem\Fastfat \Fat B17074F4

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Reporting\EventCache\[email protected] ???Q????? ??????????????????????????????????&???????????????????????????????? ????????????????????????????(?????????????? ??????????????????????????????????????????????? ??????????????????????????????????????????????????????? ????????????????????????????N??????????s??????????? ????????????????????????????"?d??? ???????????????????????????????????????OEM????????????????????t??????????????????????e?????Ascii???? ??????????????s?????????????????d?????????2???C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\ACEWSS.DLL???? ???????????????????????? ?????????????????????????????????? ????????????????????????????"?>??????S?????????????????k?????????????????????????????????????g?????????????????????e??????????????????????????????SharePoint????????????????????????????????????????????????????????s???????>?????????????????Windows SharePoint Services ()????????????????????????????>?????????????????Windows SharePoint Services ()??????? ???????????????????~???????? ????? ???????????????????????r???? ?????????????????????????????????

---- EOF - GMER 1.0.15 ----
 


dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
OK I can see a few problems there

Delete any existing version of ComboFix you have sitting on your desktop
Please read and follow all these instructions very carefully
Do not edit or remove any information or user names etc., otherwise we cannot fix the problem. If you insist on editing out anything then I will close the topic & refuse to offer any help.

Download ComboFix from Here or Here to your Desktop.
As you download it, rename it to username123.exe


**Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer**
--------------------------------------------------------------------
1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • Very Important! Temporarily disable your anti-virus and anti-malware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results" or stop combofix running at all.
  • Click on THIS LINK to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re-enable the protection again after combofix has finished.
--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running.
Double-click on the renamed combofix.exe & follow the prompts.
If you are using Windows XP, it might display a pop-up saying that "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this. Once the recovery console is installed, Combofix will then offer to scan for malware. Select continue or yes.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" for further review.


****Note: Do not mouse-click combofix's window while it's running. That may cause it to stall or freeze.****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

Please tell us if it has cured the problems or if there are any outstanding issues.
 

kipcab

Thread Starter
Joined
Oct 31, 2011
Messages
11
Thanks again for the quick response.

Below is the log from the combofix file.


