Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

iaStor.sys is being suspiciously modified


  • This topic is locked This topic is locked
11 replies to this topic

#1 jeswald

jeswald

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:15 PM

Posted 03 February 2010 - 06:47 PM

Hi all,

I am suffering from the Google redirect problem. Whenever I do a Google search, clicking on the resulting links takes me to random sites. Interestingly, clicking "back" then clicking the link again takes me to the right site. The computer otherwise works fine. McAfee and MBAM report no problems.

I am running:
Windows XP SP3
Firefox 3.6, IE 8.0 (the problem shows up in both browsers)

In the "Am I infected? What do I do?" Boopme instructed me to submit my GMER and DDS logs here. They are found below; the attach file is, well, attached.

Thanks for your help!

J

DDS Log
======

DDS (Ver_09-12-01.01) - NTFSx86
Run by Jesse at 18:38:11.40 on Wed 02/03/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2277 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
svchost.exe
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\WINDOWS\system32\MAFWTray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Google\deskbar-0.5.95.0\ggviewer.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\main\LaunchPd.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Event\Ezbus\EZbus Tray Menu.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Eudora\eudora.exe
C:\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=7.0unattached&bm=ho_central
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [<NO NAME>]
uRun: [ATI Launchpad] "c:\program files\ati multimedia\main\LaunchPd.exe"
uRun: [ATI DeviceDetect] c:\program files\ati multimedia\main\ATIDtct.EXE
uRun: [ATI Remote Control] c:\program files\ati multimedia\remctrl\ATIRW.exe
uRun: [OfotoNow USB Detection] c:\windows\system32\rundll32.exe c:\progra~1\ofoto\ofotonow\OFUSBS.DLL,WatchForConnection OfotoNow
uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVDtray.exe
uRun: [ATI Scheduler] c:\program files\ati multimedia\main\ATISched.EXE
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\acrobat\AdobeUpdateManager.exe AcPro7_0_5 -reboot 1
uRunOnce: [FFTI] c:\documents and settings\jesse\application data\mozilla\firefox\profiles\fcrybis1.default\extensions\{b13721c7-f507-4982-b2e5-502a71474fed}\ffti.exe /verysilent /suppressmsgboxes /norestart /destpath="c:\documents and settings\jesse\application data\mozilla\firefox\profiles/fcrybis1.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\NPSWF32_FlashUtil.exe -p
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\ATIPTAXX.EXE
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [Corel Painter Essentials 21a] c:\program files\corel\corel painter essentials 2\registration.exe /title="Corel Painter Essentials 2" /date=020610 serial=PE02CBX-0000003-NMD lang=EN
mRun: [SSBkgdUpdate] c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe -Embedding -boot
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [EPSON Stylus CX7800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAFA.EXE /P26 "EPSON Stylus CX7800 Series" /O11 "IP_10.0.1.1" /M "Stylus CX7800"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [M-Audio Taskbar Icon] c:\windows\system32\MAFWTray.exe
mRun: [MAFWTaskbarApp] c:\windows\system32\MAFWTray.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ezbust~1.lnk - c:\program files\event\ezbus\EZbus Tray Menu.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony corporation\picture package\picture package menu\SonyTray.exe
IE: Add to Evernote - c:\program files\evernote\evernote3\enbar.dll/2000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\program files\ati multimedia\tv\EXPLBAR.DLL
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {E0B8C461-F8FB-49b4-8373-FE32E9252800} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEE1} - c:\program files\evernote\evernote3\enbar.dll
Trusted Zone: turbotax.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-150-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = :\windows\system32\srrstr.dll cli scecli scecli scecli scecli scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jesse\applic~1\mozilla\firefox\profiles\fcrybis1.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com
FF - component: c:\documents and settings\jesse\application data\mozilla\firefox\profiles\fcrybis1.default\extensions\{e0b8c461-f8fb-49b4-8373-fe32e9252800}\platform\winnt_x86-msvc\components\enbar3.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\jesse\application data\mozilla\firefox\profiles\fcrybis1.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\jesse\application data\mozilla\firefox\profiles\fcrybis1.default\extensions\support@ancestry.com\plugins\npImgCtl.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\NPUploader.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwinamp.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 sonypvl3;sonypvl3;c:\windows\system32\drivers\sonypvl3.sys [2005-7-1 18110]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-9 214664]
R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [2007-7-19 33824]
R1 sonypvf3;sonypvf3;c:\windows\system32\drivers\sonypvf3.sys [2005-7-1 619390]
R1 sonypvt3;sonypvt3;c:\windows\system32\drivers\sonypvt3.sys [2005-7-1 423454]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-3-22 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-3-22 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-3-22 144704]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-4 118784]
R3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\system32\drivers\aticxcap.sys [2005-3-30 173824]
R3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);c:\windows\system32\drivers\aticxtun.sys [2005-3-30 29184]
R3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;c:\windows\system32\drivers\aticxxbr.sys [2005-3-30 9088]
R3 MAFW;MAFW;c:\windows\system32\drivers\mafw.sys [2009-2-14 193032]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-3-22 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-3-22 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-3-22 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-3-22 40552]
S1 sonypvd3;Sony DVD Handycam;c:\windows\system32\drivers\sonypvd3.sys [2005-7-1 64964]
S1 xpnrhjgk;xpnrhjgk;\??\c:\windows\system32\drivers\xpnrhjgk.sys --> c:\windows\system32\drivers\xpnrhjgk.sys [?]
S3 ezbus;ezbus;c:\windows\system32\drivers\ezbus.sys [2004-12-8 20228]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-3-22 34248]
S3 YMIDUSBW;Yamaha USB-MIDI Driver (WDM);c:\windows\system32\drivers\ymidusbw.sys [2007-11-25 32720]

=============== Created Last 30 ================

2010-02-02 00:37:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-02 00:37:16 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-01 23:58:45 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-02-01 23:58:45 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-01 05:24:46 0 d-----w- c:\windows\system32\MpEngineStore
2010-01-27 23:54:52 0 d-----w- c:\windows\system32\wbem\Repository
2010-01-27 18:58:57 0 d-----w- c:\temp\ProcessExplorer
2010-01-27 18:43:44 130 ----a-w- c:\windows\system32\tablet.dat
2010-01-27 18:41:46 14589 ----a-w- c:\windows\system32\Config.MPF
2010-01-27 17:44:45 2206 ----a-w- c:\windows\system32\wpa.dbl
2010-01-27 17:08:17 0 d-----w- c:\docume~1\jesse\applic~1\Malwarebytes
2010-01-27 17:08:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-27 17:08:10 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-27 16:11:43 135680 ----a-w- c:\temp\taskmgr_ja.exe
2010-01-27 01:43:25 1 ----a-w- C:\s

==================== Find3M ====================

2010-01-02 12:20:12 353 ----a-w- C:\ntbackup.cmd
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-19 16:58:58 70984 ----a-w- c:\documents and settings\jesse\g2mdlhlpx.exe
2007-03-09 07:12:32 27648 --sha-w- c:\windows\system32\AVSredirect.dll
2008-11-26 23:01:08 88 --sh--r- c:\windows\system32\EA2D0A5A27.sys
2009-02-14 22:15:30 2254 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-03-22 14:49:40 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009032220090323\index.dat

