
No Firewall No ICS Service

Discussion in 'Virus & Other Malware Removal' started by Granville, May 31, 2010.

  1. Granville (Thread Starter)
    Hi
    Can someone help me please?
    I first discovered I had a problem when I booted up and received a message: No Firewall turned on.
    When I tried to turn on the Firewall I got the message: Windows Firewall settings cannot be displayed because the associated service is not running. Do you want to start the Windows Firewall/Internet Connection Sharing (ICS) Service?
    Nothing I do turns on the service.
    In addition Google searches are sometimes being diverted; mostly to K-Directory.Co.UK
    Spybot, Malwarebytes & SuperAntispyware couldn't trace a problem.
    Windows Onecare live online scan turned up a "Severe issue" which it couldn't fix.
    I'm running Windows XP Home Edition
    One more thing; maybe it's nothing, but I had 5 goes at posting this message from my machine and lost the connection each time, so I'm now posting from a friend's PC.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:47:04, on 31/05/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Realtek\11n USB Wireless LAN Utility\RtWLan.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
    O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
    O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - (no file)
    O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: REALTEK 11n USB Wireless LAN Utility.lnk = C:\Program Files\Realtek\11n USB Wireless LAN Utility\RtWLan.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://asia.msi.com.tw
    O15 - Trusted Zone: http://global.msi.com.tw
    O15 - Trusted Zone: http://www.msi.com.tw
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1257338855718
    O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    O23 - Service: StumbleUponUpdateService - stumbleupon.com - C:\Program Files\StumbleUpon\StumbleUponUpdateService.exe
    --
    End of file - 8094 bytes
     
  2. Granville (Thread Starter)
    I've had some 60 views but no advice so I'm beginning to think either I haven't provided enough information or else it may be a tricky problem. I've tried running checks with McAfee & Trend Micro Housecall but found nothing. I've tried checks in safe mode but no success. Nothing so far seems to detect the problem except for Windows Onecare which cannot fix it. I've tried system restore but no success there either.
    I think it may be a kernel rootkit. I would greatly appreciate help in removing the problem but if that's not possible could I have some advice please?
    I'm thinking of reformatting the hard drive and starting over but friends (who probably know as little about computers as me) say that the problem may be so deeply embedded that I may not be able to remove it that way. They also say that if I try to copy documents, photos etc from the hard drive on to an external drive prior to reformatting, I risk infesting the 2nd drive as well. So, can anyone please tell me if any of that is true and what is my best course of action?
    Thanks in advance.
     
  3. dvk01 (Moderator, Malware Specialist; first name Derek)
    Delete any existing version of ComboFix you have sitting on your desktop
    Please read and follow all these instructions very carefully

    Download ComboFix from Here to your Desktop.

    **Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer**
    --------------------------------------------------------------------
    1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    • Very Important! Temporarily disable your anti-virus and anti-malware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results" or stop combofix running at all
    • Click on THIS LINK to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
    • Remember to re-enable the protection again after ComboFix has finished
    --------------------------------------------------------------------
    2. Close any open browsers and any other programs you might have running
    Double click on combofix.exe & follow the prompts.
    If you are using Windows XP, it might display a pop-up saying that "Recovery console is not installed, do you want to install?"
    Please select yes & let it download the files it needs to do this.
    When finished, it will produce a report for you.
    Please post the "C:\ComboFix.txt" for further review


    ****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns

    Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.
     
  4. Granville (Thread Starter)
    Hi dvk01
    Thank you very much for looking at this for me.
    Although I had all protection off each time I tried to run ComboFix, my computer rebooted before the programme had completed Stage 1.
    I then ran it in Safe mode and obtained the following report

    ComboFix 10-06-03.01 - Trevor 03/06/2010 23:30:01.2.1 - x86 MINIMAL
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.824 [GMT 1:00]
    Running from: c:\documents and settings\Trevor\Desktop\ComboFix.exe
    AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    .
    ((((((((((((((((((((((((( Files Created from 2010-05-03 to 2010-06-03 )))))))))))))))))))))))))))))))
    .
    2010-05-31 21:46 . 2010-05-31 21:46 -------- d-----w- c:\program files\Trend Micro
    2010-05-27 23:02 . 2010-05-27 23:02 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-05-27 06:30 . 2010-05-27 06:30 -------- d-----w- c:\windows\system32\LogFiles
    2010-05-17 21:17 . 2010-05-17 21:17 -------- d-----w- c:\documents and settings\Trevor\Local Settings\Application Data\Grubby Games
    2010-05-17 21:09 . 2010-05-17 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Playrix Entertainment
    2010-05-17 20:38 . 2010-05-20 19:16 -------- d-----w- c:\program files\My Tribe
    2010-05-17 20:31 . 2010-05-20 19:16 -------- d-----w- c:\program files\Royal Envoy
    2010-05-17 20:30 . 2010-05-20 19:16 -------- d-----w- c:\program files\Ricochet Infinity
    2010-05-16 20:43 . 2010-05-20 19:16 -------- d-----w- c:\program files\Broken Sword Trilogy
    2010-05-15 20:24 . 2010-05-20 19:16 -------- d-----w- c:\program files\Mystery Case Files - Return to Ravenhearst
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-06-03 20:45 . 2009-11-21 17:35 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-06-02 21:49 . 2009-11-11 00:31 -------- d-----w- c:\program files\Windows Live Safety Center
    2010-05-28 00:49 . 2009-12-11 17:20 -------- d-----w- c:\program files\PopCap Games
    2010-05-28 00:49 . 2009-12-20 17:39 -------- d-----w- c:\program files\Google
    2010-05-28 00:35 . 2009-12-16 23:01 -------- d-----w- c:\program files\Luxor
    2010-05-28 00:34 . 2009-12-18 22:24 -------- d-----w- c:\program files\Chocolatier 2
    2010-05-28 00:33 . 2009-12-20 00:47 -------- d-----w- c:\program files\Star Defender 4
    2010-05-28 00:33 . 2009-12-20 00:53 -------- d-----w- c:\program files\Monarch The Butterfly King
    2010-05-28 00:32 . 2009-12-20 00:53 -------- d-----w- c:\program files\Boggle
    2010-05-28 00:31 . 2009-12-21 21:49 -------- d-----w- c:\program files\Cubozoid
    2010-05-27 23:01 . 2009-11-26 22:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-05-23 19:39 . 2009-11-08 21:43 -------- d-----w- c:\documents and settings\Trevor\Application Data\vlc
    2010-05-20 19:27 . 2009-11-27 20:54 117760 ----a-w- c:\documents and settings\Trevor\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-05-20 19:26 . 2009-11-21 17:32 -------- d-----w- c:\program files\SpywareGuard
    2010-05-20 19:25 . 2009-11-21 17:35 -------- d-----w- c:\program files\SpywareBlaster
    2010-05-18 21:01 . 2009-12-18 22:02 -------- d-----w- c:\program files\Ricochet Lost Worlds
    2010-05-15 21:13 . 2010-03-22 23:45 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
    2010-05-12 17:34 . 2009-11-04 13:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-05-12 10:21 . 2009-11-04 14:25 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-05-11 20:32 . 2009-12-21 21:57 -------- d-----w- c:\program files\Ouba The Great Journey
    2010-05-04 21:00 . 2010-05-04 21:00 -------- d-----w- c:\program files\Common Files\Adobe
    2010-04-29 14:39 . 2009-11-26 22:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-29 14:39 . 2009-11-26 22:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-13 20:08 . 2010-04-13 20:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Sports Interactive
    2010-04-13 20:06 . 2010-04-13 20:06 -------- d-----w- c:\documents and settings\Trevor\Application Data\Sports Interactive
    2010-04-13 20:05 . 2010-04-13 20:00 -------- d--h--w- c:\program files\Zero G Registry
    2010-04-13 20:00 . 2010-04-13 20:00 -------- d-----w- c:\program files\Sports Interactive
    2010-04-11 10:19 . 2010-04-11 10:19 -------- d-----w- c:\program files\Bethesda Softworks
    2010-04-11 10:19 . 2009-11-04 11:16 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-03-22 23:45 . 2010-03-22 23:45 3085800 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\Unpack\bfgsetup_s1_l1.exe
    2010-03-20 16:34 . 2009-12-13 00:29 393 ----a-w- c:\windows\popcinfot.dat
    2010-03-18 23:49 . 2010-03-18 23:27 21840 ----atw- c:\windows\system32\SIntfNT.dll
    2010-03-18 23:49 . 2010-03-18 23:27 17212 ----atw- c:\windows\system32\SIntf32.dll
    2010-03-18 23:49 . 2010-03-18 23:27 12067 ----atw- c:\windows\system32\SIntf16.dll
    2010-03-13 11:30 . 2009-11-09 23:16 73344 ----a-w- c:\documents and settings\Trevor\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-10 06:15 . 2004-08-04 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
    2010-03-09 16:34 . 2010-03-09 16:34 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    .
    ------- Sigcheck -------
    [7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
    [7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
    [-] 2008-06-20 11:51 . 20CD1334889CF2B43F826778CA5CA0ED . 361600 . . [------] . . c:\windows\system32\drivers\tcpip.sys
    [7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
    [7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
    [7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2006-11-17 577536]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-03 344064]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-10-16 111952]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
    "HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
    "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 233472]
    "LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2006-01-13 188416]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
    c:\documents and settings\Trevor\Start Menu\Programs\Startup\
    SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    REALTEK 11n USB Wireless LAN Utility.lnk - c:\program files\Realtek\11n USB Wireless LAN Utility\RtWLan.exe [2009-12-19 962560]
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
    "c:\\Program Files\\Realtek\\11n USB Wireless LAN Utility\\RtWLan.exe"=
    "c:\\Program Files\\Sports Interactive\\Football Manager 2010\\fm.exe"=
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "1542:TCP"= 1542:TCP:Realtek WPS TCP Prot
    "1542:UDP"= 1542:UDP:Realtek WPS UDP Prot
    "53:UDP"= 53:UDP:Realtek AP UDP Prot
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23/11/2009 09:43 9968]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [23/11/2009 09:43 74480]
    S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [19/12/2009 13:06 588032]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [23/11/2009 09:43 7408]
    S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\StumbleUpon\StumbleUponUpdateService.exe [08/12/2009 23:41 120232]
    .
    Contents of the 'Scheduled Tasks' folder
    2010-06-03 c:\windows\Tasks\User_Feed_Synchronization-{14EDD167-C4A4-4B4F-BF43-07BE3263A901}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    Trusted Zone: com.tw\asia.msi
    Trusted Zone: com.tw\global.msi
    Trusted Zone: com.tw\www.msi
    DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
    FF - ProfilePath - c:\documents and settings\Trevor\Application Data\Mozilla\Firefox\Profiles\0pet7m0p.default\
    FF - plugin: c:\documents and settings\Trevor\Application Data\Mozilla\Firefox\Profiles\0pet7m0p.default\extensions\[email protected]\plugins\npImgCtl.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    .
    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-06-03 23:35
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    - - - - - - - > 'winlogon.exe'(200)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\l3codeca.acm
    - - - - - - - > 'explorer.exe'(1296)
    c:\windows\system32\WININET.dll
    .
    Completion time: 2010-06-03 23:36:45
    ComboFix-quarantined-files.txt 2010-06-03 22:36
    ComboFix2.txt 2010-06-03 22:01
    Pre-Run: 238,383,955,968 bytes free
    Post-Run: 238,348,386,304 bytes free
    - - End Of File - - 36F0D790C1E16E5C5C4691E23D584445
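The Sigcheck section of the ComboFix log above lists every copy of tcpip.sys that ComboFix found, each with a status marker, MD5, size, version string and path. The following script is an added example (not part of the thread or of ComboFix) showing how a practitioner would mechanically triage such a section: parse the rows, separate the live copy under system32\drivers from the reference copies kept by Windows File Protection and the hotfix installers (dllcache, ServicePackFiles, $hf_mig$, $NtUninstall...), and flag a live copy whose hash matches none of them. The heuristic weighting is my own: a hash mismatch alone is weak evidence, because legitimate builds of the same version can differ (the $hf_mig$ and dllcache rows above carry the same 5.1.2600.5625 version string with different MD5s), so the script also reports when the live file is the same size as a reference copy but hashes differently and when its version resource could not be read. The sample input is the six rows copied from the log; the directory list and the reasons are assumptions I have labelled in the comments.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Sigcheck rows copied verbatim from the ComboFix log in this thread (not constructed).
SIGCHECK_SAMPLE = r"""
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 11:51 . 20CD1334889CF2B43F826778CA5CA0ED . 361600 . . [------] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
"""

# One Sigcheck row:  [status] date [time] . MD5 . size . . [version] . . path
SIGCHECK_LINE = re.compile(
    r"^\[(?P<status>[^\]]*)\]\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})(?:\s+\d{2}:\d{2})?\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+"
    r"(?P<path>\S.*?)\s*$"
)

# Assumed list of directories holding reference copies (WFP cache, service pack
# source, hotfix migration and uninstall folders). Anything else is the live copy.
BACKUP_MARKERS = ("\\dllcache\\", "\\servicepackfiles\\", "\\$hf_mig$\\",
                  "\\$ntuninstall", "\\$ntservicepackuninstall$\\")


class SigEntry(NamedTuple):
    status: str
    md5: str
    size: int
    version: str          # "" when ComboFix printed [------]
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def is_backup(self) -> bool:
        lowered = self.path.lower()
        return any(marker in lowered for marker in BACKUP_MARKERS)


def parse_sigcheck(text: str) -> List[SigEntry]:
    """Parse Sigcheck rows out of a ComboFix log fragment; lines that are not rows are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_LINE.match(line.strip())
        if not m:
            continue
        version = m["version"].strip("-").strip()
        entries.append(SigEntry(m["status"], m["md5"].upper(), int(m["size"]), version, m["path"]))
    return entries


def find_suspect_drivers(entries: List[SigEntry]) -> Dict[str, List[str]]:
    """Return {live_path: [reasons]} for live copies that disagree with their reference copies.

    The reasons are this example's heuristics, not ComboFix's verdicts; a flagged file still
    has to be compared against a known-good copy before anything is done about it.
    """
    by_name: Dict[str, List[SigEntry]] = defaultdict(list)
    for entry in entries:
        by_name[entry.name].append(entry)

    suspects: Dict[str, List[str]] = {}
    for group in by_name.values():
        backups = [e for e in group if e.is_backup]
        for live in (e for e in group if not e.is_backup):
            reasons = []
            if not live.version:
                reasons.append("no version resource readable")
            if backups and all(live.status != b.status for b in backups):
                reasons.append("status marker [%s] differs from every reference copy" % live.status)
            if backups and live.md5 not in {b.md5 for b in backups}:
                reasons.append("MD5 matches none of %d reference copies" % len(backups))
            for b in backups:
                if b.size == live.size and b.md5 != live.md5:
                    reasons.append("same size as %s but different hash" % b.path)
            if reasons:
                suspects[live.path] = reasons
    return suspects


if __name__ == "__main__":
    for path, reasons in find_suspect_drivers(parse_sigcheck(SIGCHECK_SAMPLE)).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Run against the rows from the log, the only live copy, c:\windows\system32\drivers\tcpip.sys, is reported on all counts: blank version, a status marker unlike the reference copies, a hash shared with none of them, and the same byte size as the two 5.1.2600.5625 reference copies despite the different hash. That combination is what makes the row worth verifying against a clean copy of the same build; the script deliberately stops short of calling the file malicious.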
     
  5. dvk01 (Moderator, Malware Specialist)
    Please go to c:\qoobox & find ComboFix-quarantined-files.txt and ComboFix2.txt.

    They might be inside the quarantine folder there. Post them so I can see what ComboFix fixed on the first run.
    Is it still diverting on searches, or has that been fixed? And what about the firewall: does that turn on now?
     
  6. Granville (Thread Starter)
    Hi
    ComboFix2.txt
    ComboFix 10-06-03.01 - Trevor 03/06/2010 23:30:01.2.1 - x86 MINIMAL
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.824 [GMT 1:00]
    Running from: c:\documents and settings\Trevor\Desktop\ComboFix.exe
    AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    .
    ((((((((((((((((((((((((( Files Created from 2010-05-03 to 2010-06-03 )))))))))))))))))))))))))))))))
    .
    2010-05-31 21:46 . 2010-05-31 21:46 -------- d-----w- c:\program files\Trend Micro
    2010-05-27 23:02 . 2010-05-27 23:02 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-05-27 06:30 . 2010-05-27 06:30 -------- d-----w- c:\windows\system32\LogFiles
    2010-05-17 21:17 . 2010-05-17 21:17 -------- d-----w- c:\documents and settings\Trevor\Local Settings\Application Data\Grubby Games
    2010-05-17 21:09 . 2010-05-17 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Playrix Entertainment
    2010-05-17 20:38 . 2010-05-20 19:16 -------- d-----w- c:\program files\My Tribe
    2010-05-17 20:31 . 2010-05-20 19:16 -------- d-----w- c:\program files\Royal Envoy
    2010-05-17 20:30 . 2010-05-20 19:16 -------- d-----w- c:\program files\Ricochet Infinity
    2010-05-16 20:43 . 2010-05-20 19:16 -------- d-----w- c:\program files\Broken Sword Trilogy
    2010-05-15 20:24 . 2010-05-20 19:16 -------- d-----w- c:\program files\Mystery Case Files - Return to Ravenhearst
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-06-03 20:45 . 2009-11-21 17:35 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-06-02 21:49 . 2009-11-11 00:31 -------- d-----w- c:\program files\Windows Live Safety Center
    2010-05-28 00:49 . 2009-12-11 17:20 -------- d-----w- c:\program files\PopCap Games
    2010-05-28 00:49 . 2009-12-20 17:39 -------- d-----w- c:\program files\Google
    2010-05-28 00:35 . 2009-12-16 23:01 -------- d-----w- c:\program files\Luxor
    2010-05-28 00:34 . 2009-12-18 22:24 -------- d-----w- c:\program files\Chocolatier 2
    2010-05-28 00:33 . 2009-12-20 00:47 -------- d-----w- c:\program files\Star Defender 4
    2010-05-28 00:33 . 2009-12-20 00:53 -------- d-----w- c:\program files\Monarch The Butterfly King
    2010-05-28 00:32 . 2009-12-20 00:53 -------- d-----w- c:\program files\Boggle
    2010-05-28 00:31 . 2009-12-21 21:49 -------- d-----w- c:\program files\Cubozoid
    2010-05-27 23:01 . 2009-11-26 22:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-05-23 19:39 . 2009-11-08 21:43 -------- d-----w- c:\documents and settings\Trevor\Application Data\vlc
    2010-05-20 19:27 . 2009-11-27 20:54 117760 ----a-w- c:\documents and settings\Trevor\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-05-20 19:26 . 2009-11-21 17:32 -------- d-----w- c:\program files\SpywareGuard
    2010-05-20 19:25 . 2009-11-21 17:35 -------- d-----w- c:\program files\SpywareBlaster
    2010-05-18 21:01 . 2009-12-18 22:02 -------- d-----w- c:\program files\Ricochet Lost Worlds
    2010-05-15 21:13 . 2010-03-22 23:45 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
    2010-05-12 17:34 . 2009-11-04 13:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-05-12 10:21 . 2009-11-04 14:25 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-05-11 20:32 . 2009-12-21 21:57 -------- d-----w- c:\program files\Ouba The Great Journey
    2010-05-04 21:00 . 2010-05-04 21:00 -------- d-----w- c:\program files\Common Files\Adobe
    2010-04-29 14:39 . 2009-11-26 22:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-29 14:39 . 2009-11-26 22:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-13 20:08 . 2010-04-13 20:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Sports Interactive
    2010-04-13 20:06 . 2010-04-13 20:06 -------- d-----w- c:\documents and settings\Trevor\Application Data\Sports Interactive
    2010-04-13 20:05 . 2010-04-13 20:00 -------- d--h--w- c:\program files\Zero G Registry
    2010-04-13 20:00 . 2010-04-13 20:00 -------- d-----w- c:\program files\Sports Interactive
    2010-04-11 10:19 . 2010-04-11 10:19 -------- d-----w- c:\program files\Bethesda Softworks
    2010-04-11 10:19 . 2009-11-04 11:16 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-03-22 23:45 . 2010-03-22 23:45 3085800 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\Unpack\bfgsetup_s1_l1.exe
    2010-03-20 16:34 . 2009-12-13 00:29 393 ----a-w- c:\windows\popcinfot.dat
    2010-03-18 23:49 . 2010-03-18 23:27 21840 ----atw- c:\windows\system32\SIntfNT.dll
    2010-03-18 23:49 . 2010-03-18 23:27 17212 ----atw- c:\windows\system32\SIntf32.dll
    2010-03-18 23:49 . 2010-03-18 23:27 12067 ----atw- c:\windows\system32\SIntf16.dll
    2010-03-13 11:30 . 2009-11-09 23:16 73344 ----a-w- c:\documents and settings\Trevor\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-10 06:15 . 2004-08-04 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
    2010-03-09 16:34 . 2010-03-09 16:34 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    .
    ------- Sigcheck -------
    [7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
    [7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
    [-] 2008-06-20 11:51 . 20CD1334889CF2B43F826778CA5CA0ED . 361600 . . [------] . . c:\windows\system32\drivers\tcpip.sys
    [7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
    [7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
    [7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2006-11-17 577536]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-03 344064]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-10-16 111952]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
    "HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
    "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 233472]
    "LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2006-01-13 188416]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
    c:\documents and settings\Trevor\Start Menu\Programs\Startup\
    SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    REALTEK 11n USB Wireless LAN Utility.lnk - c:\program files\Realtek\11n USB Wireless LAN Utility\RtWLan.exe [2009-12-19 962560]
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
    "c:\\Program Files\\Realtek\\11n USB Wireless LAN Utility\\RtWLan.exe"=
    "c:\\Program Files\\Sports Interactive\\Football Manager 2010\\fm.exe"=
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "1542:TCP"= 1542:TCP:Realtek WPS TCP Prot
    "1542:UDP"= 1542:UDP:Realtek WPS UDP Prot
    "53:UDP"= 53:UDP:Realtek AP UDP Prot
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23/11/2009 09:43 9968]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [23/11/2009 09:43 74480]
    S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [19/12/2009 13:06 588032]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [23/11/2009 09:43 7408]
    S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\StumbleUpon\StumbleUponUpdateService.exe [08/12/2009 23:41 120232]
    .
    Contents of the 'Scheduled Tasks' folder
    2010-06-03 c:\windows\Tasks\User_Feed_Synchronization-{14EDD167-C4A4-4B4F-BF43-07BE3263A901}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    Trusted Zone: com.tw\asia.msi
    Trusted Zone: com.tw\global.msi
    Trusted Zone: com.tw\www.msi
    DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
    FF - ProfilePath - c:\documents and settings\Trevor\Application Data\Mozilla\Firefox\Profiles\0pet7m0p.default\
    FF - plugin: c:\documents and settings\Trevor\Application Data\Mozilla\Firefox\Profiles\0pet7m0p.default\extensions\[email protected]\plugins\npImgCtl.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    .
    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-06-03 23:35
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    - - - - - - - > 'winlogon.exe'(200)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\l3codeca.acm
    - - - - - - - > 'explorer.exe'(1296)
    c:\windows\system32\WININET.dll
    .
    Completion time: 2010-06-03 23:36:45
    ComboFix-quarantined-files.txt 2010-06-03 22:36
    ComboFix2.txt 2010-06-03 22:01
    Pre-Run: 238,383,955,968 bytes free
    Post-Run: 238,348,386,304 bytes free
    - - End Of File - - 36F0D790C1E16E5C5C4691E23D584445

    ComboFix-quarantined-files.txt
    2010-06-03 21:58:54 . 2010-06-03 22:34:25 10,009 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
    2010-06-03 20:46:40 . 2010-06-03 22:29:15 459 ----a-w- C:\Qoobox\Quarantine\catchme.log
    2009-11-04 16:08:55 . 2009-09-30 06:13:25 84 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Trevor\Favorites\Games.url.vir

    Re the Firewall: I managed to get to Firewall Settings as it booted up the first time, and the Firewall was set to on, but as startup continued it switched off and has remained off on subsequent reboots.
    Whilst typing this message, a fresh browser tab opened in IE8 and it went to Memoletter.com, so unfortunately it's still playing up.

    Noted about the Hedgehog Rescue Centre - will donate :)
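    The Sigcheck block in the ComboFix log above is the first concrete signal in this thread: the live c:\windows\system32\drivers\tcpip.sys is flagged [-] (it fails the signature check and shows no version), yet it is exactly the same size (361600 bytes) as the two signed copies in dllcache and $hf_mig$, with a different MD5. Same size plus different hash is the fingerprint of an in-place patch rather than a swapped file. The Python below is an added example, not part of this thread or of ComboFix; it parses those six log lines (copied here as the sample input) and reports any live file whose hash matches none of its same-sized backup copies. The regex for the Sigcheck line layout, the list of backup folders, and the reading of [-] as "failed signature check" are this example's own assumptions.

```python
"""Added triage helper for ComboFix 'Sigcheck' output (example code, not ComboFix's).

ComboFix lists every copy of a system file it can find (the live one plus the
backups Windows XP keeps in dllcache, ServicePackFiles, $hf_mig$ and the
$NtUninstall* folders) with its MD5 and size.  A live file with the same size
as the protected copies but a different hash, which also no longer passes the
signature check ([-]), is the pattern an in-place driver infection leaves.
"""
import re
from collections import defaultdict

# One Sigcheck line: [flag] date [hh:mm] . MD5 . size . . [version] . . path
# (assumed layout, derived from the lines in the log above)
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+(?P<date>\S+)(?:\s+\d\d:\d\d)?\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)

# Folders where Windows XP keeps pristine copies (matched case-insensitively).
BACKUP_MARKERS = (
    "\\dllcache\\",
    "\\servicepackfiles\\",
    "\\$hf_mig$\\",
    "\\$ntuninstall",               # $NtUninstallKB951748$ and friends
    "\\$ntservicepackuninstall$\\",
)

# Constructed sample input: the six tcpip.sys lines from the ComboFix log above.
SAMPLE_SIGCHECK = r"""
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 11:51 . 20CD1334889CF2B43F826778CA5CA0ED . 361600 . . [------] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
""".strip().splitlines()


def parse_sigcheck(lines):
    """Parse Sigcheck lines into dicts; lines that do not match the layout are skipped."""
    rows = []
    for line in lines:
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["size"] = int(row["size"])
        row["md5"] = row["md5"].upper()
        row["name"] = row["path"].rsplit("\\", 1)[-1].lower()
        row["signed"] = row["flag"] != "-"        # assumption: [-] = failed signature check
        row["backup"] = any(mk in row["path"].lower() for mk in BACKUP_MARKERS)
        rows.append(row)
    return rows


def find_patched_files(rows):
    """Live copies whose hash matches none of the same-sized backup copies of that file."""
    by_name = defaultdict(list)
    for row in rows:
        by_name[row["name"]].append(row)

    findings = []
    for group in by_name.values():
        backups = [r for r in group if r["backup"]]
        for live in (r for r in group if not r["backup"]):
            same_size = {b["md5"] for b in backups if b["size"] == live["size"]}
            if same_size and live["md5"] not in same_size:
                findings.append({
                    "path": live["path"],
                    "md5": live["md5"],
                    "size": live["size"],
                    "signed": live["signed"],
                    "reference_md5s": sorted(same_size),
                })
    return findings


if __name__ == "__main__":
    for f in find_patched_files(parse_sigcheck(SAMPLE_SIGCHECK)):
        status = "signed" if f["signed"] else "unsigned"
        print(f"{f['path']}: {status}, {f['size']} bytes, md5 {f['md5']} "
              f"differs from same-size reference copies {f['reference_md5s']}")
```

    On the sample it reports exactly one file, the live drivers\tcpip.sys: unsigned, 361600 bytes, hash 20CD... against the two reference hashes of the same size. Note that the two signed copies also differ from each other (a GDR build in dllcache and a QFE build under $hf_mig$), which is why the check compares against the set of known hashes rather than a single one. Where possible, take the hashes from a copy of the disk read offline: a kernel rootkit that sits on the disk stack can filter what a live scanner reads.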
     
  7. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    no

    You posted the original combofix.txt again, NOT combofix2.txt.
     
  8. Granville

    Granville Thread Starter

    Joined:
    May 28, 2010
    Messages:
    9
    Hi
    The file I sent was definitely marked Combofix2.txt, but I agree it's the same. I can't explain it.
    I also have a Combofix3.txt, which I have attached below; I hope that it's what's needed.
    Other folders on the drive are:
    BackEnv, LastRun, Test, TestC, Quarantine (which has subfolders C & Registry_backups) and also catchme.log.
    Also in Qoobox: Add-Remove Programs.txt, Combofix2.txt (already sent), Combofix3.txt (please see below), ComboFix-quarantined-files.txt (already sent) & a Snapshot .dat file.
    I hope that helps. I can't see any other Combofix files.

    ComboFix 10-06-03.01 - Trevor 03/06/2010 22:54:19.1.1 - x86 MINIMAL
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.822 [GMT 1:00]
    Running from: c:\documents and settings\Trevor\Desktop\ComboFix.exe
    AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\documents and settings\Trevor\Favorites\Games.url
    .
    ((((((((((((((((((((((((( Files Created from 2010-05-03 to 2010-06-03 )))))))))))))))))))))))))))))))
    .
    2010-05-31 21:46 . 2010-05-31 21:46 -------- d-----w- c:\program files\Trend Micro
    2010-05-27 23:02 . 2010-05-27 23:02 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-05-27 06:30 . 2010-05-27 06:30 -------- d-----w- c:\windows\system32\LogFiles
    2010-05-17 21:17 . 2010-05-17 21:17 -------- d-----w- c:\documents and settings\Trevor\Local Settings\Application Data\Grubby Games
    2010-05-17 21:09 . 2010-05-17 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Playrix Entertainment
    2010-05-17 20:38 . 2010-05-20 19:16 -------- d-----w- c:\program files\My Tribe
    2010-05-17 20:31 . 2010-05-20 19:16 -------- d-----w- c:\program files\Royal Envoy
    2010-05-17 20:30 . 2010-05-20 19:16 -------- d-----w- c:\program files\Ricochet Infinity
    2010-05-16 20:43 . 2010-05-20 19:16 -------- d-----w- c:\program files\Broken Sword Trilogy
    2010-05-15 20:24 . 2010-05-20 19:16 -------- d-----w- c:\program files\Mystery Case Files - Return to Ravenhearst
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-06-03 20:45 . 2009-11-21 17:35 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-06-02 21:49 . 2009-11-11 00:31 -------- d-----w- c:\program files\Windows Live Safety Center
    2010-05-28 00:49 . 2009-12-11 17:20 -------- d-----w- c:\program files\PopCap Games
    2010-05-28 00:49 . 2009-12-20 17:39 -------- d-----w- c:\program files\Google
    2010-05-28 00:35 . 2009-12-16 23:01 -------- d-----w- c:\program files\Luxor
    2010-05-28 00:34 . 2009-12-18 22:24 -------- d-----w- c:\program files\Chocolatier 2
    2010-05-28 00:33 . 2009-12-20 00:47 -------- d-----w- c:\program files\Star Defender 4
    2010-05-28 00:33 . 2009-12-20 00:53 -------- d-----w- c:\program files\Monarch The Butterfly King
    2010-05-28 00:32 . 2009-12-20 00:53 -------- d-----w- c:\program files\Boggle
    2010-05-28 00:31 . 2009-12-21 21:49 -------- d-----w- c:\program files\Cubozoid
    2010-05-27 23:01 . 2009-11-26 22:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-05-23 19:39 . 2009-11-08 21:43 -------- d-----w- c:\documents and settings\Trevor\Application Data\vlc
    2010-05-20 19:27 . 2009-11-27 20:54 117760 ----a-w- c:\documents and settings\Trevor\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-05-20 19:26 . 2009-11-21 17:32 -------- d-----w- c:\program files\SpywareGuard
    2010-05-20 19:25 . 2009-11-21 17:35 -------- d-----w- c:\program files\SpywareBlaster
    2010-05-18 21:01 . 2009-12-18 22:02 -------- d-----w- c:\program files\Ricochet Lost Worlds
    2010-05-15 21:13 . 2010-03-22 23:45 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
    2010-05-12 17:34 . 2009-11-04 13:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-05-12 10:21 . 2009-11-04 14:25 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-05-11 20:32 . 2009-12-21 21:57 -------- d-----w- c:\program files\Ouba The Great Journey
    2010-05-04 21:00 . 2010-05-04 21:00 -------- d-----w- c:\program files\Common Files\Adobe
    2010-04-29 14:39 . 2009-11-26 22:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-29 14:39 . 2009-11-26 22:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-13 20:08 . 2010-04-13 20:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Sports Interactive
    2010-04-13 20:06 . 2010-04-13 20:06 -------- d-----w- c:\documents and settings\Trevor\Application Data\Sports Interactive
    2010-04-13 20:05 . 2010-04-13 20:00 -------- d--h--w- c:\program files\Zero G Registry
    2010-04-13 20:00 . 2010-04-13 20:00 -------- d-----w- c:\program files\Sports Interactive
    2010-04-11 10:19 . 2010-04-11 10:19 -------- d-----w- c:\program files\Bethesda Softworks
    2010-04-11 10:19 . 2009-11-04 11:16 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-03-22 23:45 . 2010-03-22 23:45 3085800 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\Unpack\bfgsetup_s1_l1.exe
    2010-03-20 16:34 . 2009-12-13 00:29 393 ----a-w- c:\windows\popcinfot.dat
    2010-03-18 23:49 . 2010-03-18 23:27 21840 ----atw- c:\windows\system32\SIntfNT.dll
    2010-03-18 23:49 . 2010-03-18 23:27 17212 ----atw- c:\windows\system32\SIntf32.dll
    2010-03-18 23:49 . 2010-03-18 23:27 12067 ----atw- c:\windows\system32\SIntf16.dll
    2010-03-13 11:30 . 2009-11-09 23:16 73344 ----a-w- c:\documents and settings\Trevor\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-10 06:15 . 2004-08-04 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
    2010-03-09 16:34 . 2010-03-09 16:34 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    .
    ------- Sigcheck -------
    [7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
    [7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
    [-] 2008-06-20 11:51 . 20CD1334889CF2B43F826778CA5CA0ED . 361600 . . [------] . . c:\windows\system32\drivers\tcpip.sys
    [7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
    [7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
    [7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2006-11-17 577536]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-03 344064]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-10-16 111952]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
    "HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
    "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 233472]
    "LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2006-01-13 188416]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
    c:\documents and settings\Trevor\Start Menu\Programs\Startup\
    SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    REALTEK 11n USB Wireless LAN Utility.lnk - c:\program files\Realtek\11n USB Wireless LAN Utility\RtWLan.exe [2009-12-19 962560]
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
    "c:\\Program Files\\Realtek\\11n USB Wireless LAN Utility\\RtWLan.exe"=
    "c:\\Program Files\\Sports Interactive\\Football Manager 2010\\fm.exe"=
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "1542:TCP"= 1542:TCP:Realtek WPS TCP Prot
    "1542:UDP"= 1542:UDP:Realtek WPS UDP Prot
    "53:UDP"= 53:UDP:Realtek AP UDP Prot
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23/11/2009 09:43 9968]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [23/11/2009 09:43 74480]
    S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [19/12/2009 13:06 588032]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [23/11/2009 09:43 7408]
    S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\StumbleUpon\StumbleUponUpdateService.exe [08/12/2009 23:41 120232]
    .
    Contents of the 'Scheduled Tasks' folder
    2010-06-03 c:\windows\Tasks\User_Feed_Synchronization-{14EDD167-C4A4-4B4F-BF43-07BE3263A901}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    Trusted Zone: com.tw\asia.msi
    Trusted Zone: com.tw\global.msi
    Trusted Zone: com.tw\www.msi
    DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
    FF - ProfilePath - c:\documents and settings\Trevor\Application Data\Mozilla\Firefox\Profiles\0pet7m0p.default\
    FF - plugin: c:\documents and settings\Trevor\Application Data\Mozilla\Firefox\Profiles\0pet7m0p.default\extensions\[email protected]\plugins\npImgCtl.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    .
    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-06-03 22:59
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    - - - - - - - > 'winlogon.exe'(200)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\l3codeca.acm
    .
    Completion time: 2010-06-03 23:01:08
    ComboFix-quarantined-files.txt 2010-06-03 22:01
    Pre-Run: 238,402,613,248 bytes free
    Post-Run: 238,379,589,632 bytes free
    - - End Of File - - B815D4D1B17940C31AA9B973F8B9173B
     
  9. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Nothing showing so far to explain it.

    Download the GMER rootkit detector from http://gmer.net

    Unzip it & double-click the gmer.exe file.

    It will do a quick scan automatically; when that finishes, select the Rootkit tab & press Scan. When it finishes, press Copy & post back the log it makes.
     
  10. Granville

    Granville Thread Starter

    Joined:
    May 28, 2010
    Messages:
    9
    Apologies for the delay; I've not had access to the computer for a week.
    Please find log below:
    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-06-12 22:19:41
    Windows 5.1.2600 Service Pack 3
    Running: btbmunnu.exe; Driver: C:\DOCUME~1\Trevor\LOCALS~1\Temp\axlyyfob.sys

    ---- System - GMER 1.0.15 ----
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xA4DC57FB]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA4DC580F]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA4DC583B]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA4DC57E7]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA4DC5825]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xA4DC5851]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA4DC5867]
    ---- Kernel code sections - GMER 1.0.15 ----
    PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8CAA 5 Bytes JMP A4DC586B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwSetValueKey 806188B6 7 Bytes JMP A4DC5855 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwRenameKey 80619D66 7 Bytes JMP A4DC5829 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwCreateKey 8061A344 5 Bytes JMP A4DC57FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwDeleteKey 8061A7E0 7 Bytes JMP A4DC5813 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwDeleteValueKey 8061A9B0 7 Bytes JMP A4DC583F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwOpenKey 8061B722 5 Bytes JMP A4DC57EB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    .rsrc C:\WINDOWS\system32\DRIVERS\tcpip.sys entry point in ".rsrc" section [0xAAF8CA94]
    ---- User code sections - GMER 1.0.15 ----
    .text C:\WINDOWS\System32\svchost.exe[1368] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
    .text C:\WINDOWS\System32\svchost.exe[1368] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
    .text C:\WINDOWS\System32\svchost.exe[1368] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C
    .text C:\WINDOWS\System32\svchost.exe[1368] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0088000A
    .text C:\WINDOWS\System32\svchost.exe[1368] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00D8000A
    .text C:\WINDOWS\Explorer.EXE[2308] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 001F000A
    .text C:\WINDOWS\Explorer.EXE[2308] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0020000A
    .text C:\WINDOWS\Explorer.EXE[2308] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 001E000C
    ---- User IAT/EAT - GMER 1.0.15 ----
    IAT C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[2700] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00392F20] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[2700] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00392C90] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[2700] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00392CF0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[2700] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00392CC0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
    ---- Devices - GMER 1.0.15 ----
    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    Device -> \Driver\nvata \Device\Harddisk0\DR0 8577BD01
    ---- Files - GMER 1.0.15 ----
    File C:\WINDOWS\system32\DRIVERS\tcpip.sys suspicious modification
    File C:\WINDOWS\system32\drivers\nvata.sys suspicious modification
    ---- EOF - GMER 1.0.15 ----
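    GMER's line `.rsrc C:\WINDOWS\system32\DRIVERS\tcpip.sys entry point in ".rsrc" section` is the decisive finding in this log (the McAfee hooks and the Logitech IAT entries are legitimate products doing what they advertise). A driver's AddressOfEntryPoint should point into a code section (.text or INIT on XP drivers), never into the resource section, which holds data and is not marked executable. An infection that overwrites part of .rsrc with its loader and redirects the entry point there leaves the file size unchanged, which is exactly why the earlier Sigcheck block saw the same 361600 bytes with a different hash. The Python below is an added example, not from the thread or from GMER; it parses the PE headers with only the standard library and reports which section holds the entry point. The two sample images are constructed in memory with an illustrative section layout and RVAs (not tcpip.sys's real ones): a clean driver with its entry in INIT, and the same layout with the entry moved into .rsrc.

```python
"""Added check for the GMER finding 'entry point in ".rsrc" section' (example code).

A driver's AddressOfEntryPoint belongs in a code section.  An in-place
infection that plants its loader in the resource section and redirects the
entry point there produces a PE whose entry RVA lies inside .rsrc, a section
without the executable flag.  Uses only the standard library; the sample
images below are constructed, not taken from the infected tcpip.sys.
"""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
COFF_HEADER_FMT = "<HHIIIHH"          # Machine .. Characteristics (20 bytes)
SECTION_HEADER_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER (40 bytes)


def parse_pe(data):
    """Return (entry_rva, [(name, vaddr, vsize, characteristics), ...]) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER_FMT, data, coff)
    opt = coff + 20
    # AddressOfEntryPoint sits at offset 16 in both PE32 and PE32+ optional headers
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    off = opt + opt_size
    for _ in range(nsections):
        name, vsize, vaddr, *_rest, chars = struct.unpack_from(SECTION_HEADER_FMT, data, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, chars))
        off += 40
    return entry_rva, sections


def entry_point_section(data):
    """Name and characteristics of the section containing the entry point, or (None, 0)."""
    entry_rva, sections = parse_pe(data)
    for name, vaddr, vsize, chars in sections:
        if vaddr <= entry_rva < vaddr + vsize:
            return name, chars
    return None, 0


def entry_point_verdict(data):
    """'ok' when the entry point is in an executable section, else a description of the anomaly."""
    name, chars = entry_point_section(data)
    if name is None:
        return "entry point outside every section"
    if name == ".rsrc" or not (chars & IMAGE_SCN_MEM_EXECUTE):
        return f'entry point in non-code section "{name}"'
    return "ok"


def build_pe(entry_rva, sections):
    """Constructed minimal PE32 image (headers only) for offline testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                    # AddressOfEntryPoint
    table = b"".join(
        struct.pack(SECTION_HEADER_FMT, name.encode().ljust(8, b"\0"),
                    vsize, vaddr, 0, 0, 0, 0, 0, 0, chars)
        for name, vaddr, vsize, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Typical XP driver layout; RVAs, sizes and flags are illustrative, not tcpip.sys's.
DRIVER_LAYOUT = [
    (".text", 0x01000, 0x40000, 0x68000020),   # code, executable
    ("INIT",  0x50000, 0x02000, 0xE2000020),   # DriverEntry normally lives here
    (".rsrc", 0x52000, 0x01000, 0x42000040),   # initialized data, not executable
]
CLEAN_DRIVER = build_pe(0x50123, DRIVER_LAYOUT)     # entry in INIT
PATCHED_DRIVER = build_pe(0x52A94, DRIVER_LAYOUT)   # entry redirected into .rsrc

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_DRIVER), ("patched", PATCHED_DRIVER)):
        print(label, "->", entry_point_verdict(image))
```

    For a real check, read the driver bytes from a copy taken offline (a boot CD or the disk mounted on another machine) and pass them to `entry_point_verdict()`; the same GMER log shows the disk device \Device\Harddisk0\DR0 hooked and nvata.sys modified, so what a live scan reads from disk is not trustworthy. An entry point in a non-executable section is not proof of infection for arbitrary binaries (packers do strange things), but for a Microsoft-signed OS driver whose signature has stopped verifying it is as close to certain as a static check gets, and it matches what TDSSKiller repairs in the next post.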
     
  11. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
  12. Granville

    Granville Thread Starter

    Joined:
    May 28, 2010
    Messages:
    9
    I've run TDSSKiller and rebooted as the programme instructed after the scan ran, and it has rebooted with Windows Firewall now on. :)
    23:00:53:062 1364 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
    23:00:53:062 1364 ================================================================================
    23:00:53:062 1364 SystemInfo:

    23:00:53:062 1364 OS Version: 5.1.2600 ServicePack: 3.0
    23:00:53:062 1364 Product type: Workstation
    23:00:53:062 1364 ComputerName: TREVOR-DESKTOP
    23:00:53:062 1364 UserName: Trevor
    23:00:53:062 1364 Windows directory: C:\WINDOWS
    23:00:53:062 1364 Processor architecture: Intel x86
    23:00:53:062 1364 Number of processors: 1
    23:00:53:062 1364 Page size: 0x1000
    23:00:53:062 1364 Boot type: Normal boot
    23:00:53:062 1364 ================================================================================
    23:00:53:421 1364 Initialize success
    23:00:53:421 1364
    23:00:53:421 1364 Scanning Services ...
    23:00:53:484 1364 Raw services enum returned 352 services
    23:00:53:500 1364
    23:00:53:500 1364 Scanning Drivers ...
    23:00:53:953 1364 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    23:00:54:000 1364 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    23:00:54:015 1364 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    23:00:54:031 1364 AegisP (023867b6606fbabcdd52e089c4a507da) C:\WINDOWS\system32\DRIVERS\AegisP.sys
    23:00:54:062 1364 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
    23:00:54:171 1364 ALCXWDM (0a24f3d25cde25a2eb6f2f9770fc471b) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
    23:00:54:281 1364 AmdK8 (efbb0956baed786e137351b5ca272aef) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
    23:00:54:296 1364 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
    23:00:54:328 1364 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    23:00:54:343 1364 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    23:00:54:390 1364 ati2mtag (f43601d255762f20d0e23a6d97062b0d) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
    23:00:54:453 1364 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    23:00:54:484 1364 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    23:00:54:484 1364 basic2 (7ff067e8cdf01f2435686fc0e4b4290d) C:\WINDOWS\system32\DRIVERS\basic2.sys
    23:00:54:515 1364 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    23:00:54:578 1364 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    23:00:54:609 1364 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
    23:00:54:609 1364 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    23:00:54:640 1364 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    23:00:54:640 1364 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    23:00:54:687 1364 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    23:00:54:734 1364 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    23:00:54:765 1364 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    23:00:54:781 1364 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    23:00:54:812 1364 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    23:00:54:828 1364 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    23:00:54:859 1364 Fallback (5ad63ed331635a3e3b0f1aeef728708d) C:\WINDOWS\system32\DRIVERS\fallback.sys
    23:00:54:906 1364 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    23:00:54:937 1364 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
    23:00:54:953 1364 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    23:00:54:968 1364 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
    23:00:54:984 1364 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    23:00:55:000 1364 Fsks (9d5a24ae60b360d6e38f0afad61bc7ce) C:\WINDOWS\system32\DRIVERS\fsksnt.sys
    23:00:55:000 1364 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    23:00:55:015 1364 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    23:00:55:031 1364 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    23:00:55:078 1364 HSFHWBS2 (970178e8e003eb1481293830069624b9) C:\WINDOWS\system32\DRIVERS\HSFBS2S2.sys
    23:00:55:125 1364 HSF_DP (ebb354438a4c5a3327fb97306260714a) C:\WINDOWS\system32\DRIVERS\HSFDPSP2.sys
    23:00:55:187 1364 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    23:00:55:203 1364 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    23:00:55:234 1364 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    23:00:55:250 1364 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    23:00:55:281 1364 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    23:00:55:296 1364 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    23:00:55:312 1364 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    23:00:55:343 1364 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    23:00:55:359 1364 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    23:00:55:375 1364 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    23:00:55:421 1364 K56 (96efeedaa0509fb7e0e29b8714c4df47) C:\WINDOWS\system32\DRIVERS\k56nt.sys
    23:00:55:437 1364 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    23:00:55:453 1364 klmd23 (67e1faa88fb397b3d56909d7e04f4dd3) C:\WINDOWS\system32\drivers\klmd.sys
    23:00:55:484 1364 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    23:00:55:500 1364 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    23:00:55:531 1364 LVPr2Mon (1a7db7a00a4b0d8da24cd691a4547291) C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys
    23:00:55:531 1364 mdmxsdk (98d8a239489211b2f230267485c5c127) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
    23:00:55:546 1364 mfeapfk (fb8536dce0009ecd4f72a173276cded3) C:\WINDOWS\system32\drivers\mfeapfk.sys
    23:00:55:562 1364 mfeavfk (876fce4b0ee84c7530ab22e8a60322ea) C:\WINDOWS\system32\drivers\mfeavfk.sys
    23:00:55:578 1364 mfebopk (87e2482fd7ad621c8b2009e3c4046b72) C:\WINDOWS\system32\drivers\mfebopk.sys
    23:00:55:578 1364 mfehidk (9ed75df41a13784455effaf5ee1130c4) C:\WINDOWS\system32\drivers\mfehidk.sys
    23:00:55:625 1364 mferkdk (18c277c693c7c0a8916585e5324d4887) C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys
    23:00:55:640 1364 mfetdik (03cc70c8f848e70a1725925d8fce0f7b) C:\WINDOWS\system32\drivers\mfetdik.sys
    23:00:55:656 1364 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    23:00:55:687 1364 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    23:00:55:703 1364 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
    23:00:55:718 1364 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    23:00:55:718 1364 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    23:00:55:734 1364 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    23:00:55:781 1364 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    23:00:55:796 1364 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    23:00:55:828 1364 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    23:00:55:843 1364 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    23:00:55:843 1364 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    23:00:55:859 1364 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    23:00:55:890 1364 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
    23:00:55:906 1364 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    23:00:55:921 1364 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
    23:00:55:937 1364 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    23:00:55:968 1364 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
    23:00:55:984 1364 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    23:00:56:000 1364 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    23:00:56:015 1364 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    23:00:56:015 1364 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
    23:00:56:031 1364 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    23:00:56:046 1364 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    23:00:56:062 1364 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
    23:00:56:062 1364 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    23:00:56:093 1364 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    23:00:56:140 1364 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    23:00:56:156 1364 nvata (0344aa9113dc16eec379f4652020849d) C:\WINDOWS\system32\DRIVERS\nvata.sys
    23:00:56:156 1364 NVENETFD (720cc533eecb65553bd86b139ca04433) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
    23:00:56:187 1364 nvnetbus (5f9f545cc5904dd8765f84ee1d056406) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
    23:00:56:218 1364 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    23:00:56:218 1364 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    23:00:56:234 1364 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
    23:00:56:250 1364 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    23:00:56:265 1364 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    23:00:56:281 1364 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    23:00:56:281 1364 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    23:00:56:296 1364 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    23:00:56:312 1364 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    23:00:56:437 1364 PID_PEPI (dd184d9adfe2a8a21741dbdfe9e22f5c) C:\WINDOWS\system32\DRIVERS\LV302V32.SYS
    23:00:56:546 1364 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    23:00:56:562 1364 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
    23:00:56:562 1364 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    23:00:56:578 1364 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    23:00:56:609 1364 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    23:00:56:609 1364 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    23:00:56:625 1364 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    23:00:56:625 1364 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    23:00:56:640 1364 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    23:00:56:640 1364 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    23:00:56:671 1364 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    23:00:56:703 1364 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    23:00:56:718 1364 Rksample (9db32d3ff4a6414d408a99a4be1c6b62) C:\WINDOWS\system32\DRIVERS\rksample.sys
    23:00:56:750 1364 RTL8192su (7bfdf13721f0366212ab8e94361a05bd) C:\WINDOWS\system32\DRIVERS\RTL8192su.sys
    23:00:56:921 1364 SASDIFSV (5bf35c4ea3f00fa8d3f1e5bf03d24584) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    23:00:56:953 1364 SASENUM (a22f08c98ac2f44587bf3a1fb52bf8cd) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
    23:00:56:953 1364 SASKUTIL (c7d81c10d3befeee41f3408714637438) C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
    23:00:56:968 1364 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    23:00:56:984 1364 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    23:00:57:000 1364 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    23:00:57:015 1364 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    23:00:57:031 1364 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
    23:00:57:062 1364 SoftFax (be4cd9ad0ac8933c831b2ca8d2f70323) C:\WINDOWS\system32\DRIVERS\faxnt.sys
    23:00:57:093 1364 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    23:00:57:109 1364 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    23:00:57:140 1364 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
    23:00:57:171 1364 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
    23:00:57:171 1364 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    23:00:57:187 1364 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    23:00:57:203 1364 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    23:00:57:250 1364 Tcpip (20cd1334889cf2b43f826778ca5ca0ed) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    23:00:57:250 1364 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\tcpip.sys. Real md5: 20cd1334889cf2b43f826778ca5ca0ed, Fake md5: 9aefa14bd6b182d61e3119fa5f436d3d
    23:00:57:250 1364 File "C:\WINDOWS\system32\DRIVERS\tcpip.sys" infected by TDSS rootkit ... 23:00:58:062 1364 Backup copy found, using it..
    23:00:58:250 1364 will be cured on next reboot
    23:00:58:296 1364 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    23:00:58:312 1364 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    23:00:58:328 1364 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    23:00:58:359 1364 Tones (0dc791a7d9c621c822fe727c7c757894) C:\WINDOWS\system32\DRIVERS\tonesnt.sys
    23:00:58:390 1364 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    23:00:58:421 1364 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    23:00:58:468 1364 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
    23:00:58:500 1364 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    23:00:58:515 1364 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    23:00:58:515 1364 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    23:00:58:531 1364 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
    23:00:58:562 1364 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    23:00:58:578 1364 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    23:00:58:609 1364 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    23:00:58:656 1364 V124 (5098916a3ef92e5fdb6677e225d14860) C:\WINDOWS\system32\DRIVERS\v124nt.sys
    23:00:58:671 1364 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    23:00:58:703 1364 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    23:00:58:718 1364 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    23:00:58:765 1364 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    23:00:58:796 1364 winachsf (b6aad96fcc3daf09fb7901b0b6c5d912) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
    23:00:58:843 1364 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    23:00:58:875 1364 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    23:00:58:890 1364 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    23:00:58:906 1364 yukonwxp (121805040c826638ceb541bf968e7c5b) C:\WINDOWS\system32\DRIVERS\yk51x86.sys
    23:00:59:000 1364 Reboot required for cure complete..
    23:00:59:140 1364 Cure on reboot scheduled successfully
    23:00:59:140 1364
    23:00:59:140 1364 Completed
    23:00:59:140 1364
    23:00:59:140 1364 Results:
    23:00:59:140 1364 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
    23:00:59:140 1364 File objects infected / cured / cured on reboot: 1 / 0 / 1
    23:00:59:140 1364
    23:00:59:140 1364 KLMD(ARK) unloaded successfully

    Do you think it's OK now please?
    If it is OK, then should I consider changing my firewall and perhaps also switching to Kaspersky from McAfee?
    Thanks for all your help; I would never have found TDSSKiller without your assistance.
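
    As an added example that is not part of the original thread and not a Kaspersky tool, the Python below parses TDSSKiller log lines of the shape pasted above and pulls out what a responder actually acts on: the driver whose two hashes disagree (the "Forged" finding, meaning the same file yields different bytes depending on how it is read), drivers loaded from outside the system drivers folder, and whether a cure is still pending a reboot. The line formats are inferred from the log above, the sample log is constructed from a handful of those lines, and the "non-system path" rule is a triage assumption of mine rather than anything TDSSKiller itself reports; third-party security drivers such as McAfee's and SUPERAntiSpyware's legitimately load from Program Files, so that list is a review list, not a verdict.

```python
# Triage helper for TDSSKiller 2.x logs. Added example for this thread, not part of
# the original post and not a Kaspersky tool; line formats are inferred from the log above.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Every TDSSKiller line looks like "HH:MM:SS:mmm <pid> <message>".
_LINE = re.compile(r"^\s*\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s+(.*)$")
# Driver enumeration entry: "<service> (<md5>) <path>".
_DRIVER = re.compile(r"^(\S+) \(([0-9a-fA-F]{32})\) ([A-Za-z]:\\.+)$")
# Forged-file finding: one path, two different hashes depending on how it was read.
_FORGED = re.compile(
    r"Suspicious file \(Forged\): (.+?)\. Real md5: ([0-9a-fA-F]{32}), Fake md5: ([0-9a-fA-F]{32})"
)
# The tool may append the next message to this one on the same line, so search rather than match.
_INFECTED = re.compile(r'File "([^"]+)" infected by')
_RESULT = re.compile(
    r"^(Registry|File) objects infected / cured / cured on reboot: (\d+) / (\d+) / (\d+)$"
)
# Triage assumption (mine, not the tool's): XP loads its own kernel drivers from here.
# Anything elsewhere is a review item, not a verdict; AV vendors do load from Program Files.
_SYSTEM_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


@dataclass
class Report:
    drivers: Dict[str, Tuple[str, str]] = field(default_factory=dict)   # service -> (md5, path)
    forged: List[Tuple[str, str, str]] = field(default_factory=list)    # (path, real_md5, fake_md5)
    infected: List[str] = field(default_factory=list)                   # paths the tool called infected
    results: Dict[str, Tuple[int, int, int]] = field(default_factory=dict)  # kind -> counters
    reboot_required: bool = False


def parse_tdsskiller(text: str) -> Report:
    """Collect drivers, forged-file findings and the summary counters from one log."""
    rep = Report()
    for raw in text.splitlines():
        m = _LINE.match(raw)
        if not m:
            continue
        msg = m.group(1).strip()
        d = _DRIVER.match(msg)
        if d:
            rep.drivers[d.group(1)] = (d.group(2).lower(), d.group(3))
            continue
        f = _FORGED.search(msg)
        if f:
            rep.forged.append((f.group(1), f.group(2).lower(), f.group(3).lower()))
            continue
        i = _INFECTED.search(msg)
        if i:
            rep.infected.append(i.group(1))
        if "Reboot required" in msg or "cured on next reboot" in msg:
            rep.reboot_required = True
        r = _RESULT.match(msg)
        if r:
            rep.results[r.group(1)] = (int(r.group(2)), int(r.group(3)), int(r.group(4)))
    return rep


def triage(rep: Report) -> Dict[str, List[str]]:
    """Reduce the report to the three things worth acting on."""
    out: Dict[str, List[str]] = {"hash_mismatch": [], "non_system_path": [], "pending_reboot": []}
    for path, real_md5, fake_md5 in rep.forged:
        if real_md5 != fake_md5:      # same file, two hashes: something sits between the reader and the disk
            out["hash_mismatch"].append(path)
    for svc, (_md5, path) in rep.drivers.items():
        if not path.lower().startswith(_SYSTEM_DRIVER_DIR):
            out["non_system_path"].append(f"{svc}: {path}")
    if rep.reboot_required:           # nothing is cured until the machine has actually restarted
        out["pending_reboot"] = list(rep.infected)
    return out


# Constructed sample, copied in shape from the log above (not a new detection).
SAMPLE_LOG = r"""
23:00:53:421 1364 Initialize success
23:00:53:500 1364 Scanning Drivers ...
23:00:53:953 1364 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
23:00:55:625 1364 mferkdk (18c277c693c7c0a8916585e5324d4887) C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys
23:00:57:250 1364 Tcpip (20cd1334889cf2b43f826778ca5ca0ed) C:\WINDOWS\system32\DRIVERS\tcpip.sys
23:00:57:250 1364 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\tcpip.sys. Real md5: 20cd1334889cf2b43f826778ca5ca0ed, Fake md5: 9aefa14bd6b182d61e3119fa5f436d3d
23:00:57:250 1364 File "C:\WINDOWS\system32\DRIVERS\tcpip.sys" infected by TDSS rootkit ... 23:00:58:062 1364 Backup copy found, using it..
23:00:58:250 1364 will be cured on next reboot
23:00:59:000 1364 Reboot required for cure complete..
23:00:59:140 1364 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
23:00:59:140 1364 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

if __name__ == "__main__":
    for key, items in triage(parse_tdsskiller(SAMPLE_LOG)).items():
        print(f"{key}: {items}")
```

    Run it as a script to see the three lists for the constructed sample, or pass the contents of a saved TDSSKiller log to `parse_tdsskiller` to do the same for a real run. The point of keeping `pending_reboot` separate is the one the log itself makes: "cured on reboot: 1" means the cure has been scheduled, not performed, so a follow-up scan after the restart is what confirms it.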
     
  13. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Can you run GMER again please, as I want to check something?
     
  14. Granville

    Granville Thread Starter

    Joined:
    May 28, 2010
    Messages:
    9
    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-06-13 10:50:48
    Windows 5.1.2600 Service Pack 3
    Running: btbmunnu.exe; Driver: C:\DOCUME~1\Trevor\LOCALS~1\Temp\axlyyfob.sys

    ---- System - GMER 1.0.15 ----
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA3EA687B]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xA3EA67FB]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA3EA68A5]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA3EA680F]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA3EA683B]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA3EA68CF]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA3EA67E7]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA3EA688F]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA3EA6825]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xA3EA6851]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA3EA6867]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA3EA68E5]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA3EA68B9]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
    ---- Kernel code sections - GMER 1.0.15 ----
    .text ntkrnlpa.exe!ZwYieldExecution 80502244 7 Bytes JMP A3EA68BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtCreateFile 8056E2EE 5 Bytes JMP A3EA687F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtMapViewOfSection 805A74F0 7 Bytes JMP A3EA68D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A8306 5 Bytes JMP A3EA68E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805ADA88 7 Bytes JMP A3EA6893 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwCreateProcess 805C74A0 5 Bytes JMP A3EA68A9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8CAA 5 Bytes JMP A3EA686B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwSetValueKey 806188B6 7 Bytes JMP A3EA6855 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwRenameKey 80619D66 7 Bytes JMP A3EA6829 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwCreateKey 8061A344 5 Bytes JMP A3EA67FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwDeleteKey 8061A7E0 7 Bytes JMP A3EA6813 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwDeleteValueKey 8061A9B0 7 Bytes JMP A3EA683F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwOpenKey 8061B722 5 Bytes JMP A3EA67EB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    ---- User code sections - GMER 1.0.15 ----
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[228] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FB000A
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[228] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FB0FA5
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[228] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FB009A
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[228] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FB0073
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[228] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FB0058
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[228] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FB0FC0
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[228] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FB0F6D
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[228] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FB0F7E
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[228] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FB00F5
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[228] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FB0F5C
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[228] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FB0110
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[228] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FB0047
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[228] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FB0FE5
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[228] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FB00B5
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[228] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FB002C
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[228] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FB001B
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[228] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FB00D0
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[228] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 008C0FCA
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[228] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 008C0062
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[228] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 008C001B
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[228] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 008C0000
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[228] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 008C0FAF
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[228] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 008C0FEF
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[228] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 008C0051
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[228] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 008C0036
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[228] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 008B0055
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[228] msvcrt.dll!system 77C293C7 5 Bytes JMP 008B0FD4
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[228] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 008B0FEF
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[228] msvcrt.dll!_open 77C2F566 5 Bytes JMP 008B0000
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[228] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 008B0044
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[228] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 008B001D
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[228] WS2_32.dll!socket 71AB4211 5 Bytes JMP 008A0000
    .text C:\WINDOWS\system32\svchost.exe[260] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B40000
    .text C:\WINDOWS\system32\svchost.exe[260] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B40F5C
    .text C:\WINDOWS\system32\svchost.exe[260] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B40F6D
    .text C:\WINDOWS\system32\svchost.exe[260] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B40F88
    .text C:\WINDOWS\system32\svchost.exe[260] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B40FA5
    .text C:\WINDOWS\system32\svchost.exe[260] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B40040
    .text C:\WINDOWS\system32\svchost.exe[260] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B40082
    .text C:\WINDOWS\system32\svchost.exe[260] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B40F30
    .text C:\WINDOWS\system32\svchost.exe[260] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B400BF
    .text C:\WINDOWS\system32\svchost.exe[260] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B400A4
    .text C:\WINDOWS\system32\svchost.exe[260] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B40F0B
    .text C:\WINDOWS\system32\svchost.exe[260] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B40051
    .text C:\WINDOWS\system32\svchost.exe[260] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B40FEF
    .text C:\WINDOWS\system32\svchost.exe[260] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B40F41
    .text C:\WINDOWS\system32\svchost.exe[260] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B4002F
    .text C:\WINDOWS\system32\svchost.exe[260] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B40FD4
    .text C:\WINDOWS\system32\svchost.exe[260] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B40093
    .text C:\WINDOWS\system32\svchost.exe[260] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B30FBC
    .text C:\WINDOWS\system32\svchost.exe[260] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B30F9A
    .text C:\WINDOWS\system32\svchost.exe[260] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B30FCD
    .text C:\WINDOWS\system32\svchost.exe[260] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B30FDE
    .text C:\WINDOWS\system32\svchost.exe[260] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B3004D
    .text C:\WINDOWS\system32\svchost.exe[260] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B30FEF
    .text C:\WINDOWS\system32\svchost.exe[260] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B30FAB
    .text C:\WINDOWS\system32\svchost.exe[260] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D3, 88]
    .text C:\WINDOWS\system32\svchost.exe[260] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B30028
    .text C:\WINDOWS\system32\svchost.exe[260] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B20F9C
    .text C:\WINDOWS\system32\svchost.exe[260] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B20FAD
    .text C:\WINDOWS\system32\svchost.exe[260] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B2001D
    .text C:\WINDOWS\system32\svchost.exe[260] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B20000
    .text C:\WINDOWS\system32\svchost.exe[260] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B20FD2
    .text C:\WINDOWS\system32\svchost.exe[260] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B20FE3
    .text C:\WINDOWS\Explorer.EXE[848] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 026E0FEF
    .text C:\WINDOWS\Explorer.EXE[848] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 026E0F66
    .text C:\WINDOWS\Explorer.EXE[848] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 026E0051
    .text C:\WINDOWS\Explorer.EXE[848] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 026E0040
    .text C:\WINDOWS\Explorer.EXE[848] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 026E0025
    .text C:\WINDOWS\Explorer.EXE[848] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 026E0F8D
    .text C:\WINDOWS\Explorer.EXE[848] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 026E009D
    .text C:\WINDOWS\Explorer.EXE[848] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 026E008C
    .text C:\WINDOWS\Explorer.EXE[848] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 026E0F1F
    .text C:\WINDOWS\Explorer.EXE[848] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 026E00B8
    .text C:\WINDOWS\Explorer.EXE[848] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 026E00C9
    .text C:\WINDOWS\Explorer.EXE[848] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 026E0014
    .text C:\WINDOWS\Explorer.EXE[848] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 026E0FD4
    .text C:\WINDOWS\Explorer.EXE[848] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 026E0F55
    .text C:\WINDOWS\Explorer.EXE[848] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 026E0FA8
    .text C:\WINDOWS\Explorer.EXE[848] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 026E0FB9
    .text C:\WINDOWS\Explorer.EXE[848] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 026E0F3A
    .text C:\WINDOWS\Explorer.EXE[848] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 026D0039
    .text C:\WINDOWS\Explorer.EXE[848] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 026D0F8D
    .text C:\WINDOWS\Explorer.EXE[848] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 026D0FDE
    .text C:\WINDOWS\Explorer.EXE[848] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 026D0014
    .text C:\WINDOWS\Explorer.EXE[848] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 026D0FA8
    .text C:\WINDOWS\Explorer.EXE[848] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 026D0FEF
    .text C:\WINDOWS\Explorer.EXE[848] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 026D0FC3
    .text C:\WINDOWS\Explorer.EXE[848] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [8D, 8A]
    .text C:\WINDOWS\Explorer.EXE[848] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 026D004A
    .text C:\WINDOWS\Explorer.EXE[848] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 026C0FB9
    .text C:\WINDOWS\Explorer.EXE[848] msvcrt.dll!system 77C293C7 5 Bytes JMP 026C0FCA
    .text C:\WINDOWS\Explorer.EXE[848] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 026C003A
    .text C:\WINDOWS\Explorer.EXE[848] msvcrt.dll!_open 77C2F566 5 Bytes JMP 026C0000
    .text C:\WINDOWS\Explorer.EXE[848] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 026C0FDB
    .text C:\WINDOWS\Explorer.EXE[848] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 026C0029
    .text C:\WINDOWS\Explorer.EXE[848] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02660FEF
    .text C:\WINDOWS\Explorer.EXE[848] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0266000A
    .text C:\WINDOWS\Explorer.EXE[848] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 0266001B
    .text C:\WINDOWS\Explorer.EXE[848] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 02660FCA
    .text C:\WINDOWS\Explorer.EXE[848] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C20FEF
    .text C:\WINDOWS\system32\services.exe[1084] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F70FEF
    .text C:\WINDOWS\system32\services.exe[1084] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F70F79
    .text C:\WINDOWS\system32\services.exe[1084] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F70F8A
    .text C:\WINDOWS\system32\services.exe[1084] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F70062
    .text C:\WINDOWS\system32\services.exe[1084] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F70047
    .text C:\WINDOWS\system32\services.exe[1084] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F70025
    .text C:\WINDOWS\system32\services.exe[1084] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F70F68
    .text C:\WINDOWS\system32\services.exe[1084] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F700A4
    .text C:\WINDOWS\system32\services.exe[1084] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F70F21
    .text C:\WINDOWS\system32\services.exe[1084] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F70F32
    .text C:\WINDOWS\system32\services.exe[1084] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F700DF
    .text C:\WINDOWS\system32\services.exe[1084] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F70036
    .text C:\WINDOWS\system32\services.exe[1084] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F70FCA
    .text C:\WINDOWS\system32\services.exe[1084] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F70089
    .text C:\WINDOWS\system32\services.exe[1084] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F70FAF
    .text C:\WINDOWS\system32\services.exe[1084] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F70000
    .text C:\WINDOWS\system32\services.exe[1084] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F70F4D
    .text C:\WINDOWS\system32\services.exe[1084] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F60FC0
    .text C:\WINDOWS\system32\services.exe[1084] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F60051
    .text C:\WINDOWS\system32\services.exe[1084] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F60FD1
    .text C:\WINDOWS\system32\services.exe[1084] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F60011
    .text C:\WINDOWS\system32\services.exe[1084] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F60040
    .text C:\WINDOWS\system32\services.exe[1084] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F60000
    .text C:\WINDOWS\system32\services.exe[1084] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F60F94
    .text C:\WINDOWS\system32\services.exe[1084] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [16, 89]
    .text C:\WINDOWS\system32\services.exe[1084] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F60FAF
    .text C:\WINDOWS\system32\services.exe[1084] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F50FA6
    .text C:\WINDOWS\system32\services.exe[1084] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F50FB7
    .text C:\WINDOWS\system32\services.exe[1084] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F5001D
    .text C:\WINDOWS\system32\services.exe[1084] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F50FEF
    .text C:\WINDOWS\system32\services.exe[1084] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F50FC8
    .text C:\WINDOWS\system32\services.exe[1084] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F5000C
    .text C:\WINDOWS\system32\services.exe[1084] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F40000
    .text C:\WINDOWS\system32\lsass.exe[1096] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B6000A
    .text C:\WINDOWS\system32\lsass.exe[1096] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B600A4
    .text C:\WINDOWS\system32\lsass.exe[1096] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B60093
    .text C:\WINDOWS\system32\lsass.exe[1096] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B6006C
    .text C:\WINDOWS\system32\lsass.exe[1096] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B60FAF
    .text C:\WINDOWS\system32\lsass.exe[1096] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B60036
    .text C:\WINDOWS\system32\lsass.exe[1096] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B60F83
    .text C:\WINDOWS\system32\lsass.exe[1096] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B60F94
    .text C:\WINDOWS\system32\lsass.exe[1096] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B6010B
    .text C:\WINDOWS\system32\lsass.exe[1096] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B60F72
    .text C:\WINDOWS\system32\lsass.exe[1096] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B60F57
    .text C:\WINDOWS\system32\lsass.exe[1096] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B60051
    .text C:\WINDOWS\system32\lsass.exe[1096] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B60FEF
    .text C:\WINDOWS\system32\lsass.exe[1096] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B600BF
    .text C:\WINDOWS\system32\lsass.exe[1096] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B60025
    .text C:\WINDOWS\system32\lsass.exe[1096] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B60FD4
    .text C:\WINDOWS\system32\lsass.exe[1096] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B600E6
    .text C:\WINDOWS\system32\lsass.exe[1096] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B50FCA
    .text C:\WINDOWS\system32\lsass.exe[1096] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B50F83
    .text C:\WINDOWS\system32\lsass.exe[1096] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B5001B
    .text C:\WINDOWS\system32\lsass.exe[1096] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B50FE5
    .text C:\WINDOWS\system32\lsass.exe[1096] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B50F94
    .text C:\WINDOWS\system32\lsass.exe[1096] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B50000
    .text C:\WINDOWS\system32\lsass.exe[1096] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B50036
    .text C:\WINDOWS\system32\lsass.exe[1096] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B50FB9
    .text C:\WINDOWS\system32\lsass.exe[1096] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B4003A
    .text C:\WINDOWS\system32\lsass.exe[1096] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B40FAF
    .text C:\WINDOWS\system32\lsass.exe[1096] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B40FDE
    .text C:\WINDOWS\system32\lsass.exe[1096] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B40000
    .text C:\WINDOWS\system32\lsass.exe[1096] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B40029
    .text C:\WINDOWS\system32\lsass.exe[1096] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B40FEF
    .text C:\WINDOWS\system32\lsass.exe[1096] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B30FEF
    .text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AA0FEF
    .text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00AA0053
    .text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00AA0038
    .text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00AA0F5E
    .text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00AA0F6F
    .text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00AA0FA5
    .text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00AA008B
    .text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00AA0064
    .text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00AA00B0
    .text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00AA0F0D
    .text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00AA0EFC
    .text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00AA0F8A
    .text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00AA0000
    .text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreatePipe 7C81D83F 1 Byte [E9]
    .text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00AA0F43
    .text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00AA0FC0
    .text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00AA0011
    .text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00AA0F28
    .text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A90FCA
    .text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A90FA5
    .text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A90FEF
    .text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A9001B
    .text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A90058
    .text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A9000A
    .text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00A90047
    .text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A90036
    .text C:\WINDOWS\system32\svchost.exe[1252] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A80FB2
    .text C:\WINDOWS\system32\svchost.exe[1252] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A80FC3
    .text C:\WINDOWS\system32\svchost.exe[1252] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A8002C
    .text C:\WINDOWS\system32\svchost.exe[1252] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A80000
    .text C:\WINDOWS\system32\svchost.exe[1252] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A8003D
    .text C:\WINDOWS\system32\svchost.exe[1252] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A80011
    .text C:\WINDOWS\system32\svchost.exe[1252] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A70FEF
    .text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA0000
    .text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA006F
    .text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA0F70
    .text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA0F97
    .text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA0054
    .text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA0FB9
    .text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA0F55
    .text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA009D
    .text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA00C2
    .text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA0F29
    .text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BA0F0E
    .text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BA0FA8
    .text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BA0FDB
    .text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BA0080
    .text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BA0FCA
    .text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BA001B
    .text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BA0F3A
    .text C:\WINDOWS\system32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B9002F
    .text C:\WINDOWS\system32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B90065
    .text C:\WINDOWS\system32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B9001E
    .text C:\WINDOWS\system32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B90FDE
    .text C:\WINDOWS\system32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B90FA8
    .text C:\WINDOWS\system32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B90FEF
    .text C:\WINDOWS\system32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B90FC3
    .text C:\WINDOWS\system32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D9, 88]
    .text C:\WINDOWS\system32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B9004A
    .text C:\WINDOWS\system32\svchost.exe[1328] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B8002E
    .text C:\WINDOWS\system32\svchost.exe[1328] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B80FA3
    .text C:\WINDOWS\system32\svchost.exe[1328] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B80FE3
    .text C:\WINDOWS\system32\svchost.exe[1328] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B80000
    .text C:\WINDOWS\system32\svchost.exe[1328] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B80FC8
    .text C:\WINDOWS\system32\svchost.exe[1328] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B8001D
    .text C:\WINDOWS\system32\svchost.exe[1328] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B70FEF
    .text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 027D0000
    .text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 027D0091
    .text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 027D0080
    .text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 027D0065
    .text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 027D0FA8
    .text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 027D0040
    .text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 027D0F50
    .text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 027D00A2
    .text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 027D00C7
    .text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 027D0F2E
    .text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 027D0F13
    .text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 027D0FB9
    .text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 027D0FEF
    .text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 027D0F81
    .text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 027D002F
    .text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 027D0FDE
    .text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 027D0F3F
    .text C:\WINDOWS\System32\svchost.exe[1368] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 027C001B
    .text C:\WINDOWS\System32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 027C0F83
    .text C:\WINDOWS\System32\svchost.exe[1368] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 027C0000
    .text C:\WINDOWS\System32\svchost.exe[1368] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 027C0FCA
    .text C:\WINDOWS\System32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 027C0F94
    .text C:\WINDOWS\System32\svchost.exe[1368] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 027C0FE5
    .text C:\WINDOWS\System32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 027C0FA5
    .text C:\WINDOWS\System32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [9C, 8A]
    .text C:\WINDOWS\System32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 027C002C
    .text C:\WINDOWS\System32\svchost.exe[1368] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 027B0FBE
    .text C:\WINDOWS\System32\svchost.exe[1368] msvcrt.dll!system 77C293C7 5 Bytes JMP 027B0049
    .text C:\WINDOWS\System32\svchost.exe[1368] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 027B0FE3
    .text C:\WINDOWS\System32\svchost.exe[1368] msvcrt.dll!_open 77C2F566 5 Bytes JMP 027B000C
    .text C:\WINDOWS\System32\svchost.exe[1368] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 027B0038
    .text C:\WINDOWS\System32\svchost.exe[1368] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 027B001D
    .text C:\WINDOWS\System32\svchost.exe[1368] WS2_32.dll!socket 71AB4211 5 Bytes JMP 022C000A
    .text C:\WINDOWS\System32\svchost.exe[1368] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 022B0FEF
    .text C:\WINDOWS\System32\svchost.exe[1368] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 022B0000
    .text C:\WINDOWS\System32\svchost.exe[1368] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 022B0FD4
    .text C:\WINDOWS\System32\svchost.exe[1368] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 022B0FAF
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007B0000
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007B0089
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007B0078
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007B0F9E
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007B0FAF
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007B0051
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007B0F52
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007B0F63
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007B0F01
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007B0F12
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007B00B5
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 007B0FC0
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 007B0FEF
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 007B009A
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 007B0036
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 007B0025
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007B0F37
    .text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007A0FDE
    .text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007A006C
    .text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007A002F
    .text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007A0FEF
    .text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 007A0FA5
    .text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 007A000A
    .text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 007A0051
    .text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 007A0040
    .text C:\WINDOWS\system32\svchost.exe[1416] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00790F89
    .text C:\WINDOWS\system32\svchost.exe[1416] msvcrt.dll!system 77C293C7 5 Bytes JMP 00790F9A
    .text C:\WINDOWS\system32\svchost.exe[1416] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00790FC6
    .text C:\WINDOWS\system32\svchost.exe[1416] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00790000
    .text C:\WINDOWS\system32\svchost.exe[1416] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00790FAB
    .text C:\WINDOWS\system32\svchost.exe[1416] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00790FD7
    .text C:\WINDOWS\system32\svchost.exe[1416] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00780FEF
    .text C:\WINDOWS\system32\svchost.exe[1488] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009C0FEF
    .text C:\WINDOWS\system32\svchost.exe[1488] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009C0085
    .text C:\WINDOWS\system32\svchost.exe[1488] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009C006A
    .text C:\WINDOWS\system32\svchost.exe[1488] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009C0F86
    .text C:\WINDOWS\system32\svchost.exe[1488] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009C0F97
    .text C:\WINDOWS\system32\svchost.exe[1488] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009C0FB2
    .text C:\WINDOWS\system32\svchost.exe[1488] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009C0F64
    .text C:\WINDOWS\system32\svchost.exe[1488] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009C00A0
    .text C:\WINDOWS\system32\svchost.exe[1488] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009C0F1D
    .text C:\WINDOWS\system32\svchost.exe[1488] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009C0F38
    .text C:\WINDOWS\system32\svchost.exe[1488] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009C0F02
    .text C:\WINDOWS\system32\svchost.exe[1488] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009C0039
    .text C:\WINDOWS\system32\svchost.exe[1488] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009C0FDE
    .text C:\WINDOWS\system32\svchost.exe[1488] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009C0F75
    .text C:\WINDOWS\system32\svchost.exe[1488] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009C0FC3
    .text C:\WINDOWS\system32\svchost.exe[1488] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009C0014
    .text C:\WINDOWS\system32\svchost.exe[1488] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009C0F53
    .text C:\WINDOWS\system32\svchost.exe[1488] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009B0FC3
    .text C:\WINDOWS\system32\svchost.exe[1488] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009B0FB2
    .text C:\WINDOWS\system32\svchost.exe[1488] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009B0FDE
    .text C:\WINDOWS\system32\svchost.exe[1488] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009B000A
    .text C:\WINDOWS\system32\svchost.exe[1488] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009B0065
    .text C:\WINDOWS\system32\svchost.exe[1488] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009B0FEF
    .text C:\WINDOWS\system32\svchost.exe[1488] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 009B0054
    .text C:\WINDOWS\system32\svchost.exe[1488] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009B0039
    .text C:\WINDOWS\system32\svchost.exe[1488] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009A0053
    .text C:\WINDOWS\system32\svchost.exe[1488] msvcrt.dll!system 77C293C7 5 Bytes JMP 009A0042
    .text C:\WINDOWS\system32\svchost.exe[1488] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009A0FD2
    .text C:\WINDOWS\system32\svchost.exe[1488] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009A0FEF
    .text C:\WINDOWS\system32\svchost.exe[1488] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009A0031
    .text C:\WINDOWS\system32\svchost.exe[1488] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009A000C
    .text C:\WINDOWS\system32\svchost.exe[1488] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00990FEF
    .text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA0FEF
    .text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA0F5F
    .text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA004A
    .text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA0039
    .text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA0F7C
    .text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA0FA8
    .text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA00A0
    .text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA0079
    .text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA0F11
    .text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA0F2C
    .text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BA00C5
    .text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BA0F97
    .text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BA000A
    .text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BA0F4E
    .text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BA0FC3
    .text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BA0FD4
    .text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BA0F3D
    .text C:\WINDOWS\system32\svchost.exe[1900] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00930FE5
    .text C:\WINDOWS\system32\svchost.exe[1900] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00930091
    .text C:\WINDOWS\system32\svchost.exe[1900] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0093002C
    .text C:\WINDOWS\system32\svchost.exe[1900] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00930011
    .text C:\WINDOWS\system32\svchost.exe[1900] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00930076
    .text C:\WINDOWS\system32\svchost.exe[1900] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930000
    .text C:\WINDOWS\system32\svchost.exe[1900] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0093005B
    .text C:\WINDOWS\system32\svchost.exe[1900] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00930FD4
    .text C:\WINDOWS\system32\svchost.exe[1900] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920FA1
    .text C:\WINDOWS\system32\svchost.exe[1900] msvcrt.dll!system 77C293C7 5 Bytes JMP 00920FBC
    .text C:\WINDOWS\system32\svchost.exe[1900] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0092001B
    .text C:\WINDOWS\system32\svchost.exe[1900] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920000
    .text C:\WINDOWS\system32\svchost.exe[1900] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0092002C
    .text C:\WINDOWS\system32\svchost.exe[1900] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00920FD7
    .text C:\WINDOWS\system32\svchost.exe[1900] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00900FEF
    .text C:\WINDOWS\system32\svchost.exe[1900] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00900FDE
    .text C:\WINDOWS\system32\svchost.exe[1900] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00900FC3
    .text C:\WINDOWS\system32\svchost.exe[1900] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00900FA8
    .text C:\WINDOWS\system32\svchost.exe[1900] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00910FEF
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1992] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01D00000
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1992] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01D00F87
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1992] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01D00F98
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1992] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01D00072
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1992] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01D00055
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1992] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01D00044
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1992] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01D000B9
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1992] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01D000A8
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1992] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01D000EC
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1992] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01D000DB
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1992] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01D00F38
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1992] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01D00FB3
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1992] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01D00011
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1992] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01D00097
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1992] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01D00033
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1992] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01D00022
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1992] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01D000CA
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1992] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01CF001B
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1992] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01CF0F8D
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1992] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01CF0FD4
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1992] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01CF0FE5
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1992] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01CF0F9E
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1992] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01CF0000
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1992] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01CF0040
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1992] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01CF0FAF
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1992] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01CE0036
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1992] msvcrt.dll!system 77C293C7 5 Bytes JMP 01CE0FAB
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1992] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01CE0000
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1992] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01CE0FE3
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1992] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01CE0025
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1992] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01CE0FD2
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1992] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01CD0000
    ---- User IAT/EAT - GMER 1.0.15 ----
    IAT C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1944] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [01962F20] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1944] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [01962C90] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1944] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [01962CF0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1944] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [01962CC0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
    ---- Devices - GMER 1.0.15 ----
    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    ---- EOF - GMER 1.0.15 ----
     
  15. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    That looks like it has been cured now.

    I wouldn't guarantee that Kaspersky would have stopped this one installing, but it most likely would have done, where McAfee missed it.

    Normally this particular malware comes when downloading games or movies via P2P or from "dubious" sources, but it has started to be spread through exploits in out-of-date software like Adobe Reader, Flash or Java, so it is essential to do the Secunia scan & update everything it finds.

    *Follow these steps to uninstall Combofix and the other tools it downloaded to remove the malware*
    * Click START then RUN
    * Now type Combofix /Uninstall in the Run box and click OK. Note the space between the X and the /U; it needs to be there.

    This will also purge the restore folder and clear any malware that has been put in there. Now empty the Recycle Bin on the desktop, then reboot.

    Go here http://www.thespykiller.co.uk/index.php?page=3 for info on how to tighten your security settings and how to help prevent future attacks.

    And scan here http://secunia.com/software_inspector/ for out-of-date & vulnerable common applications on your computer and update whatever it suggests.

    Then pay an urgent visit to Windows Update & make sure you are fully updated; that will help to plug the security holes that let these pests on in the first place.
     
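    A quick check a reader can run after finishing the steps above, to confirm that the services this thread was about are back in their normal state. This is an added example and not part of the thread or of any tool mentioned in it; it assumes the standard Windows XP service names (SharedAccess for Windows Firewall/Internet Connection Sharing, wscsvc for Security Center, wuauserv for Automatic Updates) and only uses `sc query` / `sc qc`, which are built into XP.

```batch
@echo off
rem Added example (not from the thread): report whether the firewall, Security
rem Center and Automatic Updates services are running and set to auto-start.
rem Service names are the standard Windows XP ones (assumption stated above):
rem   SharedAccess = Windows Firewall/Internet Connection Sharing (ICS)
rem   wscsvc       = Security Center
rem   wuauserv     = Automatic Updates
setlocal

call :check SharedAccess "Windows Firewall/ICS"
call :check wscsvc "Security Center"
call :check wuauserv "Automatic Updates"

endlocal
exit /b 0

:check
rem %1 = service name, %2 = human-readable description
rem "sc query" prints a STATE line containing RUNNING when the service is up.
sc query %1 | findstr /C:"RUNNING" >nul
if errorlevel 1 (
    echo [WARN] %~2 ^(%1^) is NOT running
) else (
    echo [ OK ] %~2 ^(%1^) is running
)
rem "sc qc" prints the START_TYPE line; AUTO_START means it starts at boot.
sc qc %1 | findstr /C:"AUTO_START" >nul
if errorlevel 1 (
    echo [WARN] %~2 ^(%1^) is not set to start automatically
) else (
    echo [ OK ] %~2 ^(%1^) starts automatically
)
goto :eof
```

    Run it from an administrator account. A WARN on SharedAccess after the cleanup means the original symptom (the firewall service refusing to start) has not actually been resolved and the machine should be looked at again before it is considered clean.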
Short URL to this thread: https://techguy.org/926378