ComboFix 11-11-02.01 - ipulfer 02/11/2011 13:24:04.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2172 [GMT 0:00]
Running from: c:\documents and settings\IPulfer\Desktop\username123.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\DragToDiscUserNameD.txt
c:\documents and settings\IPulfer\Application Data\Adobe\plugs
c:\documents and settings\IPulfer\Application Data\Adobe\shed
c:\documents and settings\IPulfer\Application Data\Ibci
c:\documents and settings\IPulfer\Application Data\Ibci\upfiw.tmp
c:\documents and settings\IPulfer\g2mdlhlpx.exe
c:\documents and settings\IPulfer\Local Settings\Application Data\{8BA1591B-E301-42F8-A859-58C6668B05B4}
c:\documents and settings\IPulfer\Local Settings\Application Data\{8BA1591B-E301-42F8-A859-58C6668B05B4}\chrome.manifest
c:\documents and settings\IPulfer\Local Settings\Application Data\{8BA1591B-E301-42F8-A859-58C6668B05B4}\chrome\content\_cfg.js
c:\documents and settings\IPulfer\Local Settings\Application Data\{8BA1591B-E301-42F8-A859-58C6668B05B4}\chrome\content\overlay.xul
c:\documents and settings\IPulfer\Local Settings\Application Data\{8BA1591B-E301-42F8-A859-58C6668B05B4}\install.rdf
C:\Install.exe
c:\windows\Fonts\smaller.ttf
c:\windows\help\tours\htmltour\unlock_playing.htm
c:\windows\system32\Cache
c:\windows\system32\d3d9caps.dat
.
.
((((((((((((((((((((((((( Files Created from 2011-10-02 to 2011-11-02 )))))))))))))))))))))))))))))))
.
.
2011-10-31 16:43 . 2011-10-31 16:43 388096 ----a-r- c:\documents and settings\IPulfer\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-10-31 16:43 . 2011-10-31 16:43 -------- d-----w- c:\program files\Trend Micro
2011-10-31 15:09 . 2011-10-31 15:09 -------- d-----w- c:\program files\Common Files\Java
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-17 08:47 . 2011-05-20 10:22 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-11 11:22 . 2008-09-04 12:41 52096 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2011-10-11 11:22 . 2008-09-04 12:41 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-10-11 11:22 . 2008-09-04 12:41 30592 ----a-w- c:\windows\system32\LMIport.dll
2011-10-11 11:22 . 2008-09-04 12:41 87424 ----a-w- c:\windows\system32\LMIinit.dll
2011-10-03 05:06 . 2010-07-12 10:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 02:37 . 2009-04-20 10:56 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-08-15 09:00 . 2010-07-12 10:38 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-08-15 09:00 . 2010-07-12 10:38 89624 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-08-15 09:00 . 2010-07-12 10:38 87808 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-08-15 09:00 . 2010-07-12 10:38 83688 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-08-15 09:00 . 2010-07-12 10:38 59288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-08-15 09:00 . 2010-07-12 10:38 57432 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-08-15 09:00 . 2010-07-12 10:38 338040 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-08-15 09:00 . 2010-07-12 10:38 180072 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-08-15 09:00 . 2010-05-31 19:32 461864 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-08-15 09:00 . 2010-05-31 19:32 119808 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-01-12 14:01 . 2008-09-03 15:52 28488 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2010-01-12 14:01 . 2008-09-03 15:52 185240 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2010-01-12 14:01 . 2008-09-26 09:13 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2008-09-26 09:13 . 2008-09-26 09:13 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2011-10-04 08:39 . 2011-10-04 08:39 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-14 13:01 . 2010-07-12 10:38 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\IPulfer\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\IPulfer\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\IPulfer\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\IPulfer\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Starfield Updater"="c:\program files\Workspace\WorkspaceUpdate.exe" [2011-09-01 34496]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Popup"="c:\program files\Dell SAS RAID Storage Manager\MegaPopup\Popup.exe" [2007-07-20 77922]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-13 8523776]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-16 1318552]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-04 1044480]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-02-28 63048]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
hueyTray.lnk - c:\program files\Pantone\huey\hueyTray.exe [2008-6-2 901120]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2011-10-11 11:22 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2009-07-27 08:27 2356088 ----a-w- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 15:33 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 17:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 09:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ToolBoxFX]
2006-06-15 07:43 49152 ----a-w- c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"stllssvr"=3 (0x3)
"gusvc"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"Adobe Version Cue CS3"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell SAS RAID Storage Manager\\MegaPopup\\popup.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Documents and Settings\\IPulfer\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [12/07/2010 10:38 89624]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2009 11:43 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [17/02/2009 11:43 55024]
R2 a2AntiMalware;Emsisoft Anti-Malware 5.1 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [29/07/2011 10:08 3029208]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [20/06/2007 14:30 79168]
R2 File Backup;File Backup Service;c:\program files\Workspace\offSyncService.exe [16/07/2010 12:47 1185008]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [01/10/2010 08:48 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [28/02/2008 14:31 12856]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/07/2010 10:38 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/07/2010 10:38 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/07/2010 10:38 214904]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [12/07/2010 10:39 160344]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\Mcafee\SystemCore\mfevtps.exe [12/07/2010 10:38 148520]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [12/07/2010 10:38 57432]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [12/07/2010 10:38 338040]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [12/07/2010 10:38 83688]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [29/07/2011 08:54 136176]
S3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [29/07/2011 10:08 73728]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [29/07/2011 08:54 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [25/02/2009 16:33 41272]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [12/07/2010 10:38 83688]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [12/07/2010 10:38 87808]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17/02/2009 11:43 7408]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
*Deregistered* - pxtdrpow
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
.
2011-11-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-29 08:54]
.
2011-11-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-29 08:54]
.
2011-11-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3720433489-1036791557-356997350-1156Core.job
- c:\documents and settings\IPulfer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-20 15:50]
.
2011-11-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3720433489-1036791557-356997350-1156UA.job
- c:\documents and settings\IPulfer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-20 15:50]
.
2011-11-01 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2011-03-29 23:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\IPulfer\Application Data\Mozilla\Firefox\Profiles\4ydi3o4u.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.getreading.co.uk/
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
MSConfigStartUp-AppleSyncNotifier - c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
MSConfigStartUp-UVS11 Preload - c:\program files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-02 13:50
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1064)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2011-11-02 14:00:23
ComboFix-quarantined-files.txt 2011-11-02 14:00
ComboFix2.txt 2009-03-06 09:50
.
Pre-Run: 185,885,569,024 bytes free
Post-Run: 185,976,750,080 bytes free
.
- - End Of File - - 17493EAE1B773C78106E2309EFEE8EE7
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Before we do the next step, it is very likely that the files I am setting combofix to submit for examination have already been deleted by your antivirus so won't exist.
If CF doesn't make a zip file, then don't worry about it, just post the new report it makes.