============= FINISH: 18:39:35.32 ===============

GMER Log
=======
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-02 22:54:21
Windows 5.1.2600 Service Pack 3
Running: p4q59ohd.exe; Driver: C:\DOCUME~1\Jesse\LOCALS~1\Temp\uxtiraoc.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA690C78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xA690C821]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA690C738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA690C74C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA690C835]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA690C861]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xA690C8CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xA690C8B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA690C7CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xA690C8FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA690C80D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA690C710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA690C724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA690C79E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xA690C937]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xA690C8A3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xA690C88D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA690C84B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xA690C923]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xA690C90F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA690C776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA690C762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xA690C877]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA690C7F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xA690C8E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA690C7E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA690C7B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 80515A6A 7 Bytes JMP A690C7B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80572BF4 5 Bytes JMP A690C811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryValueKey 80573037 7 Bytes JMP A690C891 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateKey 8057791D 5 Bytes JMP A690C825 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryKey 80578A14 7 Bytes JMP A690C93B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateKey 80578E14 7 Bytes JMP A690C8D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8057C328 5 Bytes JMP A690C78E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8057CFC0 5 Bytes JMP A690C766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 8057DEF1 5 Bytes JMP A690C7E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 8057E369 7 Bytes JMP A690C7CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 80581702 5 Bytes JMP A690C714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80581889 7 Bytes JMP A690C7A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetValueKey 8058228C 7 Bytes JMP A690C87B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateValueKey 80587693 3 Bytes JMP A690C8BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateValueKey + 4 80587697 3 Bytes [26, 90, 90]
PAGE ntoskrnl.exe!ZwCreateProcessEx 8058B7CD 7 Bytes JMP A690C750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 8058E695 5 Bytes JMP A690C7FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80591F8B 7 Bytes JMP A690C865 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 80593334 7 Bytes JMP A690C839 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B0470 5 Bytes JMP A690C73C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 805E1941 5 Bytes JMP A690C728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 805E2197 5 Bytes JMP A690C8FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 80635977 5 Bytes JMP A690C77A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 80654DE6 7 Bytes JMP A690C8E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 8065570C 7 Bytes JMP A690C8A7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 80655B88 7 Bytes JMP A690C84F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRestoreKey 8065607D 5 Bytes JMP A690C913 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwReplaceKey 806564E8 5 Bytes JMP A690C927 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.rsrc C:\WINDOWS\system32\drivers\iaStor.sys entry point in ".rsrc" section [0xF747EF80]
init C:\WINDOWS\system32\DRIVERS\mohfilt.sys entry point in "init" section [0xF77F2760]
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xB8EF5F80]
.text C:\WINDOWS\system32\drivers\oreans32.sys section is writeable [0xA72AA280, 0x7B1C, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[272] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 11870000
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[272] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 11870087
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[272] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 11870076
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[272] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 11870F9E
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[272] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 1187005B
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[272] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 1187004A
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[272] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 118700D0
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[272] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 118700BF
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[272] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 11870F41
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[272] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 11870F52
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[272] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 118700F5
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[272] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 11870FC3
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[272] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 11870FEF
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[272] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 118700A2
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[272] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 11870FD4
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[272] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 11870025
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[272] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 11870F63
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[272] ADVAPI32.DLL!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 11570014
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[272] ADVAPI32.DLL!RegCreateKeyExW 77DD776C 5 Bytes JMP 1157005B
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[272] ADVAPI32.DLL!RegOpenKeyExA 77DD7852 5 Bytes JMP 11570FCD
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[272] ADVAPI32.DLL!RegOpenKeyW 77DD7946 5 Bytes JMP 11570FDE
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[272] ADVAPI32.DLL!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 11570040
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[272] ADVAPI32.DLL!RegOpenKeyA 77DDEFC8 5 Bytes JMP 11570FEF
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[272] ADVAPI32.DLL!RegCreateKeyW 77DFBA55 5 Bytes JMP 1157002F
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[272] ADVAPI32.DLL!RegCreateKeyA 77DFBCF3 5 Bytes JMP 11570FA8
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[272] MSVCRT.DLL!_wsystem 77C2931E 5 Bytes JMP 00DC0064
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[272] MSVCRT.DLL!system 77C293C7 5 Bytes JMP 00DC0053
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[272] MSVCRT.DLL!_creat 77C2D40F 5 Bytes JMP 00DC0FE3
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[272] MSVCRT.DLL!_open 77C2F566 5 Bytes JMP 00DC0000
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[272] MSVCRT.DLL!_wcreat 77C2FC9B 5 Bytes JMP 00DC0042
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[272] MSVCRT.DLL!_wopen 77C30055 5 Bytes JMP 00DC001D
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[272] WS2_32.dll!socket 11104211 5 Bytes JMP 00DB0000
.text C:\WINDOWS\system32\svchost.exe[584] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C40FEF
.text C:\WINDOWS\system32\svchost.exe[584] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C40F9E
.text C:\WINDOWS\system32\svchost.exe[584] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C40FAF
.text C:\WINDOWS\system32\svchost.exe[584] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C40FC0
.text C:\WINDOWS\system32\svchost.exe[584] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C4007D
.text C:\WINDOWS\system32\svchost.exe[584] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C40051
.text C:\WINDOWS\system32\svchost.exe[584] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C400C9
.text C:\WINDOWS\system32\svchost.exe[584] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C400B8
.text C:\WINDOWS\system32\svchost.exe[584] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C40F5C
.text C:\WINDOWS\system32\svchost.exe[584] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C400FF
.text C:\WINDOWS\system32\svchost.exe[584] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C4011A
.text C:\WINDOWS\system32\svchost.exe[584] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C40062
.text C:\WINDOWS\system32\svchost.exe[584] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C40014
.text C:\WINDOWS\system32\svchost.exe[584] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C40F8D
.text C:\WINDOWS\system32\svchost.exe[584] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C40036
.text C:\WINDOWS\system32\svchost.exe[584] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C40025
.text C:\WINDOWS\system32\svchost.exe[584] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C400E4
.text C:\WINDOWS\system32\svchost.exe[584] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C30FAF
.text C:\WINDOWS\system32\svchost.exe[584] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C30F68
.text C:\WINDOWS\system32\svchost.exe[584] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C30000
.text C:\WINDOWS\system32\svchost.exe[584] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C30FD4
.text C:\WINDOWS\system32\svchost.exe[584] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C30F79
.text C:\WINDOWS\system32\svchost.exe[584] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C30FE5
.text C:\WINDOWS\system32\svchost.exe[584] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C30F8A
.text C:\WINDOWS\system32\svchost.exe[584] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E3, 88] {JECXZ 0xffffffffffffff8a}
.text C:\WINDOWS\system32\svchost.exe[584] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C3001B
.text C:\WINDOWS\system32\svchost.exe[584] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C20FA3
.text C:\WINDOWS\system32\svchost.exe[584] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C2002E
.text C:\WINDOWS\system32\svchost.exe[584] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C20FD2
.text C:\WINDOWS\system32\svchost.exe[584] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C20000
.text C:\WINDOWS\system32\svchost.exe[584] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C2001D
.text C:\WINDOWS\system32\svchost.exe[584] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C20FE3
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070FA8
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070FB9
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070091
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070076
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0007005B
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070F72
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070F8D
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00070F35
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070F46
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 000700F3
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00070025
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 000700AE
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00070036
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00070F61
.text C:\WINDOWS\system32\services.exe[840] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00060025
.text C:\WINDOWS\system32\services.exe[840] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00060F6F
.text C:\WINDOWS\system32\services.exe[840] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00060FD4
.text C:\WINDOWS\system32\services.exe[840] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0006000A
.text C:\WINDOWS\system32\services.exe[840] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00060F94
.text C:\WINDOWS\system32\services.exe[840] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[840] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00060FAF
.text C:\WINDOWS\system32\services.exe[840] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [26, 88]
.text C:\WINDOWS\system32\services.exe[840] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00060036
.text C:\WINDOWS\system32\services.exe[840] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050FA8
.text C:\WINDOWS\system32\services.exe[840] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050FB9
.text C:\WINDOWS\system32\services.exe[840] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050018
.text C:\WINDOWS\system32\services.exe[840] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\services.exe[840] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050033
.text C:\WINDOWS\system32\services.exe[840] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00050FDE
.text C:\WINDOWS\system32\services.exe[840] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FE5
.text C:\WINDOWS\system32\lsass.exe[860] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D0000A
.text C:\WINDOWS\system32\lsass.exe[860] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D000BF
.text C:\WINDOWS\system32\lsass.exe[860] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D000A4
.text C:\WINDOWS\system32\lsass.exe[860] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D00089
.text C:\WINDOWS\system32\lsass.exe[860] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D0006C
.text C:\WINDOWS\system32\lsass.exe[860] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D00040
.text C:\WINDOWS\system32\lsass.exe[860] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D00F88
.text C:\WINDOWS\system32\lsass.exe[860] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D000D0
.text C:\WINDOWS\system32\lsass.exe[860] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D000F5
.text C:\WINDOWS\system32\lsass.exe[860] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D00F5C
.text C:\WINDOWS\system32\lsass.exe[860] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D00F4B
.text C:\WINDOWS\system32\lsass.exe[860] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D00051
.text C:\WINDOWS\system32\lsass.exe[860] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D00025
.text C:\WINDOWS\system32\lsass.exe[860] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D00FAF
.text C:\WINDOWS\system32\lsass.exe[860] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D00FCA
.text C:\WINDOWS\system32\lsass.exe[860] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D00FEF
.text C:\WINDOWS\system32\lsass.exe[860] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D00F6D
.text C:\WINDOWS\system32\lsass.exe[860] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CF0FC3
.text C:\WINDOWS\system32\lsass.exe[860] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CF0FA8
.text C:\WINDOWS\system32\lsass.exe[860] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CF0FD4
.text C:\WINDOWS\system32\lsass.exe[860] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CF000A
.text C:\WINDOWS\system32\lsass.exe[860] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CF0065
.text C:\WINDOWS\system32\lsass.exe[860] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CF0FEF
.text C:\WINDOWS\system32\lsass.exe[860] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00CF004A
.text C:\WINDOWS\system32\lsass.exe[860] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CF002F
.text C:\WINDOWS\system32\lsass.exe[860] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C60FA6
.text C:\WINDOWS\system32\lsass.exe[860] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C60031
.text C:\WINDOWS\system32\lsass.exe[860] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C60FD2
.text C:\WINDOWS\system32\lsass.exe[860] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C60000
.text C:\WINDOWS\system32\lsass.exe[860] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C60FB7
.text C:\WINDOWS\system32\lsass.exe[860] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C60FE3
.text C:\WINDOWS\system32\lsass.exe[860] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B50000
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B50F62
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B50F73
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B50F84
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B5004D
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B50FB2
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B50F2A
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B50F3B
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B50EED
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B50EFE
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B500AB
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B50FA1
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B50FEF
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B50072
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B50FCD
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B50FDE
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B50F0F
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B4002C
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B40FA2
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B40FE5
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B40011
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B40069
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B40000
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B4004E
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B4003D
.text C:\WINDOWS\system32\svchost.exe[1068] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B30053
.text C:\WINDOWS\system32\svchost.exe[1068] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B30FD2
.text C:\WINDOWS\system32\svchost.exe[1068] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B30027
.text C:\WINDOWS\system32\svchost.exe[1068] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B30FE3
.text C:\WINDOWS\system32\svchost.exe[1068] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B30038
.text C:\WINDOWS\system32\svchost.exe[1068] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B3000C
.text C:\WINDOWS\system32\svchost.exe[1068] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B20FE5
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CE0000
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CE0075
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CE005A
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CE0F76
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CE0033
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CE0011
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CE0F4A
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CE0092
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CE00BE
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CE0F25
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CE00D9
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CE0022
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CE0FDB
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CE0F65
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CE0FAF
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CE0FC0
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CE00A3
.text C:\WINDOWS\system32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CD0039
.text C:\WINDOWS\system32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CD0F86
.text C:\WINDOWS\system32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CD0FDE
.text C:\WINDOWS\system32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CD0FEF
.text C:\WINDOWS\system32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CD0FA1
.text C:\WINDOWS\system32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CD0000
.text C:\WINDOWS\system32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00CD0FBC
.text C:\WINDOWS\system32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [ED, 88]
.text C:\WINDOWS\system32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CD0FCD
.text C:\WINDOWS\system32\svchost.exe[1148] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CC0049
.text C:\WINDOWS\system32\svchost.exe[1148] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CC0FBE
.text C:\WINDOWS\system32\svchost.exe[1148] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CC001D
.text C:\WINDOWS\system32\svchost.exe[1148] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CC0000
.text C:\WINDOWS\system32\svchost.exe[1148] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CC0038
.text C:\WINDOWS\system32\svchost.exe[1148] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CC0FEF
.text C:\WINDOWS\system32\svchost.exe[1148] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CB0000
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02AF0000
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02AF009A
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02AF0089
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02AF0FA5
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02AF0FC0
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02AF0047
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02AF0F52
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02AF0F6D
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02AF00C9
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02AF0F30
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02AF00E4
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02AF0062
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02AF0011
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02AF0F8A
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02AF002C
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02AF0FDB
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02AF0F41
.text C:\WINDOWS\System32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 026C0FE5
.text C:\WINDOWS\System32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 026C0087
.text C:\WINDOWS\System32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 026C0036
.text C:\WINDOWS\System32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 026C0011
.text C:\WINDOWS\System32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 026C0FCA
.text C:\WINDOWS\System32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 026C0000
.text C:\WINDOWS\System32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 026C006C
.text C:\WINDOWS\System32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 026C0051
.text C:\WINDOWS\System32\svchost.exe[1212] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 026B0025
.text C:\WINDOWS\System32\svchost.exe[1212] msvcrt.dll!system 77C293C7 5 Bytes JMP 026B0F9A
.text C:\WINDOWS\System32\svchost.exe[1212] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 026B0FBC
.text C:\WINDOWS\System32\svchost.exe[1212] msvcrt.dll!_open 77C2F566 5 Bytes JMP 026B0000
.text C:\WINDOWS\System32\svchost.exe[1212] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 026B0FAB
.text C:\WINDOWS\System32\svchost.exe[1212] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 026B0FD7
.text C:\WINDOWS\System32\svchost.exe[1212] WS2_32.dll!socket 71AB4211 5 Bytes JMP 026A0FEF
.text C:\WINDOWS\System32\svchost.exe[1212] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02690000
.text C:\WINDOWS\System32\svchost.exe[1212] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 02690011
.text C:\WINDOWS\System32\svchost.exe[1212] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 0269002C
.text C:\WINDOWS\System32\svchost.exe[1212] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 02690047
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007B0FEF
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007B004C
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007B0F61
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007B0F72
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007B0F83
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007B001B
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007B007F
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007B006E
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007B0F0B
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007B0F26
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007B00B5
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 007B0F94
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 007B0FD4
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 007B005D
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 007B0FAF
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 007B0000
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007B009A
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007A0FC3
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007A0F97
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007A0014
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007A0FD4
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 007A0FA8
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 007A0FEF
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 007A004A
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 007A0039
.text C:\WINDOWS\system32\svchost.exe[1288] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00790FBC
.text C:\WINDOWS\system32\svchost.exe[1288] msvcrt.dll!system 77C293C7 5 Bytes JMP 00790047
.text C:\WINDOWS\system32\svchost.exe[1288] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00790011
.text C:\WINDOWS\system32\svchost.exe[1288] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00790000
.text C:\WINDOWS\system32\svchost.exe[1288] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0079002C
.text C:\WINDOWS\system32\svchost.exe[1288] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00790FD7
.text C:\WINDOWS\system32\svchost.exe[1288] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00780000
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C10FE5
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C10076
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C10065
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C10F81
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C10F9E
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C10FAF
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C100A4
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C10087
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C10F37
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C100D0
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C10F26
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C10040
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C10000
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C10F66
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C10FC0
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C10011
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C100BF
.text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C00040
.text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C00FAF
.text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C0002F
.text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C00FEF
.text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C0006C