Download the attached CFScript.txt and save it to your desktop (click on the link underneath this post; if you are using Internet Explorer, when the "File download" pop-up comes, press SAVE, choose desktop in the list of selections in that window and press save).
Disable any antivirus/antimalware/firewall realtime protection or script blocking in the same way you did previously before running ComboFix, and remember to re-enable it when it has finished.
Close any open browsers.
Then drag the CFScript.txt onto the ComboFix.exe or renamed ComboFix icon as shown in the screenshot below.
This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.


Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system and will not fix your problem. If you have a similar problem start your own topic in the malware fixing forum

This will create a zip file inside C:\QooBox\quarantine named something like [38][email protected]

At the end it will pop up an alert and open your browser and ask you to send the zip file.

Please follow those instructions. We need to see the zip file before we can carry on with the fix.

If there is no pop-up alert or open browser, then:

Please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and, if needed, distribute them to antivirus companies.
Just press new topic, fill in the needed details and just give a link to your post here, then press the browse button and navigate to and select the files on your computer. If there is more than 1 file, press the more attachments button for each extra file and browse and select etc., and then when all the files are listed in the window press send to upload the files (do not post HJT logs there as they will not get dealt with).

Files to submit:
The zip file inside C:\QooBox\quarantine created by ComboFix, named something like [38][email protected]

or to
http://www.bleepingcomputer.com/submit-malware.php?channel=38
 

Attachments

kipcab

Thread Starter
Joined
Oct 31, 2011
Messages
11
There wasn't any zip file(s) created - below is the log report, as requested