.text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C0000A
.text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C00FC0
.text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E0, 88] {LOOPNZ 0xffffffffffffff8a}
.text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C00051
.text C:\WINDOWS\system32\svchost.exe[1368] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BF005D
.text C:\WINDOWS\system32\svchost.exe[1368] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BF0FC8
.text C:\WINDOWS\system32\svchost.exe[1368] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BF001D
.text C:\WINDOWS\system32\svchost.exe[1368] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\svchost.exe[1368] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BF002E
.text C:\WINDOWS\system32\svchost.exe[1368] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\system32\svchost.exe[1368] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BE000A
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BE0F86
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BE0FA1
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BE007B
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BE0FB2
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BE0039
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BE00BD
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BE0F75
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BE0F53
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BE00EC
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BE0107
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BE004A
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BE0FDE
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BE0096
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BE001E
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BE0FC3
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BE0F64
.text C:\WINDOWS\system32\svchost.exe[1528] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00930014
.text C:\WINDOWS\system32\svchost.exe[1528] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0093006C
.text C:\WINDOWS\system32\svchost.exe[1528] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00930FC3
.text C:\WINDOWS\system32\svchost.exe[1528] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00930FD4
.text C:\WINDOWS\system32\svchost.exe[1528] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0093005B
.text C:\WINDOWS\system32\svchost.exe[1528] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930FEF
.text C:\WINDOWS\system32\svchost.exe[1528] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00930040
.text C:\WINDOWS\system32\svchost.exe[1528] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0093002F
.text C:\WINDOWS\system32\svchost.exe[1528] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920070
.text C:\WINDOWS\system32\svchost.exe[1528] msvcrt.dll!system 77C293C7 5 Bytes JMP 00920055
.text C:\WINDOWS\system32\svchost.exe[1528] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00920029
.text C:\WINDOWS\system32\svchost.exe[1528] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920000
.text C:\WINDOWS\system32\svchost.exe[1528] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0092003A
.text C:\WINDOWS\system32\svchost.exe[1528] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00920FEF
.text C:\WINDOWS\system32\svchost.exe[1528] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00900000
.text C:\WINDOWS\system32\svchost.exe[1528] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00900011
.text C:\WINDOWS\system32\svchost.exe[1528] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 0090002C
.text C:\WINDOWS\system32\svchost.exe[1528] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00900047
.text C:\WINDOWS\system32\svchost.exe[1528] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00910000
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1844] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1844] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\Explorer.EXE[3188] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0000
.text C:\WINDOWS\Explorer.EXE[3188] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0082
.text C:\WINDOWS\Explorer.EXE[3188] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0F8D
.text C:\WINDOWS\Explorer.EXE[3188] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0067
.text C:\WINDOWS\Explorer.EXE[3188] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A004A
.text C:\WINDOWS\Explorer.EXE[3188] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FAF
.text C:\WINDOWS\Explorer.EXE[3188] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A00CB
.text C:\WINDOWS\Explorer.EXE[3188] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A00BA
.text C:\WINDOWS\Explorer.EXE[3188] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0101
.text C:\WINDOWS\Explorer.EXE[3188] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F68
.text C:\WINDOWS\Explorer.EXE[3188] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A011C
.text C:\WINDOWS\Explorer.EXE[3188] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0F9E
.text C:\WINDOWS\Explorer.EXE[3188] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0011
.text C:\WINDOWS\Explorer.EXE[3188] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A009D
.text C:\WINDOWS\Explorer.EXE[3188] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0FCA
.text C:\WINDOWS\Explorer.EXE[3188] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\Explorer.EXE[3188] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A00DC
.text C:\WINDOWS\Explorer.EXE[3188] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290FEF
.text C:\WINDOWS\Explorer.EXE[3188] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00290F9E
.text C:\WINDOWS\Explorer.EXE[3188] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00290036
.text C:\WINDOWS\Explorer.EXE[3188] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0029001B
.text C:\WINDOWS\Explorer.EXE[3188] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00290FB9
.text C:\WINDOWS\Explorer.EXE[3188] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0029000A
.text C:\WINDOWS\Explorer.EXE[3188] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0029005B
.text C:\WINDOWS\Explorer.EXE[3188] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00290FD4
.text C:\WINDOWS\Explorer.EXE[3188] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0FB2
.text C:\WINDOWS\Explorer.EXE[3188] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A0033
.text C:\WINDOWS\Explorer.EXE[3188] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A0FCD
.text C:\WINDOWS\Explorer.EXE[3188] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\Explorer.EXE[3188] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A0022
.text C:\WINDOWS\Explorer.EXE[3188] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A0FDE
.text C:\WINDOWS\Explorer.EXE[3188] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 002C0000
.text C:\WINDOWS\Explorer.EXE[3188] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 002C0FE5
.text C:\WINDOWS\Explorer.EXE[3188] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 002C001B
.text C:\WINDOWS\Explorer.EXE[3188] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 002C0FD4
.text C:\WINDOWS\Explorer.EXE[3188] WS2_32.dll!socket 71AB4211 5 Bytes JMP 023E0000
.text C:\WINDOWS\explorer.exe[3540] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0000
.text C:\WINDOWS\explorer.exe[3540] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F85
.text C:\WINDOWS\explorer.exe[3540] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A007A
.text C:\WINDOWS\explorer.exe[3540] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F96
.text C:\WINDOWS\explorer.exe[3540] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A005F
.text C:\WINDOWS\explorer.exe[3540] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0033
.text C:\WINDOWS\explorer.exe[3540] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A00B0
.text C:\WINDOWS\explorer.exe[3540] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0095
.text C:\WINDOWS\explorer.exe[3540] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0F2B
.text C:\WINDOWS\explorer.exe[3540] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F3C
.text C:\WINDOWS\explorer.exe[3540] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A0F1A
.text C:\WINDOWS\explorer.exe[3540] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A004E
.text C:\WINDOWS\explorer.exe[3540] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\explorer.exe[3540] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0F6A
.text C:\WINDOWS\explorer.exe[3540] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0022
.text C:\WINDOWS\explorer.exe[3540] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0011
.text C:\WINDOWS\explorer.exe[3540] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A0F4D
.text C:\WINDOWS\explorer.exe[3540] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0029000A
.text C:\WINDOWS\explorer.exe[3540] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00290F79
.text C:\WINDOWS\explorer.exe[3540] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00290FB9
.text C:\WINDOWS\explorer.exe[3540] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00290FD4
.text C:\WINDOWS\explorer.exe[3540] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00290036
.text C:\WINDOWS\explorer.exe[3540] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290FEF
.text C:\WINDOWS\explorer.exe[3540] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00290F9E
.text C:\WINDOWS\explorer.exe[3540] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [49, 88]
.text C:\WINDOWS\explorer.exe[3540] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0029001B
.text C:\WINDOWS\explorer.exe[3540] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0FAF
.text C:\WINDOWS\explorer.exe[3540] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A003A
.text C:\WINDOWS\explorer.exe[3540] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A0FD4
.text C:\WINDOWS\explorer.exe[3540] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A000C
.text C:\WINDOWS\explorer.exe[3540] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A0029
.text C:\WINDOWS\explorer.exe[3540] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\explorer.exe[3540] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 002C000A
.text C:\WINDOWS\explorer.exe[3540] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 002C001B
.text C:\WINDOWS\explorer.exe[3540] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 002C002C
.text C:\WINDOWS\explorer.exe[3540] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 002C0FD1
.text C:\WINDOWS\explorer.exe[3540] ws2_32.dll!socket 71AB4211 5 Bytes JMP 00FD0000
.text C:\WINDOWS\explorer.exe[4016] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\explorer.exe[4016] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F68
.text C:\WINDOWS\explorer.exe[4016] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0F83
.text C:\WINDOWS\explorer.exe[4016] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F94
.text C:\WINDOWS\explorer.exe[4016] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0051
.text C:\WINDOWS\explorer.exe[4016] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FAF
.text C:\WINDOWS\explorer.exe[4016] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0F3C
.text C:\WINDOWS\explorer.exe[4016] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0078
.text C:\WINDOWS\explorer.exe[4016] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0F06
.text C:\WINDOWS\explorer.exe[4016] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F2B
.text C:\WINDOWS\explorer.exe[4016] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A00BA
.text C:\WINDOWS\explorer.exe[4016] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0036
.text C:\WINDOWS\explorer.exe[4016] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A000A
.text C:\WINDOWS\explorer.exe[4016] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0F57
.text C:\WINDOWS\explorer.exe[4016] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0FCA
.text C:\WINDOWS\explorer.exe[4016] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A001B
.text C:\WINDOWS\explorer.exe[4016] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A00A9
.text C:\WINDOWS\explorer.exe[4016] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290FAF
.text C:\WINDOWS\explorer.exe[4016] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00290040
.text C:\WINDOWS\explorer.exe[4016] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00290FCA
.text C:\WINDOWS\explorer.exe[4016] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00290000
.text C:\WINDOWS\explorer.exe[4016] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00290F83
.text C:\WINDOWS\explorer.exe[4016] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290FEF
.text C:\WINDOWS\explorer.exe[4016] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00290025
.text C:\WINDOWS\explorer.exe[4016] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00290F94
.text C:\WINDOWS\explorer.exe[4016] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0F97
.text C:\WINDOWS\explorer.exe[4016] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A0FB2
.text C:\WINDOWS\explorer.exe[4016] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A0FD7
.text C:\WINDOWS\explorer.exe[4016] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0000
.text C:\WINDOWS\explorer.exe[4016] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A0022
.text C:\WINDOWS\explorer.exe[4016] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A0011
.text C:\WINDOWS\explorer.exe[4016] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 002C0000
.text C:\WINDOWS\explorer.exe[4016] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 002C0011
.text C:\WINDOWS\explorer.exe[4016] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 002C002C
.text C:\WINDOWS\explorer.exe[4016] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 002C0047
.text C:\WINDOWS\explorer.exe[4016] ws2_32.dll!socket 71AB4211 5 Bytes JMP 00FD0FEF

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Attached Files



BC AdBot (Login to Remove)

 


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:15 PM

Posted 04 February 2010 - 04:42 PM

Hi jeswald,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.


Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#3 jeswald

jeswald
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:15 PM

Posted 04 February 2010 - 07:56 PM

Thanks for your help. The combofix log is enclosed below.

One thing you'll notice in the "Files Created" section of the log is that the iaStor.sys file was replaced. Before I contacted BleepingComputer I tried something else - I overwrote the existing (corrupted) iaStor.sys with a copy from another machine, making it read-only. That did seem to help my symptoms. I'm not making any changes now other than what you direct.

J

=========================

ComboFix 10-02-04.03 - Jesse 02/04/2010 19:22:06.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2308 [GMT -5:00]
Running from: c:\documents and settings\Jesse\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\LOG.TXT
C:\s
c:\windows\system32\_000233_.tmp.dll
c:\windows\system32\_003312_.tmp.dll
c:\windows\system32\_003313_.tmp.dll
c:\windows\system32\_003314_.tmp.dll
c:\windows\system32\_003315_.tmp.dll
c:\windows\system32\_003322_.tmp.dll
c:\windows\system32\_003323_.tmp.dll
c:\windows\system32\_003324_.tmp.dll
c:\windows\system32\_003325_.tmp.dll
c:\windows\system32\_003326_.tmp.dll
c:\windows\system32\_003327_.tmp.dll
c:\windows\system32\_003328_.tmp.dll
c:\windows\system32\_003329_.tmp.dll
c:\windows\system32\_003330_.tmp.dll
c:\windows\system32\_003331_.tmp.dll
c:\windows\system32\_003332_.tmp.dll
c:\windows\system32\_003333_.tmp.dll
c:\windows\system32\_003334_.tmp.dll
c:\windows\system32\_003335_.tmp.dll
c:\windows\system32\_003337_.tmp.dll
c:\windows\system32\_003340_.tmp.dll
c:\windows\system32\_003341_.tmp.dll
c:\windows\system32\_003345_.tmp.dll
c:\windows\system32\_003346_.tmp.dll
c:\windows\system32\_003347_.tmp.dll
c:\windows\system32\_003348_.tmp.dll
c:\windows\system32\_003349_.tmp.dll
c:\windows\system32\_003350_.tmp.dll
c:\windows\system32\_003351_.tmp.dll
c:\windows\system32\_003352_.tmp.dll
c:\windows\system32\_003353_.tmp.dll
c:\windows\system32\_003354_.tmp.dll
c:\windows\system32\_003355_.tmp.dll
c:\windows\system32\_003356_.tmp.dll
c:\windows\system32\_003358_.tmp.dll
c:\windows\system32\_003359_.tmp.dll
c:\windows\system32\_003360_.tmp.dll
c:\windows\system32\_003361_.tmp.dll
c:\windows\system32\_003362_.tmp.dll
c:\windows\system32\_003363_.tmp.dll
c:\windows\system32\_003364_.tmp.dll
c:\windows\system32\_003367_.tmp.dll
c:\windows\system32\_003368_.tmp.dll
c:\windows\system32\_003369_.tmp.dll
c:\windows\system32\_003370_.tmp.dll
c:\windows\system32\_003371_.tmp.dll
c:\windows\system32\_003373_.tmp.dll
c:\windows\system32\_003374_.tmp.dll
c:\windows\system32\_003375_.tmp.dll
c:\windows\system32\_003377_.tmp.dll
c:\windows\system32\_003380_.tmp.dll
c:\windows\system32\_003381_.tmp.dll
c:\windows\system32\_003385_.tmp.dll
c:\windows\system32\_003386_.tmp.dll
c:\windows\system32\_003388_.tmp.dll
c:\windows\system32\_003390_.tmp.dll
c:\windows\system32\_003391_.tmp.dll
c:\windows\system32\_003393_.tmp.dll
c:\windows\system32\_003394_.tmp.dll
c:\windows\system32\_003395_.tmp.dll
c:\windows\system32\_003396_.tmp.dll
c:\windows\system32\_003399_.tmp.dll
c:\windows\system32\_003400_.tmp.dll
c:\windows\system32\_003401_.tmp.dll
c:\windows\system32\_003402_.tmp.dll
c:\windows\system32\_003403_.tmp.dll
c:\windows\system32\_003408_.tmp.dll
c:\windows\system32\_003410_.tmp.dll
c:\windows\system32\_003411_.tmp.dll
c:\windows\system32\_004896_.tmp.dll
c:\windows\system32\_004897_.tmp.dll
c:\windows\system32\_004898_.tmp.dll
c:\windows\system32\_004899_.tmp.dll
c:\windows\system32\_004906_.tmp.dll
c:\windows\system32\_004907_.tmp.dll
c:\windows\system32\_004908_.tmp.dll
c:\windows\system32\_004910_.tmp.dll
c:\windows\system32\_004911_.tmp.dll
c:\windows\system32\_004914_.tmp.dll
c:\windows\system32\_004915_.tmp.dll
c:\windows\system32\_004916_.tmp.dll
c:\windows\system32\_004917_.tmp.dll
c:\windows\system32\_004918_.tmp.dll
c:\windows\system32\_004919_.tmp.dll
c:\windows\system32\_004921_.tmp.dll
c:\windows\system32\_004922_.tmp.dll
c:\windows\system32\_004923_.tmp.dll
c:\windows\system32\_004924_.tmp.dll
c:\windows\system32\_004925_.tmp.dll
c:\windows\system32\_004926_.tmp.dll
c:\windows\system32\_004927_.tmp.dll
c:\windows\system32\_004929_.tmp.dll
c:\windows\system32\_004930_.tmp.dll
c:\windows\system32\_004931_.tmp.dll
c:\windows\system32\_004933_.tmp.dll
c:\windows\system32\_004934_.tmp.dll
c:\windows\system32\_004935_.tmp.dll
c:\windows\system32\_004936_.tmp.dll
c:\windows\system32\_004937_.tmp.dll
c:\windows\system32\_004938_.tmp.dll
c:\windows\system32\_004939_.tmp.dll
c:\windows\system32\_004940_.tmp.dll
c:\windows\system32\_004941_.tmp.dll
c:\windows\system32\_004942_.tmp.dll
c:\windows\system32\_004943_.tmp.dll
c:\windows\system32\_004944_.tmp.dll
c:\windows\system32\_004946_.tmp.dll
c:\windows\system32\_004947_.tmp.dll
c:\windows\system32\_004948_.tmp.dll
c:\windows\system32\_004949_.tmp.dll
c:\windows\system32\_004950_.tmp.dll
c:\windows\system32\_004951_.tmp.dll
c:\windows\system32\_004952_.tmp.dll
c:\windows\system32\_004953_.tmp.dll
c:\windows\system32\_004954_.tmp.dll
c:\windows\system32\_004955_.tmp.dll
c:\windows\system32\_004956_.tmp.dll
c:\windows\system32\_004957_.tmp.dll
c:\windows\system32\_004958_.tmp.dll
c:\windows\system32\_004959_.tmp.dll
c:\windows\system32\_004960_.tmp.dll
c:\windows\system32\_004961_.tmp.dll
c:\windows\system32\_004962_.tmp.dll
c:\windows\system32\_004963_.tmp.dll
c:\windows\system32\_004964_.tmp.dll
c:\windows\system32\_004965_.tmp.dll
c:\windows\system32\_004966_.tmp.dll
c:\windows\system32\_004967_.tmp.dll
c:\windows\system32\_004968_.tmp.dll
c:\windows\system32\_004969_.tmp.dll
c:\windows\system32\_004970_.tmp.dll
c:\windows\system32\_004971_.tmp.dll
c:\windows\system32\_004972_.tmp.dll
c:\windows\system32\_004973_.tmp.dll
c:\windows\system32\_004974_.tmp.dll
c:\windows\system32\_004975_.tmp.dll
c:\windows\system32\_004976_.tmp.dll
c:\windows\system32\_004977_.tmp.dll
c:\windows\system32\_004978_.tmp.dll
c:\windows\system32\_004979_.tmp.dll
c:\windows\system32\_004980_.tmp.dll
c:\windows\system32\_004981_.tmp.dll
c:\windows\system32\_004982_.tmp.dll
c:\windows\system32\_004983_.tmp.dll
c:\windows\system32\_004984_.tmp.dll
c:\windows\system32\_004985_.tmp.dll
c:\windows\system32\_004987_.tmp.dll
c:\windows\system32\_004988_.tmp.dll
c:\windows\system32\_004989_.tmp.dll
c:\windows\system32\_004990_.tmp.dll
c:\windows\system32\_004991_.tmp.dll
c:\windows\system32\_004992_.tmp.dll
c:\windows\system32\_004993_.tmp.dll
c:\windows\system32\_004995_.tmp.dll
c:\windows\system32\_004996_.tmp.dll
c:\windows\system32\_004997_.tmp.dll
c:\windows\system32\_004998_.tmp.dll
c:\windows\system32\_004999_.tmp.dll
c:\windows\system32\_005000_.tmp.dll
c:\windows\system32\_005001_.tmp.dll
c:\windows\system32\_005002_.tmp.dll
c:\windows\system32\_005003_.tmp.dll
c:\windows\system32\_005005_.tmp.dll
c:\windows\system32\_005006_.tmp.dll
c:\windows\system32\_005007_.tmp.dll
c:\windows\system32\_005008_.tmp.dll
c:\windows\system32\_005009_.tmp.dll
c:\windows\system32\_005010_.tmp.dll
c:\windows\system32\_005011_.tmp.dll
c:\windows\system32\_005012_.tmp.dll
c:\windows\system32\_005013_.tmp.dll
c:\windows\system32\_005014_.tmp.dll
c:\windows\system32\_005015_.tmp.dll
c:\windows\system32\_005016_.tmp.dll
c:\windows\system32\_005017_.tmp.dll
c:\windows\system32\_005018_.tmp.dll
c:\windows\system32\_005019_.tmp.dll
c:\windows\system32\_005020_.tmp.dll
c:\windows\system32\_005021_.tmp.dll
c:\windows\system32\_005022_.tmp.dll
c:\windows\system32\_005023_.tmp.dll
c:\windows\system32\_005024_.tmp.dll
c:\windows\system32\_005025_.tmp.dll
c:\windows\system32\_005027_.tmp.dll
c:\windows\system32\_005028_.tmp.dll
c:\windows\system32\_005029_.tmp.dll
c:\windows\system32\_005030_.tmp.dll
c:\windows\system32\_005031_.tmp.dll
c:\windows\system32\_005032_.tmp.dll
c:\windows\system32\_005034_.tmp.dll
c:\windows\system32\_005035_.tmp.dll
c:\windows\system32\_005036_.tmp.dll
c:\windows\system32\_005037_.tmp.dll
c:\windows\system32\_005038_.tmp.dll
c:\windows\system32\_005039_.tmp.dll
c:\windows\system32\_005040_.tmp.dll
c:\windows\system32\_005041_.tmp.dll
c:\windows\system32\_005042_.tmp.dll
c:\windows\system32\_005043_.tmp.dll
c:\windows\system32\_005044_.tmp.dll
c:\windows\system32\_005045_.tmp.dll
c:\windows\system32\_005046_.tmp.dll
c:\windows\system32\_005047_.tmp.dll
c:\windows\system32\_005048_.tmp.dll
c:\windows\system32\_005049_.tmp.dll
c:\windows\system32\_005050_.tmp.dll
c:\windows\system32\_005051_.tmp.dll
c:\windows\system32\_005052_.tmp.dll
c:\windows\system32\_005053_.tmp.dll
c:\windows\system32\_005054_.tmp.dll
c:\windows\system32\_005055_.tmp.dll
c:\windows\system32\_005057_.tmp.dll
c:\windows\system32\_005058_.tmp.dll
c:\windows\system32\_005059_.tmp.dll
c:\windows\system32\_005060_.tmp.dll
c:\windows\system32\_005061_.tmp.dll
c:\windows\system32\_005062_.tmp.dll
c:\windows\system32\_005063_.tmp.dll
c:\windows\system32\_005064_.tmp.dll
c:\windows\system32\_005066_.tmp.dll
c:\windows\system32\_005068_.tmp.dll
c:\windows\system32\_005069_.tmp.dll
c:\windows\system32\_005070_.tmp.dll
c:\windows\system32\_005071_.tmp.dll
c:\windows\system32\_005072_.tmp.dll
c:\windows\system32\_005073_.tmp.dll
c:\windows\system32\_005074_.tmp.dll
c:\windows\system32\_005075_.tmp.dll
c:\windows\system32\_005076_.tmp.dll
c:\windows\system32\_005077_.tmp.dll
c:\windows\system32\_005078_.tmp.dll
c:\windows\system32\_005079_.tmp.dll
c:\windows\system32\_005080_.tmp.dll
c:\windows\system32\_005081_.tmp.dll
c:\windows\system32\_005082_.tmp.dll
c:\windows\system32\_005083_.tmp.dll
c:\windows\system32\_005086_.tmp.dll
c:\windows\system32\_005088_.tmp.dll
c:\windows\system32\_005089_.tmp.dll
c:\windows\system32\_005091_.tmp.dll
c:\windows\system32\_005093_.tmp.dll
c:\windows\system32\_005094_.tmp.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Legacy_OREANS32
-------\Service_oreans32