ComboFix 11-11-02.01 - ipulfer 02/11/2011 15:10:38.2.4 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2121 [GMT 0:00]
Running from: c:\documents and settings\IPulfer\Desktop\username123.exe
Command switches used :: c:\documents and settings\IPulfer\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((( Files Created from 2011-10-02 to 2011-11-02 )))))))))))))))))))))))))))))))
.
.
2011-10-31 16:43 . 2011-10-31 16:43 388096 ----a-r- c:\documents and settings\IPulfer\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-10-31 16:43 . 2011-10-31 16:43 -------- d-----w- c:\program files\Trend Micro
2011-10-31 15:09 . 2011-10-31 15:09 -------- d-----w- c:\program files\Common Files\Java
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-17 08:47 . 2011-05-20 10:22 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-11 11:22 . 2008-09-04 12:41 52096 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2011-10-11 11:22 . 2008-09-04 12:41 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-10-11 11:22 . 2008-09-04 12:41 30592 ----a-w- c:\windows\system32\LMIport.dll
2011-10-11 11:22 . 2008-09-04 12:41 87424 ----a-w- c:\windows\system32\LMIinit.dll
2011-10-03 05:06 . 2010-07-12 10:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 02:37 . 2009-04-20 10:56 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-08-15 09:00 . 2010-07-12 10:38 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-08-15 09:00 . 2010-07-12 10:38 89624 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-08-15 09:00 . 2010-07-12 10:38 87808 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-08-15 09:00 . 2010-07-12 10:38 83688 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-08-15 09:00 . 2010-07-12 10:38 59288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-08-15 09:00 . 2010-07-12 10:38 57432 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-08-15 09:00 . 2010-07-12 10:38 338040 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-08-15 09:00 . 2010-07-12 10:38 180072 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-08-15 09:00 . 2010-05-31 19:32 461864 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-08-15 09:00 . 2010-05-31 19:32 119808 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-01-12 14:01 . 2008-09-03 15:52 28488 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2010-01-12 14:01 . 2008-09-03 15:52 185240 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2010-01-12 14:01 . 2008-09-26 09:13 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2008-09-26 09:13 . 2008-09-26 09:13 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2011-10-04 08:39 . 2011-10-04 08:39 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-14 13:01 . 2010-07-12 10:38 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\IPulfer\Local Settings\Application Data\syafqedw ----
.
.
.
((((((((((((((((((((((((((((( [email protected]_13.50.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-11-02 15:36 . 2011-11-02 15:36 16384 c:\windows\TEMP\Perflib_Perfdata_380.dat
+ 2011-11-02 13:55 . 2011-11-02 14:10 1972 c:\windows\SoftwareDistribution\EventCache\{6B08D11F-2AAB-4FB4-B820-2B0CE2A4640D}.bin
+ 2011-11-02 15:38 . 2011-11-02 15:38 1936 c:\windows\SoftwareDistribution\EventCache\{46BB0F6B-67A9-4005-BB37-2DB508C4D4E6}.bin
+ 2011-01-26 12:21 . 2011-11-02 15:40 233777 c:\windows\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\IPulfer\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\IPulfer\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\IPulfer\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\IPulfer\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Starfield Updater"="c:\program files\Workspace\WorkspaceUpdate.exe" [2011-09-01 34496]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Popup"="c:\program files\Dell SAS RAID Storage Manager\MegaPopup\Popup.exe" [2007-07-20 77922]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-13 8523776]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-16 1318552]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-04 1044480]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-02-28 63048]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
hueyTray.lnk - c:\program files\Pantone\huey\hueyTray.exe [2008-6-2 901120]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2011-10-11 11:22 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2009-07-27 08:27 2356088 ----a-w- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 15:33 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 17:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 09:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ToolBoxFX]
2006-06-15 07:43 49152 ----a-w- c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"stllssvr"=3 (0x3)
"gusvc"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"Adobe Version Cue CS3"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell SAS RAID Storage Manager\\MegaPopup\\popup.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Documents and Settings\\IPulfer\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [12/07/2010 10:38 89624]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2009 11:43 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [17/02/2009 11:43 55024]
R2 a2AntiMalware;Emsisoft Anti-Malware 5.1 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [29/07/2011 10:08 3029208]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [20/06/2007 14:30 79168]
R2 File Backup;File Backup Service;c:\program files\Workspace\offSyncService.exe [16/07/2010 12:47 1185008]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [01/10/2010 08:48 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [28/02/2008 14:31 12856]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/07/2010 10:38 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/07/2010 10:38 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/07/2010 10:38 214904]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [12/07/2010 10:39 160344]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\Mcafee\SystemCore\mfevtps.exe [12/07/2010 10:38 148520]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [12/07/2010 10:38 57432]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [12/07/2010 10:38 338040]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [12/07/2010 10:38 83688]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [29/07/2011 08:54 136176]
S3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [29/07/2011 10:08 73728]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [29/07/2011 08:54 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [25/02/2009 16:33 41272]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [12/07/2010 10:38 83688]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [12/07/2010 10:38 87808]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17/02/2009 11:43 7408]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
.
2011-11-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-29 08:54]
.
2011-11-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-29 08:54]
.
2011-11-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3720433489-1036791557-356997350-1156Core.job
- c:\documents and settings\IPulfer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-20 15:50]
.
2011-11-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3720433489-1036791557-356997350-1156UA.job
- c:\documents and settings\IPulfer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-20 15:50]
.
2011-11-01 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2011-03-29 23:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\IPulfer\Application Data\Mozilla\Firefox\Profiles\4ydi3o4u.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.getreading.co.uk/
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-02 15:50
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1068)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(3800)
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\documents and settings\IPulfer\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PSIService.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\UAService7.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\Dell SAS RAID Storage Manager\Framework\VivaldiFramework.exe
c:\program files\Dell SAS RAID Storage Manager\MegaMonitor\mrmonitor.exe
c:\program files\Dell SAS RAID Storage Manager\JRE\bin\javaw.exe
c:\windows\system32\rundll32.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee\VIRUSS~1\mcvsshld.exe
.
**************************************************************************
.
Completion time: 2011-11-02 15:55:04 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-02 15:55
ComboFix2.txt 2011-11-02 14:00
ComboFix3.txt 2009-03-06 09:50
.
Pre-Run: 185,967,869,952 bytes free
Post-Run: 185,950,892,032 bytes free
.
- - End Of File - - C6F0E47D4B47F6995FEDA33EAD157E30