((((((((((((((((((((((((( Files Created from 2010-01-05 to 2010-02-05 )))))))))))))))))))))))))))))))
.

2010-02-04 02:54 . 2008-12-11 23:27 328728 ----a-r- c:\windows\system32\drivers\iaStor.sys
2010-02-04 02:20 . 2010-02-04 02:21 -------- d-----w- c:\temp\possiblyCorrupted
2010-02-04 02:19 . 2008-04-14 04:10 96512 ----a-r- c:\temp\atapi.sys
2010-02-04 02:19 . 2008-12-11 23:27 328728 ----a-r- c:\temp\iaStor.sys
2010-02-04 00:06 . 2010-02-04 00:06 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-02-02 00:37 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-27 16:11 . 2008-04-14 09:42 135680 ----a-w- c:\temp\taskmgr_ja.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-03 23:34 . 2007-05-19 20:34 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-02 00:37 . 2010-01-27 17:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-02 00:00 . 2004-11-29 12:14 -------- d-----w- c:\program files\Common Files\Java
2010-02-01 23:58 . 2010-02-01 23:58 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-01 23:58 . 2004-11-29 12:14 -------- d-----w- c:\program files\Java
2010-01-27 18:43 . 2010-01-27 18:43 130 ----a-w- c:\windows\system32\tablet.dat
2010-01-27 17:08 . 2010-01-27 17:08 -------- d-----w- c:\documents and settings\Jesse\Application Data\Malwarebytes
2010-01-27 17:08 . 2010-01-27 17:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-08 20:44 . 2007-04-04 02:10 -------- d-----w- c:\documents and settings\Jesse\Application Data\Skype
2010-01-07 23:12 . 2009-03-22 15:29 -------- d-----w- c:\program files\McAfee
2010-01-07 21:07 . 2010-02-02 00:37 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-02 12:20 . 2010-01-02 12:20 353 ----a-w- C:\ntbackup.cmd
2010-01-02 03:22 . 2010-01-02 03:22 -------- d-----w- c:\program files\Evernote
2010-01-02 03:22 . 2004-11-29 12:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-21 19:14 . 2004-08-12 13:33 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-19 16:59 . 2009-12-19 16:59 -------- d-----w- c:\program files\Citrix
2009-12-19 16:58 . 2009-12-19 16:58 70984 ----a-w- c:\documents and settings\Jesse\g2mdlhlpx.exe
2008-06-18 01:54 . 2008-06-17 00:38 24 -csha-w- c:\windows\SD2C5A3FC.tmp
2007-03-09 07:12 . 2007-03-09 07:12 27648 --sha-w- c:\windows\SYSTEM32\AVSredirect.dll
2008-11-26 23:01 . 2007-12-27 11:43 88 --sh--r- c:\windows\SYSTEM32\EA2D0A5A27.sys
2009-02-14 22:15 . 2007-12-27 11:43 2254 --sha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ATI Launchpad"="c:\program files\ATI Multimedia\main\LaunchPd.exe" [2005-06-15 102400]
"ATI DeviceDetect"="c:\program files\ATI Multimedia\main\ATIDtct.EXE" [2005-06-15 53248]
"ATI Remote Control"="c:\program files\ATI Multimedia\RemCtrl\ATIRW.exe" [2005-05-10 1482752]
"OfotoNow USB Detection"="c:\progra~1\Ofoto\OfotoNow\OFUSBS.DLL" [2002-11-05 77824]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2008-10-31 2259904]
"ATI Scheduler"="c:\program files\ATI Multimedia\main\ATISched.EXE" [2005-06-15 36864]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2005-08-18 307200]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FFTI"="c:\documents and settings\Jesse\Application Data\Mozilla\Firefox\Profiles\fcrybis1.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe" [2007-03-23 2526776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 135168]
"ATIPTA"="c:\program files\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE" [2004-08-25 339968]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-24 57344]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2005-09-24 483328]
"ezShieldProtector for Px"="c:\windows\system32\ezSP_Px.exe" [2002-08-20 40960]
"Corel Painter Essentials 21a"="c:\program files\Corel\Corel Painter Essentials 2\registration.exe" [2004-03-18 733184]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"EPSON Stylus CX7800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE" [2005-04-07 98304]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"M-Audio Taskbar Icon"="c:\windows\System32\MAFWTray.exe" [2008-03-03 252424]
"MAFWTaskbarApp"="c:\windows\system32\MAFWTray.exe" [2008-03-03 252424]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-12-06 198160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-27 434528]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2005-1-25 25214]
EZbus Tray Menu.lnk - c:\program files\Event\Ezbus\EZbus Tray Menu.exe [2004-12-8 131072]
Picture Package Menu.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2005-7-1 151552]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Symantec\\Ghost\\GhostSrv.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Bonjour

R0 sonypvl3;sonypvl3;c:\windows\SYSTEM32\DRIVERS\sonypvl3.sys [7/1/2005 9:41 PM 18110]
R1 sonypvf3;sonypvf3;c:\windows\SYSTEM32\DRIVERS\sonypvf3.sys [7/1/2005 9:41 PM 619390]
R1 sonypvt3;sonypvt3;c:\windows\SYSTEM32\DRIVERS\sonypvt3.sys [7/1/2005 9:41 PM 423454]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 4:47 AM 98304]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [3/22/2009 10:31 AM 93320]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [10/4/2004 3:40 AM 118784]
R3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\SYSTEM32\DRIVERS\aticxcap.sys [3/30/2005 10:22 AM 173824]
R3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);c:\windows\SYSTEM32\DRIVERS\aticxtun.sys [3/30/2005 10:22 AM 29184]
R3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;c:\windows\SYSTEM32\DRIVERS\aticxxbr.sys [3/30/2005 10:22 AM 9088]
S1 sonypvd3;Sony DVD Handycam;c:\windows\SYSTEM32\DRIVERS\sonypvd3.sys [7/1/2005 9:41 PM 64964]
S1 xpnrhjgk;xpnrhjgk;\??\c:\windows\system32\drivers\xpnrhjgk.sys --> c:\windows\system32\drivers\xpnrhjgk.sys [?]
S3 ezbus;ezbus;c:\windows\SYSTEM32\DRIVERS\ezbus.sys [12/8/2004 3:38 PM 20228]
S3 MAFW;MAFW;c:\windows\SYSTEM32\DRIVERS\mafw.sys [2/14/2009 8:27 PM 193032]
S3 YMIDUSBW;Yamaha USB-MIDI Driver (WDM);c:\windows\SYSTEM32\DRIVERS\ymidusbw.sys [11/25/2007 9:34 AM 32720]
.
Contents of the 'Scheduled Tasks' folder

2010-02-02 c:\windows\Tasks\backuptof.job
- C:\backuptof.cmd [2006-03-21 02:22]

2010-02-01 c:\windows\Tasks\DadsOfficeBackupJob.job
- c:\windows\system32\NTBACKUP.EXE [2004-08-12 09:42]

2009-09-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-22 16:22]

2010-02-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-22 16:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=7.0unattached&bm=ho_central
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\Jesse\Application Data\Mozilla\Firefox\Profiles\fcrybis1.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com
FF - component: c:\documents and settings\Jesse\Application Data\Mozilla\Firefox\Profiles\fcrybis1.default\extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800}\platform\WINNT_x86-msvc\components\enbar3.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\Jesse\Application Data\Mozilla\Firefox\Profiles\fcrybis1.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\Jesse\Application Data\Mozilla\Firefox\Profiles\fcrybis1.default\extensions\support@ancestry.com\plugins\npImgCtl.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwinamp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-CloneDVD2 - c:\program files\Elaborate Bytes\CloneDVD2\CloneDVD2-uninst.exe
AddRemove-Dell Photo Printer 720 - c:\windows\system32\spool\drivers\w32x86\3\DLBCUN5C.EXE
AddRemove-Groove Mechanic - c:\program files\Coyote\GrooveMechanic25c\Uninstal.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-04 19:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3795351105-4198729972-3513046176-1007\Software\Zepter Software\RegLib*7023fba2\AnyDVD/1]
"1"=dword:445d492c
"2"=dword:448c0e1c

[HKEY_USERS\S-1-5-21-3795351105-4198729972-3513046176-1007\Software\Zepter Software\RegLib*7023fba2\CloneDVD/2]
"1"=dword:445ddc0d
"2"=dword:44705ecf

[HKEY_USERS\S-1-5-21-3795351105-4198729972-3513046176-1007\Software\Zepter Software\RegLib*7023fba2\CloneDVD2/2]
"1"=dword:445ddc0d
"2"=dword:450b551a
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2636)
c:\windows\system32\WININET.dll
c:\program files\SlySoft\AnyDVD\ADvdDiscHlp.dll
c:\program files\Google\deskbar-0.5.95.0\ggtaskbar.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
c:\program files\Intel\Intel Application Accelerator\iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\Tablet.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RunDLL32.exe
c:\program files\Google\deskbar-0.5.95.0\ggviewer.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-02-04 19:46:30 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-05 00:46

Pre-Run: 11,924,090,880 bytes free
Post-Run: 12,029,661,184 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 4FBD8DCCF7078C3D6E2C356AE0E4C36E


#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:15 PM

Posted 05 February 2010 - 04:07 AM

Thanks for the feedback.
  1. Please tell me if you yourself or any software you know has created a scheduled back up (named backuptof) in the Scheduled folder which runs the following file?

    C:\backuptof.cmd

  2. Go to start > Run copy and paste the following line in the run box and click OK:

    sc delete xpnrhjgk

    A window flashes it is normal.

  3. You Adobe Acrobat is outdated. I strongly recommend you to update your Adobe Acrobat to the latest version to avoid being infected through its security holes.

  4. You have the latest version of Java (Java 6 Update 18) and it is good. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components:
    Click "start" and then "Control Panel" icon.
    Doubleclick the "Add or Remove Programs" icon
    A list of programs installed will be "populated" this may take a bit of time.
    Uninstall the following by clicking on the following entries and selecting "remove":

    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment, SE v1.4.2_06


  5. Please run DDS and post a fresh DDS.txt to your reply. No need for the Attach.txt. Also tell me how is your computer running.

Edited by farbar, 05 February 2010 - 04:14 AM.


#5 jeswald

jeswald
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:15 PM

Posted 05 February 2010 - 11:59 AM

Hello F1rbar,

1. Backuptof is legitimate. It is one of my backup scripts.

2. Done

3. I will look into upgrading Acrobat.

4. Done

5. Done. See DDS log below. The machine seems OK - not redirecting anymore since I replaced the iaStor.sys file (see my earlier post).

Jesse

=======================

DDS (Ver_09-12-01.01) - NTFSx86
Run by Jesse at 11:47:55.20 on Fri 02/05/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2319 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Tablet.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\System32\MAFWTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\ATI Multimedia\main\LaunchPd.exe
C:\Program Files\Google\deskbar-0.5.95.0\ggviewer.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Event\Ezbus\EZbus Tray Menu.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=7.0unattached&bm=ho_central
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ATI Launchpad] "c:\program files\ati multimedia\main\LaunchPd.exe"
uRun: [ATI DeviceDetect] c:\program files\ati multimedia\main\ATIDtct.EXE
uRun: [ATI Remote Control] c:\program files\ati multimedia\remctrl\ATIRW.exe
uRun: [OfotoNow USB Detection] c:\windows\system32\rundll32.exe c:\progra~1\ofoto\ofotonow\OFUSBS.DLL,WatchForConnection OfotoNow
uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVDtray.exe
uRun: [ATI Scheduler] c:\program files\ati multimedia\main\ATISched.EXE
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\acrobat\AdobeUpdateManager.exe AcPro7_0_5 -reboot 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [FFTI] c:\documents and settings\jesse\application data\mozilla\firefox\profiles\fcrybis1.default\extensions\{b13721c7-f507-4982-b2e5-502a71474fed}\ffti.exe /verysilent /suppressmsgboxes /norestart /destpath="c:\documents and settings\jesse\application data\mozilla\firefox\profiles/fcrybis1.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\ATIPTAXX.EXE
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [Corel Painter Essentials 21a] c:\program files\corel\corel painter essentials 2\registration.exe /title="Corel Painter Essentials 2" /date=020610 serial=PE02CBX-0000003-NMD lang=EN
mRun: [SSBkgdUpdate] c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe -Embedding -boot
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [EPSON Stylus CX7800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAFA.EXE /P26 "EPSON Stylus CX7800 Series" /O11 "IP_10.0.1.1" /M "Stylus CX7800"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [M-Audio Taskbar Icon] c:\windows\system32\MAFWTray.exe
mRun: [MAFWTaskbarApp] c:\windows\system32\MAFWTray.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ezbust~1.lnk - c:\program files\event\ezbus\EZbus Tray Menu.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony corporation\picture package\picture package menu\SonyTray.exe
IE: Add to Evernote - c:\program files\evernote\evernote3\enbar.dll/2000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_18.dll
IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\program files\ati multimedia\tv\EXPLBAR.DLL
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {E0B8C461-F8FB-49b4-8373-FE32E9252800} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEE1} - c:\program files\evernote\evernote3\enbar.dll
Trusted Zone: turbotax.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jesse\applic~1\mozilla\firefox\profiles\fcrybis1.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com
FF - component: c:\documents and settings\jesse\application data\mozilla\firefox\profiles\fcrybis1.default\extensions\{e0b8c461-f8fb-49b4-8373-fe32e9252800}\platform\winnt_x86-msvc\components\enbar3.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\jesse\application data\mozilla\firefox\profiles\fcrybis1.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\jesse\application data\mozilla\firefox\profiles\fcrybis1.default\extensions\support@ancestry.com\plugins\npImgCtl.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\NPUploader.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwinamp.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 sonypvl3;sonypvl3;c:\windows\system32\drivers\sonypvl3.sys [2005-7-1 18110]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-9 214664]
R1 sonypvf3;sonypvf3;c:\windows\system32\drivers\sonypvf3.sys [2005-7-1 619390]
R1 sonypvt3;sonypvt3;c:\windows\system32\drivers\sonypvt3.sys [2005-7-1 423454]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-3-22 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-3-22 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-3-22 144704]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-4 118784]
R3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\system32\drivers\aticxcap.sys [2005-3-30 173824]
R3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);c:\windows\system32\drivers\aticxtun.sys [2005-3-30 29184]
R3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;c:\windows\system32\drivers\aticxxbr.sys [2005-3-30 9088]
R3 MAFW;MAFW;c:\windows\system32\drivers\mafw.sys [2009-2-14 193032]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-3-22 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-3-22 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-3-22 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-3-22 40552]
S1 sonypvd3;Sony DVD Handycam;c:\windows\system32\drivers\sonypvd3.sys [2005-7-1 64964]
S3 ezbus;ezbus;c:\windows\system32\drivers\ezbus.sys [2004-12-8 20228]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-3-22 34248]
S3 YMIDUSBW;Yamaha USB-MIDI Driver (WDM);c:\windows\system32\drivers\ymidusbw.sys [2007-11-25 32720]

=============== Created Last 30 ================

2010-02-05 00:17:33 0 d-sha-r- C:\cmdcons
2010-02-05 00:16:48 98816 ----a-w- c:\windows\sed.exe
2010-02-05 00:16:48 77312 ----a-w- c:\windows\MBR.exe
2010-02-05 00:16:48 261632 ----a-w- c:\windows\PEV.exe
2010-02-05 00:16:48 161792 ----a-w- c:\windows\SWREG.exe
2010-02-04 02:54:42 328728 ----a-r- c:\windows\system32\drivers\iaStor.sys
2010-02-04 02:20:15 0 d-----w- c:\temp\possiblyCorrupted
2010-02-04 02:19:18 96512 ----a-r- c:\temp\atapi.sys
2010-02-04 02:19:16 328728 ----a-r- c:\temp\iaStor.sys
2010-02-04 00:06:24 0 d--h--w- c:\windows\system32\GroupPolicy
2010-02-02 00:37:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-02 00:37:16 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-01 23:58:45 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-02-01 23:58:45 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-01 05:24:46 0 d-----w- c:\windows\system32\MpEngineStore
2010-01-27 23:54:52 0 d-----w- c:\windows\system32\wbem\Repository
2010-01-27 18:58:57 0 d-----w- c:\temp\ProcessExplorer
2010-01-27 18:43:44 130 ----a-w- c:\windows\system32\tablet.dat
2010-01-27 18:41:46 14859 ----a-w- c:\windows\system32\Config.MPF
2010-01-27 17:44:45 2206 ----a-w- c:\windows\system32\wpa.dbl
2010-01-27 17:08:17 0 d-----w- c:\docume~1\jesse\applic~1\Malwarebytes
2010-01-27 17:08:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-27 17:08:10 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-27 16:11:43 135680 ----a-w- c:\temp\taskmgr_ja.exe

==================== Find3M ====================

2010-01-02 12:20:12 353 ----a-w- C:\ntbackup.cmd
2009-12-21 19:14:05 916480 ------w- c:\windows\system32\wininet.dll
2009-12-19 16:58:58 70984 ----a-w- c:\documents and settings\jesse\g2mdlhlpx.exe
2007-03-09 07:12:32 27648 --sha-w- c:\windows\system32\AVSredirect.dll
2008-11-26 23:01:08 88 --sh--r- c:\windows\system32\EA2D0A5A27.sys
2009-02-14 22:15:30 2254 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-03-22 14:49:40 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009032220090323\index.dat

============= FINISH: 11:49:05.71 ===============


#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:15 PM

Posted 05 February 2010 - 12:45 PM

It looks all good. thumbup2.gif

It is important to uninstall ComboFix.

Go to Start => Run => copy and paste next command in the field then hit enter:

ComboFix /Uninstall

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.


Happy Surfing Jesse. smile.gif

#7 jeswald

jeswald
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:15 PM

Posted 05 February 2010 - 03:34 PM

OK, here's the odd thing ...

When I went to run Combofix, it was gone. I figured out that my antivirus software had removed it with the following message:

Detection name: Artemis!96F4DB1AAEAF (Trojan), Artemis!96F4DB1AAEAF (Trojan)
File: C:\Documents and Settings\Jesse\Desktop\ComboFix.exe


Why would my anitvirus software have tagged Combofix as a trojan??? ohmy.gif

Jesse

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:15 PM

Posted 05 February 2010 - 05:36 PM

This is a question to be asked from your antivirus vendor. It is known to us that McAfee flags and removes ComboFix. Combofix is hosted by BC.
See the inconsistency: http://www.siteadvisor.com/sites/bleepingc...er.com/summary/

At the support forums of top antiviruses, like Kaspersky, they advise running ComboFix and refer people to BC.

Please download ComboFix, disable AV and run the command to uninstall ComboFix. Then enable your AV and let it do whatever it likes.

Also think twice when you wanted to extend McAfee and ask them why instead of the bad-guy it catches the good-guy? laugh.gif

#9 jeswald

jeswald
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:15 PM

Posted 05 February 2010 - 06:23 PM

OK, as long as this is a known problem. You have to understand, I've been running programs on my computer based on recommendations from total strangers, so I got a little nervous when one of them was flagged as malware itself.

And yes, I have lost a lot of faith in McAfee.

Thanks for your help!

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:15 PM

Posted 05 February 2010 - 06:38 PM

I understand your concern.

When you pick up an antivirus you need to do a little research before paying for it. Among those who come here for assistance with a paid antivirus I see McAfee is the number one spot for being most installed. In other words McAfee doesn't do a descent job.

Now try this one and see how McAfee-Artemis flags ComboFix while the top antiviruses don't.

Download Combofix to your desktop.

Click on this link--> virustotal

Click the browse button. Copy and paste the line in bold in the open box, then click Send File.

c:\documents and settings\Jesse\Desktop\ComboFix.exe

If the file is analyzed before, click Reanalyse File Now button.

Please tell me if you have any question before closing the topic.


#11 jeswald

jeswald
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:15 PM

Posted 05 February 2010 - 08:03 PM

Interesting: 7 of 40 virus scanners identified a problem with ComboFix (see below) -- but McAfee wasn't one of them! I guess the lesson I've learned is that there is no perfect antivirus program. I think I need to enhance my anti-virus/malware strategy.

Again, many thanks for your help. No more questions - feel free to close the topic.

Regards,

Jesse

=================

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.02.06 -
AhnLab-V3 5.0.0.2 2010.02.05 -
AntiVir 7.9.1.158 2010.02.05 -
Antiy-AVL 2.0.3.7 2010.02.05 -
Authentium 5.2.0.5 2010.02.05 -
Avast 4.8.1351.0 2010.02.05 -
AVG 9.0.0.730 2010.02.05 -
BitDefender 7.2 2010.02.06 -
CAT-QuickHeal 10.00 2010.02.05 -
ClamAV 0.96.0.0-git 2010.02.05 Pua.Hideexec
Comodo 3835 2010.02.06 ApplicUnsaf.Win32.Hide.~AB
DrWeb 5.0.1.12222 2010.02.06 -
eSafe 7.0.17.0 2010.02.04 -
eTrust-Vet 35.2.7286 2010.02.05 -
F-Prot 4.5.1.85 2010.02.05 -
F-Secure 9.0.15370.0 2010.02.05 Suspicious:W32/Riskware!Online
Fortinet 4.0.14.0 2010.02.06 -
GData 19 2010.02.06 -
Ikarus T3.1.1.80.0 2010.02.05 -
Jiangmin 13.0.900 2010.02.05 Backdoor/RBot.oqm
K7AntiVirus 7.10.967 2010.02.05 -
Kaspersky 7.0.0.125 2010.02.06 -
McAfee 5883 2010.02.05 -
McAfee+Artemis 5883 2010.02.05 -
McAfee-GW-Edition 6.8.5 2010.02.05 -
Microsoft 1.5406 2010.02.06 -
NOD32 4840 2010.02.06 -
Norman 6.04.03 2010.02.05 -
nProtect 2009.1.8.0 2010.02.05 -
Panda 10.0.2.2 2010.02.05 Trj/Nabload.DPS
PCTools 7.0.3.5 2010.02.05 Application.NirCmd
Prevx 3.0 2010.02.06 -
Rising 22.33.04.04 2010.02.05 -
Sophos 4.50.0 2010.02.06 NirCmd
Sunbelt 3.2.1858.2 2010.02.06 -
TheHacker 6.5.1.0.181 2010.02.05 -
TrendMicro 9.120.0.1004 2010.02.05 -
VBA32 3.12.12.1 2010.02.05 -
ViRobot 2010.2.5.2174 2010.02.05 -
VirusBuster 5.0.21.0 2010.02.05 -

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:15 PM

Posted 05 February 2010 - 09:29 PM

It was a few weeks ego I checked it and McAfee+Artemis was one the flagging ones. Looks they have made some improvements.

Those naming Application.NirCmd or NirCmd are right as that is one of the tools used by ComboFix. The tool is used to make changes and ComboFix uses it to remove malware, malware developers might use it for malicious purposes. It is like a gun, in good or bad hands.

You are most welcome. smile.gif

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users