Google Redirect


  • This topic is locked
17 replies to this topic

#1 clairecobra


  • Members
  • 28 posts

Posted 20 May 2010 - 08:55 AM

Google Redirect Virus, have run MBAM, SuperAntiSpyware, Hitman, to no avail
I originally posted in "Am I infected? What do I do?" with topic "Google Redirect / can't run safe mode"


-----DDS--------



DDS (Ver_10-03-17.01) - NTFSx86
Run by Claire-bear at 19:39:44.46 on Tue 05/18/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.463 [GMT -4:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\keyacc32.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell AIO 810\dlcgmon.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\WINDOWS\kass.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dlcgcoms.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Documents and Settings\Claire-bear\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Logitech\QuickCam10\COCIManager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Claire-bear\My Documents\Downloads\Defogger.exe
C:\Documents and Settings\Claire-bear\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uWindow Title = Windows Internet Explorer provided by Comcast
mDefault_Page_URL = hxxp://www.dell.com
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant =
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\mozilla firefox\orbitdownloader\orbitcth.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
uRun: [Google Update] "c:\documents and settings\claire-bear\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [gotnewupdate000.exe] c:\documents and settings\claire-bear\application data\69f7d536a17e736e352f8c6820dc01f4\gotnewupdate000.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [TkBellExe] "realsched.exe" -osboot
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [DLCGCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCGtime.dll,_RunDLLEntry@16
mRun: [dlcgmon.exe] "c:\program files\dell aio 810\dlcgmon.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam10\QuickCam10.exe" /hide
mRun: [KeyAccess] kass.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: &Download by Orbit - c:\program files\mozilla firefox\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\mozilla firefox\orbitdownloader\orbitmxt.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Do&wnload selected by Orbit - c:\program files\mozilla firefox\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\mozilla firefox\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} - hxxp://0-site.ebrary.com.luna.wellesley.edu/lib/wellesley/support/plugins/ebraryRdr.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} -
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: KATRACK.DLL rodiwoza.dll c:\windows\system32\lenikohe.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\pmnOhffd
LSA: Notification Packages = scecli febepipa.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\claire~1\applic~1\mozilla\firefox\profiles\mai82q6w.default\
FF - prefs.js: browser.search.selectedEngine - GoogleCOM
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - hxxp://www.afreesearch.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - plugin: c:\documents and settings\claire-bear\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\claire-bear\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: browser.search.selectedEngine - GoogleCOM
FF - user.js: keyword.URL - hxxp://www.afreesearch.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-2-23 64288]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2008-5-22 31816]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2006-10-23 58464]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-11-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-11-17 68168]
R2 KeyAccess;KeyAccess;c:\windows\keyacc32.exe [2008-10-29 1041088]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1291544]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2006-10-23 103744]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2008-5-22 144704]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2008-5-22 54608]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-2-21 24652]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 JakNDisMP;JakNDisMP;c:\windows\system32\drivers\JakNDis.sys [2009-5-11 21504]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2009-2-24 72936]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2009-2-24 33960]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2009-2-24 174952]
S0 ocnpa;ocnpa; [x]
S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2006-10-23 116864]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2003-4-4 30336]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-11-17 12872]

=============== Created Last 30 ================

2010-05-18 23:35:17 0 ----a-w- c:\documents and settings\claire-bear\defogger_reenable
2010-05-18 04:19:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-18 04:19:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-15 05:15:42 1442 ----a-w- c:\windows\system32\.crusader
2010-05-15 05:05:50 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-05-15 05:05:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-05-15 05:04:59 0 d-----w- c:\program files\Hitman Pro 3.5
2010-05-13 01:02:34 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-05-13 01:02:34 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
2010-05-13 00:59:38 0 d-----w- c:\docume~1\claire~1\applic~1\ATManager
2010-05-13 00:57:49 0 d-----w- c:\docume~1\claire~1\applic~1\69F7D536A17E736E352F8C6820DC01F4
2010-05-12 01:46:33 0 d-----w- c:\program files\common files\Thomson ResearchSoft
2010-05-12 01:44:08 0 d-----w- c:\program files\EndNote X1
2010-04-29 17:40:18 0 d-----w- c:\program files\iTunes
2010-04-29 17:33:52 0 d-----w- c:\program files\Bonjour
2010-04-25 22:55:13 0 d-----w- c:\docume~1\claire~1\applic~1\Softland
2010-04-25 22:54:55 7549 ----a-w- c:\windows\system32\dopdf7.ctm
2010-04-25 22:54:54 22856 ----a-w- c:\windows\system32\dopdfmn7.dll
2010-04-25 22:54:54 19784 ----a-w- c:\windows\system32\dopdfmi7.dll
2010-04-25 22:54:46 0 d-----w- c:\program files\Softland

==================== Find3M ====================

2010-04-28 00:21:02 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-04-08 17:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-21 17:29:42 67728 ---ha-w- c:\windows\system32\mlfcache.dat
2008-09-07 17:17:58 54333208 ----a-w- c:\program files\jdk-1_5_0_16-windows-i586-p.exe
2008-11-08 19:56:55 88 --sh--r- c:\windows\system32\F0AA5F4048.sys
2008-11-08 19:56:57 3558 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 19:41:24.01 ===============




----GMER-----




GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-05-18 14:35:30
Windows 5.1.2600 Service Pack 3
Running: utlk0kl3.exe; Driver: C:\DOCUME~1\CLAIRE~1\LOCALS~1\Temp\ufldqpoc.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0x9BE26A51]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0x9BE26A7D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0x9BE26A27]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0x9BE26A67]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x9BE26AA9]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 86EB7EE4

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
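The DDS log above contains several entries that a log reader would flag before any cleanup: an AppInit_DLLs value with random-looking DLL names, extra LSA Authentication/Notification packages beside msv1_0 and scecli, a Run entry launching from a hash-named folder under Application Data, a Firefox keyword.URL pointing at afreesearch.com, a Hosts override, and a service (ocnpa) whose binary is missing ([x]). The script below is an added example, not part of the original post or of the DDS tool: it runs those checks over a handful of lines copied from the log. The LSA baseline set and the list of legitimate search hosts are assumptions chosen for illustration, not values taken from the page.

```python
"""Triage a DDS "Pseudo HJT Report" for common persistence indicators.

Added example, not part of the original post or the DDS tool. The sample
lines are copied from the log in the post; the baselines below are
assumptions made for this illustration.
"""
import re

# Constructed sample: a subset of the DDS log lines from the post above.
SAMPLE_LINES = [
    r"uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe",
    r"uRun: [gotnewupdate000.exe] c:\documents and settings\claire-bear\application data\69f7d536a17e736e352f8c6820dc01f4\gotnewupdate000.exe",
    r"mRun: [KeyAccess] kass.exe",
    r"AppInit_DLLs: KATRACK.DLL rodiwoza.dll c:\windows\system32\lenikohe.dll",
    r"LSA: Authentication Packages = msv1_0 c:\windows\system32\pmnOhffd",
    r"LSA: Notification Packages = scecli febepipa.dll",
    r"Hosts: 127.0.0.1 www.spywareinfo.com",
    r"FF - user.js: keyword.URL - hxxp://www.afreesearch.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=",
    r"S0 ocnpa;ocnpa; [x]",
    r"R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2008-5-22 144704]",
]

# Assumption: the only packages a stock XP install carries in these LSA keys.
LSA_BASELINE = {
    "Authentication Packages": {"msv1_0"},
    "Notification Packages": {"scecli"},
}
# Assumption: search hosts we accept in Firefox's keyword.URL.
KNOWN_SEARCH_HOSTS = {"www.google.com", "search.yahoo.com", "www.bing.com"}
# A path component of 32 hex characters, as in the dropper folder in the log.
HEX_DIR = re.compile(r"\\[0-9a-f]{32}\\", re.I)


def check_line(line):
    """Return a list of (rule, detail) findings for one DDS log line."""
    findings = []

    # AppInit_DLLs is empty on a clean XP box and is a classic injection
    # point, so every DLL listed there is reported.
    if line.startswith("AppInit_DLLs:"):
        for dll in line.split(":", 1)[1].split():
            findings.append(("appinit_dll", dll))

    # Extra LSA packages load into lsass.exe at boot; report anything
    # outside the baseline.
    m = re.match(r"LSA: (Authentication Packages|Notification Packages) = (.*)", line)
    if m:
        key, values = m.group(1), m.group(2).split()
        for v in values:
            if v.lower() not in LSA_BASELINE[key]:
                findings.append(("lsa_extra_package", f"{key}: {v}"))

    # Run keys whose target lives under Application Data, or in a
    # hash-named directory, are typical of user-mode droppers.
    m = re.match(r"[um]Run: \[[^\]]*\] (.*)", line)
    if m:
        target = m.group(1)
        if HEX_DIR.search(target) or "\\application data\\" in target.lower():
            findings.append(("run_from_appdata", target))

    # keyword.URL decides where address-bar searches go; an unknown host
    # there is a search hijack.
    m = re.match(r"FF - (?:user|prefs)\.js: keyword\.URL - hxxp://([^/]+)/", line)
    if m and m.group(1).lower() not in KNOWN_SEARCH_HOSTS:
        findings.append(("ff_keyword_url_hijack", m.group(1)))

    # A boot-start (S0/R0) service whose image is missing ([x]) is often
    # the leftover of a rootkit loader.
    m = re.match(r"([RS]\d) ([^;]+);[^;]*;(.*)", line)
    if m and m.group(3).strip() == "[x]":
        findings.append(("service_missing_binary", m.group(2)))

    # DDS only prints Hosts entries that differ from the default.
    if line.startswith("Hosts:"):
        findings.append(("hosts_override", line.split(" ", 1)[1]))

    return findings


def triage(lines):
    """Run every rule over every line and return all findings in order."""
    results = []
    for line in lines:
        results.extend(check_line(line.rstrip("\n")))
    return results


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LINES):
        print(f"{rule:24} {detail}")
```

Run against the sample it reports nine findings; the three AppInit DLLs, the two extra LSA packages, the gotnewupdate000.exe Run entry, the afreesearch.com keyword.URL, the ocnpa service and the Hosts override. Entries such as ctfmon.exe and McShield pass through untouched. The script is a first-pass reader, not a verdict: the GMER "atapi.sys suspicious modification" line in the same post is a separate, kernel-level indicator that no user-mode log parser can confirm.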


#2 aommaster


    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • Gender:Male
  • Location:Dubai
  • Local time:04:39 AM

Posted 21 May 2010 - 12:49 AM

Hello, clairecobra.
My name is aommaster and I will be helping you with your log.


If you have since resolved the original problem you were having, I would appreciate you letting us know. If not, please perform the steps below so I can have a look at the current condition of your machine.

Thanks

Should you still require assistance, please take note of the points below:
  • Please track this topic by either adding it to your favourites or clicking the Options button at the top of this thread and then Track this topic.
  • Please disable word-wrap before posting logs. This can be done by clicking Format and un-ticking the word-wrap feature in notepad.
  • The logs that you post should be copied and pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • If you do not reply within 5 days, I will have to close your topic. Should you not be able to meet this, please notify me so that I will leave the topic open.
  • Please do not install, update, or run any programs for the duration of the fix.
  • If you do not understand the instructions I provide, please don't hesitate to ask. That's what I'm here for :)
  • Please continue to reply to this topic until I give you the all clean. Just because there are no symptoms of infection doesn't mean that the computer is clean.
  • If you are running Vista, please run all the fixes as an administrator. This is done by right-clicking the program and clicking "Run as Administrator".

Please do the following so I can take a look at the current state of your system.

We need to run RSIT
  1. Download random's system information tool (RSIT) by random/random and save it to your desktop.
  2. Double click on RSIT.exe.
  3. Click Continue at the disclaimer screen.
  4. Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

NEXT:
(This step may produce a blank log. Let me know if that is the case)
We need to run a GMER scan
  1. Download GMER and save to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  2. Close all other open programs as there is a slight chance your computer will crash.
  3. Double click the GMER program. Your security programs may detect GMER's driver trying to load. Allow it.
  4. You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  5. Make sure all options are checked except:
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All (This is important, so do not miss it.)
    Note: If GMER crashes or hangs, please retry running a scan. Only this time, in addition to the options mentioned above, uncheck Devices as well.
  6. When the scan is complete, click Save and save the log onto your desktop.

In your next reply, please include the following:
  • Log.txt
  • info.txt
  • gmer.log

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 clairecobra

  • Topic Starter

  • Members
  • 28 posts

Posted 23 May 2010 - 11:14 PM

Logfile of random's system information tool 1.07 (written by random/random)
Run by Claire-bear at 2010-05-23 23:54:29
Microsoft Windows XP Professional Service Pack 3
System drive C: has 11 GB (22%) free of 52 GB
Total RAM: 1014 MB (20% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 23:55:05, on 5/23/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\keyacc32.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C

Logfile of random's system information tool 1.07 (written by random/random)
Run by Claire-bear at 2010-05-23 23:54:29
Microsoft Windows XP Professional Service Pack 3
System drive C: has 11 GB (22%) free of 52 GB
Total RAM: 1014 MB (20% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 23:55:05, on 5/23/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\keyacc32.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C

Logfile of random's system information tool 1.07 (written by random/random)
Run by Claire-bear at 2010-05-23 23:54:29
Microsoft Windows XP Professional Service Pack 3
System drive C: has 11 GB (22%) free of 52 GB
Total RAM: 1014 MB (20% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 23:55:05, on 5/23/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\keyacc32.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C

#4 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:04:39 AM

Posted 23 May 2010 - 11:41 PM

Hi!

Looks like the infection's interfering with you copying and pasting the logs in. Please attach the logs and I'll edit them into your reply.

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#5 clairecobra

clairecobra
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:08:39 PM

Posted 24 May 2010 - 12:33 AM

There seems to be a problem with the log file... I can upload info and gmer with no problem, but when I try to attach the log.txt file, it just hangs on "uploading attachment" forever. Should I repeat the scan? I have no trouble opening log.txt and viewing it in notepad.

info.txt logfile of random's system information tool 1.06 2010-05-23 23:55:10

======Uninstall list======

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABBYY FineReader 6.0 Sprint-->MsiExec.exe /I{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}
Across Lite 2.0-->C:\PROGRA~1\Litsoft\ACROSS~1.0\UNWISE.EXE C:\PROGRA~1\Litsoft\ACROSS~1.0\INSTALL.LOG
Ad-Aware Email Scanner for Outlook-->MsiExec.exe /I{338F08AB-C262-42C7-B000-34DE1A475273}
Ad-Aware-->"C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe" REMOVE=TRUE MODIFY=FALSE
Ad-Aware-->C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
AdciliatLze-->MsiExec.exe /I{E1C17D77-6D4F-4628-B23B-50AE5EF12BCA}
Adobe Download Manager 2.0 (Remove Only)-->"C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Download Manager-->"C:\Program Files\NOS\bin\getPlus_HelperSvc.exe" /UninstallGet1
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0.5 Language Support-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-7050000000A7}
Adobe Reader 7.1.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A71000000002}
Adobe Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Amazon MP3 Downloader 1.0.9-->C:\Program Files\Amazon\MP3 Downloader\Uninstall.exe
AOL Uninstaller (Choose which Products to Remove)-->C:\Program Files\Common Files\AOL\uninstaller.exe
AOLIcon-->MsiExec.exe /I{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}
Apple Application Support-->MsiExec.exe /I{553255F3-78FD-40F1-A6F8-6882140265FE}
Apple Mobile Device Support-->MsiExec.exe /I{9DE1BE03-AFE2-4CDB-BFEB-D06D736CD01A}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Bonjour-->MsiExec.exe /X{8A253629-0511-4854-8B4E-46E57E66005C}
Broadcom Management Programs-->MsiExec.exe /I{26E1BFB0-E87E-4696-9F89-B467F01F81E5}
Canon Camera Access Library-->"C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CAL\Uninst.ini"
Canon Camera Support Core Library-->"C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CSCLIB\Uninst.ini"
Canon Camera Window DC_DV 5 for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC\Uninst.ini"
Canon Camera Window DC_DV 6 for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\Uninst.ini"
Canon Camera Window MC 6 for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowMC\Uninst.ini"
Canon G.726 WMP-Decoder-->"C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\G726Decoder\G726DecUnInstall.ini"
Canon MovieEdit Task for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\MVWUninst.ini"
Canon RAW Image Task for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\RAW Image Task\Uninst.ini"
Canon RemoteCapture Task for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\RemoteCaptureTask DC\Uninst.ini"
Canon Utilities EOS Utility-->"C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\EOS Utility\Uninst.ini"
Canon Utilities PhotoStitch-->"C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\PhotoStitch\Uninst.ini"
Canon Utilities ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\Uninst.ini"
Comcast High-Speed Internet Install Wizard-->C:\Program Files\support.com\uninstall\chsi_uninstaller.exe
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Conexant HDA D110 MDC V.92 Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3\HXFSETUP.EXE -U -Idel1028k.inf
Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
Dell AIO 810-->C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\dlcgUNST.EXE -NOLICENSE
Dell Digital Jukebox Driver-->C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s
Dell Media Experience-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2637C347-9DAD-11D6-9EA2-00055D0CA761}\Setup.exe" -uninstall
Dell Support Center (Support Software)-->MsiExec.exe /X{E3BFEE55-39E2-4BE0-B966-89FE583822C1}
Desktop Doctor-->MsiExec.exe /I{D87149B3-7A1D-4548-9CBF-032B791E5908}
Digital Content Portal-->MsiExec.exe /I{6D5FCA42-1486-4E32-AFE8-1B7E2AA59D33}
Digital Line Detect-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Documentation & Support Launcher-->MsiExec.exe /X{B0DF58A2-40DF-4465-AA56-38623EC9938C}
doPDF 7.1 printer-->"C:\Program Files\Softland\doPDF 7\unins000.exe"
DreamStation DXi2-->C:\WINDOWS\DSDXIRMV.EXE C:\PROGRAM FILES\CAKEWALK\SHARED DXI\AUDIO SIMULATION\DREAMSTATION DXI2
EducateU-->MsiExec.exe /I{A683A2C0-821C-486F-858C-FA634DB5E864}
ELIcon-->MsiExec.exe /I{4667B940-BB01-428B-986E-A0CC46497BF7}
EndNote X1-->MsiExec.exe /I{87F7773C-EC9C-461A-AA7B-4AF8EF54DF49}
FirstClass® Client-->C:\Program Files\InstallShield Installation Information\{5B35C417-2649-11D6-83D1-0050FC01225C}\setup.exe -runfromtemp -l0x0009 -uninst -removeonly
Games, Music, & Photos Launcher-->MsiExec.exe /X{B6884A07-0305-47AE-9969-8F26FADC17DE}
GTK+ Runtime 2.14.7 rev a (remove only)-->C:\Program Files\Common Files\GTK\2.0\uninst.exe
High Definition Audio Driver Package - KB835221-->C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
Hitman Pro 3.5-->"C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" /uninstall
Hotfix 2055 for SQL Server 2000 ENU (KB960082)-->"C:\WINDOWS\$SQLUninstallSQL2000-KB960082-v8.00.2055-x86-ENU$\spuninst\spuninst.exe"
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB976098-v2)-->"C:\WINDOWS\$NtUninstallKB976098-v2$\spuninst\spuninst.exe"
Intel® Graphics Media Accelerator Driver-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_27A6 PCI\VEN_8086&DEV_27A2
Intel® PROSet/Wireless Software-->C:\WINDOWS\Installer\iProInst.exe
Internet Service Offers Launcher-->MsiExec.exe /X{E42BD75A-FC23-4E3F-9F91-2658334C644F}
ISI ResearchSoft - Export Helper-->C:\PROGRA~1\COMMON~1\Risxtd\_UNINST.EXE
iTunes-->MsiExec.exe /I{5ECB3A3C-980B-4D12-9724-25DCB07A1F47}
J2SE Development Kit 5.0 Update 16-->MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0150160}
J2SE Runtime Environment 5.0 Update 16-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150160}
Java™ 6 Update 15-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Learn2 Player (Uninstall Only)-->C:\Program Files\Learn2.com\StRunner\stuninst.exe
LiveUpdate 2.6 (Symantec Corporation)-->C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Logitech Audio Echo Cancellation Component-->MsiExec.exe /X{BEF726DD-4037-4214-8C6A-E625C02D2870}
Logitech QuickCam-->MsiExec.exe /X{EC42ED6A-751D-45C0-A4F9-8CD00E4690FC}
Logitech Video Enumerator-->MsiExec.exe /X{EA516024-D84D-41F1-814F-83175A6188F2}
Logitech® Camera Driver-->"C:\Program Files\Common Files\Logitech\QCDRV\BIN\SETUP.EXE" UNINSTALL REMOVEPROMPT
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
McAfee AntiSpyware Enterprise Module-->"C:\Program Files\McAfee\VirusScan Enterprise\scan32.exe" /UninstallMAS
McAfee VirusScan Enterprise-->MsiExec.exe /I{35C03C04-3F1F-42C2-A989-A757EE691F65}
mCore-->MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
MCU-->MsiExec.exe /I{D2988E9B-C73F-422C-AD4B-A66EBE257120}
MDL ISIS Draw 2.5 Standalone-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MDL ISIS Draw 2.5\uninst.isu"
mDriver-->MsiExec.exe /I{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}
mDrWiFi-->MsiExec.exe /I{90CC4231-94AC-45CD-991A-0253BFAC0650}
mHlpDell-->MsiExec.exe /I{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}
Microsoft .NET Framework 1.1 Security Update (KB953297)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Outlook 2003 with Business Contact Manager Update-->MsiExec.exe /I{BA68600E-96D9-4E92-80F2-26B9681B5A63}
Microsoft Office Small Business Edition 2003-->MsiExec.exe /I{91CA0409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ)-->MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Visual C++ Run Time Lib Setup-->MsiExec.exe /X{AAF4238F-7C29-451D-9925-C753271A5728}
mIWA-->MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mLogView-->MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse-->MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Modem Helper-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Mozilla Firefox (3.6.3)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
mPfMgr-->MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz-->MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe-->MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
mSSO-->MsiExec.exe /I{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
mWlsSafe-->MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mWMI-->MsiExec.exe /I{63DB9CCD-2B56-4217-9A3D-507AC78320CA}
mXML-->MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig-->MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
NetWaiting-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
OGA Notifier 2.0.0048.0-->MsiExec.exe /I{B2544A03-10D0-4E5E-BA69-0362FFC20D18}
Orbit Downloader-->"C:\Program Files\Mozilla Firefox\Orbitdownloader\unins000.exe"
Picasa 3-->"C:\Program Files\Google\Picasa3\Uninstall.exe"
Pidgin-->C:\Program Files\Pidgin\pidgin-uninst.exe
PowerDVD 5.7-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Qualxserve Service Agreement-->MsiExec.exe /X{0F756CD9-4A1E-409B-B101-601DDC4C03AA}
QuickSet-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe" -l0x9 APPDRVNT4
QuickTime-->MsiExec.exe /I{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Sassafras K2 Client-->MsiExec.exe /I{E23D1D2C-1762-11D5-A8D2-00C04FA35723}
Scrabble-->C:\WINDOWS\uninst.exe -fc:\Scrabble\DeIsL1.isu -cc:\Scrabble\_ISREG32.DLL
Search Assist-->MsiExec.exe /X{DF6A589A-7A1A-430C-9FF2-A0BDB42669DC}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458)-->"C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950759)-->"C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956390)-->"C:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB963027)-->"C:\WINDOWS\$NtUninstallKB963027$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969897)-->"C:\WINDOWS\$NtUninstallKB969897$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969947)-->"C:\WINDOWS\$NtUninstallKB969947$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970430)-->"C:\WINDOWS\$NtUninstallKB970430$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971468)-->"C:\WINDOWS\$NtUninstallKB971468$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971961)-->"C:\WINDOWS\$NtUninstallKB971961$\spuninst\spuninst.exe"
Security Update for Windows XP (KB972260)-->"C:\WINDOWS\$NtUninstallKB972260$\spuninst\spuninst.exe"
Security Update for Windows XP (KB972270)-->"C:\WINDOWS\$NtUninstallKB972270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973904)-->"C:\WINDOWS\$NtUninstallKB973904$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974318)-->"C:\WINDOWS\$NtUninstallKB974318$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974392)-->"C:\WINDOWS\$NtUninstallKB974392$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974455)-->"C:\WINDOWS\$NtUninstallKB974455$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975560)-->"C:\WINDOWS\$NtUninstallKB975560$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975713)-->"C:\WINDOWS\$NtUninstallKB975713$\spuninst\spuninst.exe"
Security Update for Windows XP (KB976325)-->"C:\WINDOWS\$NtUninstallKB976325$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977165)-->"C:\WINDOWS\$NtUninstallKB977165$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977914)-->"C:\WINDOWS\$NtUninstallKB977914$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978037)-->"C:\WINDOWS\$NtUninstallKB978037$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978251)-->"C:\WINDOWS\$NtUninstallKB978251$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978262)-->"C:\WINDOWS\$NtUninstallKB978262$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978706)-->"C:\WINDOWS\$NtUninstallKB978706$\spuninst\spuninst.exe"
Shared Add-in Extensibility Update for Microsoft .NET Framework 2.0 (KB908002)-->MsiExec.exe /X{09959E11-AD5D-408E-96AF-E3346954D6B8}
Shared Add-in Support Update for Microsoft .NET Framework 2.0 (KB908002)-->MsiExec.exe /X{64F3B15C-24C7-4B2B-9B72-65CCBBD7F06B}
Sibelius 3-->C:\PROGRA~1\SIBELI~1\SIBELI~1\UNWISE.EXE C:\PROGRA~1\SIBELI~1\SIBELI~1\INSTALL.LOG
Skype™ 4.1-->MsiExec.exe /X{D103C4BA-F905-437A-8049-DB24763BBE36}
Sonic DLA-->MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic MyDVD LE-->MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic RecordNow Audio-->MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic RecordNow Copy-->MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic RecordNow Data-->MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Update Manager-->MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Streaming Media Recorder-->MsiExec.exe /I{8CB313FF-1CC6-4435-9D83-BC898BC221DC}
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
TBS WMP Plug-in-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{13515135-48BB-4184-8C1F-2FAE0138E200}
Tetris-->"C:\Program Files\Tetris\unins000.exe"
The Sims Deluxe Edition-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{10798AE3-DCBB-43C3-9C93-C23512427E25}\Setup.exe" -l0009
UMVPLStandalone-->MsiExec.exe /X{8AC049F7-1383-45C3-9E7D-F93CA667F9E1}
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955759)-->"C:\WINDOWS\$NtUninstallKB955759$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB971737)-->"C:\WINDOWS\$NtUninstallKB971737$\spuninst\spuninst.exe"
Update for Windows XP (KB973687)-->"C:\WINDOWS\$NtUninstallKB973687$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
Update for Windows XP (KB976749)-->"C:\WINDOWS\$NtUninstallKB976749$\spuninst\spuninst.exe"
Update for Windows XP (KB978207)-->"C:\WINDOWS\$NtUninstallKB978207$\spuninst\spuninst.exe"
URL Assistant-->regsvr32 /u /s "C:\Program Files\BAE\BAE.dll"
Viewpoint Manager (Remove Only)-->C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Virtual Sound Canvas DXi-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4E10E7FC-36CD-4C22-AC20-9E15692E8C2F}\setup.exe" UNINSTALL_XXX
Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
Visual C++ 2008 x86 Runtime - v9.0.30729.01-->C:\WINDOWS\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
WebCyberCoach 3.2 Dell-->"C:\Program Files\WebCyberCoach\b_Dell\WCC_Wipe.exe" "WebCyberCoach ext\wtrb" /inf "engine.inf,RealUninstallSection,,4" /infcfg "enginecf.inf,RealUninstallSection,,4"
Windows Defender-->MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinPcap 3.0-->"C:\Program Files\WinPcap\Uninstall.exe" "C:\Program Files\WinPcap\install.log"
WinSCP 3.7.6-->"C:\Program Files\WinSCP3\unins000.exe"

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

======Security center information======

AV: VirusScan Enterprise + AntiSpyware Enterprise

======System event log======

Computer Name: CRIMKUS
Event Code: 7901
Message: The At23.job command failed to start due to the following error:
%%2147942402

Record Number: 101483
Source Name: Schedule
Time Written: 20100329220000.000000-240
Event Type: error
User:

Computer Name: CRIMKUS
Event Code: 7901
Message: The At46.job command failed to start due to the following error:
%%2147942402

Record Number: 101482
Source Name: Schedule
Time Written: 20100329210000.000000-240
Event Type: error
User:

Computer Name: CRIMKUS
Event Code: 7901
Message: The At22.job command failed to start due to the following error:
%%2147942402

Record Number: 101481
Source Name: Schedule
Time Written: 20100329210000.000000-240
Event Type: error
User:

Computer Name: CRIMKUS
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001302AA60FC. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 101480
Source Name: Dhcp
Time Written: 20100329205157.000000-240
Event Type: warning
User:

Computer Name: CRIMKUS
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001302AA60FC. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 101477
Source Name: Dhcp
Time Written: 20100329205142.000000-240
Event Type: warning
User:

=====Application event log=====

Computer Name: CRIMKUS
Event Code: 100
Message: Task Scheduling Error: m->NextScheduledEvent 2125

Record Number: 8151
Source Name: Bonjour Service
Time Written: 20100423101030.000000-240
Event Type: error
User:

Computer Name: CRIMKUS
Event Code: 100
Message: Task Scheduling Error: Continuously busy for more than a second

Record Number: 8150
Source Name: Bonjour Service
Time Written: 20100423101030.000000-240
Event Type: error
User:

Computer Name: CRIMKUS
Event Code: 100
Message: Task Scheduling Error: m->NextScheduledSPRetry 2969

Record Number: 8149
Source Name: Bonjour Service
Time Written: 20100422233856.000000-240
Event Type: error
User:

Computer Name: CRIMKUS
Event Code: 100
Message: Task Scheduling Error: m->NextScheduledEvent 2969

Record Number: 8148
Source Name: Bonjour Service
Time Written: 20100422233856.000000-240
Event Type: error
User:

Computer Name: CRIMKUS
Event Code: 100
Message: Task Scheduling Error: Continuously busy for more than a second

Record Number: 8147
Source Name: Bonjour Service
Time Written: 20100422233856.000000-240
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\Common Files\MDL Shared\ISIS;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 14 Stepping 8, GenuineIntel
"PROCESSOR_REVISION"=0e08
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"SonicCentral"=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
"VSEDEFLOGDIR"=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
"DEFLOGDIR"=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
"asl.log"=Destination=file;OnFirstLog=command,environment
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip

-----------------EOF-----------------

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-24 00:09:47
Windows 5.1.2600 Service Pack 3
Running: nz140jcu.exe; Driver: C:\DOCUME~1\CLAIRE~1\LOCALS~1\Temp\ufldqpoc.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF760D87E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF760DBFE]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA0CBFABD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA0CBFAE7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA0CBFA51]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA0CBFA7D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA0CBFB11]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA0CBFA27]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA0CBFAD1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA0CBFA67]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA0CBFAA9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA0CBFB27]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA0CBFAFB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AF4 7 Bytes JMP A0CBFAFF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP A0CBFAC1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2004 7 Bytes JMP A0CBFB15 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E12 5 Bytes JMP A0CBFB2B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E8 7 Bytes JMP A0CBFAD5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11FA 5 Bytes JMP A0CBFAEB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AC 5 Bytes JMP A0CBFAAD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231D8 7 Bytes JMP A0CBFA6B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C46 7 Bytes JMP A0CBFA55 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E16 7 Bytes JMP A0CBFA81 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624B88 5 Bytes JMP A0CBFA2B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.rsrc C:\WINDOWS\system32\drivers\compbatt.sys entry point in ".rsrc" section [0xF79D3214]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[144] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01D90000
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[144] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01D90F21
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[144] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01D90F3C
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[144] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01D90F57
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[144] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01D90F72
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[144] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01D90F94
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[144] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01D9005F
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[144] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01D90042
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[144] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01D90EEB
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[144] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01D90084
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[144] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01D90ED0
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[144] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01D90F83
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[144] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01D90FE5
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[144] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01D90031
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[144] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01D90FAF
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[144] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01D90FD4
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[144] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01D90F06
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[144] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01D80039
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[144] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01D8005B
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[144] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01D80FDE
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[144] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01D80FEF
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[144] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01D8004A
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[144] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01D8000A
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[144] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01D80FB2
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[144] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F8, 89]
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[144] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01D80FC3
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[144] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01D7005F
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[144] msvcrt.dll!system 77C293C7 5 Bytes JMP 01D70044
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[144] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01D70029
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[144] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01D7000C
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[144] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01D70FD4
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[144] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01D70FEF
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[144] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01D50FEF
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[144] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 01D60FD4
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[144] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 01D60FEF
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[144] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 01D60FC3
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[144] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 01D60FB2
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[544] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EF0FEF
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[544] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EF0F53
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[544] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EF0F6E
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[544] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EF0F89
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[544] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EF003C
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[544] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EF0FAB
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[544] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EF0F25
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[544] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EF006D
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[544] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EF0EDE
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[544] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EF0EEF
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[544] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EF0EC3
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[544] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EF0F9A
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[544] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EF0FDE
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[544] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EF0F42
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[544] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EF0FBC
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[544] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EF0FCD
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[544] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EF0F00
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[544] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EE0FC3
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[544] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EE0F61
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[544] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EE0FD4
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[544] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EE0FE5
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[544] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EE0F72
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[544] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EE0000
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[544] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00EE0F8D
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[544] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [0E, 89]
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[544] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EE0FA8
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[544] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00ED0042
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[544] msvcrt.dll!system 77C293C7 5 Bytes JMP 00ED0FB7
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[544] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00ED0FC8
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[544] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00ED0000
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[544] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00ED0027
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[544] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00ED0FEF
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[544] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007D0000
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[544] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00EC000A
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[544] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00EC0FEF
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[544] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00EC0FD4
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[544] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00EC0FB7
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01390FE5
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01390F37
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01390F52
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0139002C
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01390F6F
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01390F9E
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01390EE4
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01390EFF
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 0139007D
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01390058
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01390EC9
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0139001B
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01390FCA
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01390F1C
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0139000A
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01390FB9
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01390047
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0138002C
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01380F94
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0138001B
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01380FE5
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01380FA5
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0138000A
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01380FB6
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [58, 89]
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0138003D
.text C:\WINDOWS\system32\services.exe[628] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01370FD9
.text C:\WINDOWS\system32\services.exe[628] msvcrt.dll!system 77C293C7 5 Bytes JMP 01370064
.text C:\WINDOWS\system32\services.exe[628] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01370038
.text C:\WINDOWS\system32\services.exe[628] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01370000
.text C:\WINDOWS\system32\services.exe[628] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01370049
.text C:\WINDOWS\system32\services.exe[628] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01370011
.text C:\WINDOWS\system32\services.exe[628] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 01360000
.text C:\WINDOWS\system32\services.exe[628] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 01360FE5
.text C:\WINDOWS\system32\services.exe[628] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 01360FBE
.text C:\WINDOWS\system32\services.exe[628] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 01360FAD
.text C:\WINDOWS\system32\services.exe[628] WS2_32.dll!socket 71AB4211 5 Bytes JMP 003C000A
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 010A0FE5
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 010A0062
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 010A0051
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 010A0F77
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 010A0F9E
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 010A0025
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 010A0F26
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 010A0F37
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010A0ED5
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 010A0EE6
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 010A007F
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 010A0040
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 010A0FCA
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 010A0F48
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 010A0FB9
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 010A000A
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 010A0F01
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01090036
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01090FA5
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01090025
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01090FEF
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01090FB6
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01090000
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01090058
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01090047
.text C:\WINDOWS\system32\lsass.exe[640] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01080070
.text C:\WINDOWS\system32\lsass.exe[640] msvcrt.dll!system 77C293C7 5 Bytes JMP 01080FE5
.text C:\WINDOWS\system32\lsass.exe[640] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0108003A
.text C:\WINDOWS\system32\lsass.exe[640] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01080000
.text C:\WINDOWS\system32\lsass.exe[640] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01080055
.text C:\WINDOWS\system32\lsass.exe[640] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0108001D
.text C:\WINDOWS\system32\lsass.exe[640] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01060FEF
.text C:\WINDOWS\system32\lsass.exe[640] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 01070FD4
.text C:\WINDOWS\system32\lsass.exe[640] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 01070FE5
.text C:\WINDOWS\system32\lsass.exe[640] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 0107000A
.text C:\WINDOWS\system32\lsass.exe[640] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 0107001B
.text C:\WINDOWS\system32\svchost.exe[824] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CD0FE5
.text C:\WINDOWS\system32\svchost.exe[824] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CD0F81
.text C:\WINDOWS\system32\svchost.exe[824] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CD0076
.text C:\WINDOWS\system32\svchost.exe[824] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CD0065
.text C:\WINDOWS\system32\svchost.exe[824] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CD0FA8
.text C:\WINDOWS\system32\svchost.exe[824] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CD0040
.text C:\WINDOWS\system32\svchost.exe[824] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CD0F66
.text C:\WINDOWS\system32\svchost.exe[824] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CD00A2
.text C:\WINDOWS\system32\svchost.exe[824] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CD00C9
.text C:\WINDOWS\system32\svchost.exe[824] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CD0F3A
.text C:\WINDOWS\system32\svchost.exe[824] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CD0F0B
.text C:\WINDOWS\system32\svchost.exe[824] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CD0FB9
.text C:\WINDOWS\system32\svchost.exe[824] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CD0FD4
.text C:\WINDOWS\system32\svchost.exe[824] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CD0091
.text C:\WINDOWS\system32\svchost.exe[824] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CD002F
.text C:\WINDOWS\system32\svchost.exe[824] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CD000A
.text C:\WINDOWS\system32\svchost.exe[824] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CD0F4B
.text C:\WINDOWS\system32\svchost.exe[824] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CC0FD4
.text C:\WINDOWS\system32\svchost.exe[824] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CC0F9E
.text C:\WINDOWS\system32\svchost.exe[824] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CC0025
.text C:\WINDOWS\system32\svchost.exe[824] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CC000A
.text C:\WINDOWS\system32\svchost.exe[824] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CC0FB9
.text C:\WINDOWS\system32\svchost.exe[824] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CC0FEF
.text C:\WINDOWS\system32\svchost.exe[824] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00CC005B
.text C:\WINDOWS\system32\svchost.exe[824] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CC0040
.text C:\WINDOWS\system32\svchost.exe[824] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CB0066
.text C:\WINDOWS\system32\svchost.exe[824] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CB0055
.text C:\WINDOWS\system32\svchost.exe[824] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CB0029
.text C:\WINDOWS\system32\svchost.exe[824] msvcrt.dll!_open 77C2F566 3 Bytes JMP 00CB0FEF
.text C:\WINDOWS\system32\svchost.exe[824] msvcrt.dll!_open + 4 77C2F56A 1 Byte [89]
.text C:\WINDOWS\system32\svchost.exe[824] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CB003A
.text C:\WINDOWS\system32\svchost.exe[824] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CB000C
.text C:\WINDOWS\system32\svchost.exe[824] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00800FE5
.text C:\WINDOWS\system32\svchost.exe[824] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00800000
.text C:\WINDOWS\system32\svchost.exe[824] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00800011
.text C:\WINDOWS\system32\svchost.exe[824] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00800038
.text C:\WINDOWS\system32\svchost.exe[824] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007F0FEF
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E50000
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E50F61
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E50056
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E50045
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E50F7C
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E50FA8
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E5008E
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E5007D
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E500A9
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E50F1A
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E50EF5
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E50F97
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E50FEF
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E50F50
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E50FC3
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E50FD4
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E50F35
.text C:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E40FC3
.text C:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E4004D
.text C:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E40FD4
.text C:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E40FEF
.text C:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E40F86
.text C:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E40000
.text C:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00E40FA1
.text C:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [04, 89] {ADD AL, 0x89}
.text C:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E40FB2
.text C:\WINDOWS\system32\svchost.exe[876] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E3004E
.text C:\WINDOWS\system32\svchost.exe[876] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E30033
.text C:\WINDOWS\system32\svchost.exe[876] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E30FDE
.text C:\WINDOWS\system32\svchost.exe[876] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E30FEF
.text C:\WINDOWS\system32\svchost.exe[876] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E30FC3
.text C:\WINDOWS\system32\svchost.exe[876] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E3000C
.text C:\WINDOWS\system32\svchost.exe[876] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00800FDE
.text C:\WINDOWS\system32\svchost.exe[876] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00800FEF
.text C:\WINDOWS\system32\svchost.exe[876] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00800FC1
.text C:\WINDOWS\system32\svchost.exe[876] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00800014
.text C:\WINDOWS\system32\svchost.exe[876] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007F000A
.text C:\WINDOWS\System32\svchost.exe[992] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007F000A
.text C:\WINDOWS\System32\svchost.exe[992] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0080000A
.text C:\WINDOWS\System32\svchost.exe[992] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 007E000C
.text C:\WINDOWS\System32\svchost.exe[992] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03D3000A
.text C:\WINDOWS\System32\svchost.exe[992] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03D30F81
.text C:\WINDOWS\System32\svchost.exe[992] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03D30080
.text C:\WINDOWS\System32\svchost.exe[992] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03D3006F
.text C:\WINDOWS\System32\svchost.exe[992] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03D3005E
.text C:\WINDOWS\System32\svchost.exe[992] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03D30FB2
.text C:\WINDOWS\System32\svchost.exe[992] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03D300A7
.text C:\WINDOWS\System32\svchost.exe[992] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 03D30F5F
.text C:\WINDOWS\System32\svchost.exe[992] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 03D30F33
.text C:\WINDOWS\System32\svchost.exe[992] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 03D300CC
.text C:\WINDOWS\System32\svchost.exe[992] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 03D30F22
.text C:\WINDOWS\System32\svchost.exe[992] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 03D30043
.text C:\WINDOWS\System32\svchost.exe[992] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 03D30FEF
.text C:\WINDOWS\System32\svchost.exe[992] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 03D30F70
.text C:\WINDOWS\System32\svchost.exe[992] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 03D30FCD
.text C:\WINDOWS\System32\svchost.exe[992] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 03D30FDE
.text C:\WINDOWS\System32\svchost.exe[992] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 03D30F4E
.text C:\WINDOWS\System32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03D20FC0
.text C:\WINDOWS\System32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03D20FA5
.text C:\WINDOWS\System32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 03D20011
.text C:\WINDOWS\System32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 03D20000
.text C:\WINDOWS\System32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 03D20062
.text C:\WINDOWS\System32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 03D20FEF
.text C:\WINDOWS\System32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 03D2003D
.text C:\WINDOWS\System32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 03D2002C
.text C:\WINDOWS\System32\svchost.exe[992] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 019C000A
.text C:\WINDOWS\System32\svchost.exe[992] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00CD000A
.text C:\WINDOWS\System32\svchost.exe[992] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 03D10FB7
.text C:\WINDOWS\System32\svchost.exe[992] msvcrt.dll!system 77C293C7 5 Bytes JMP 03D10042
.text C:\WINDOWS\System32\svchost.exe[992] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03D10FD2
.text C:\WINDOWS\System32\svchost.exe[992] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03D10FEF
.text C:\WINDOWS\System32\svchost.exe[992] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 03D10031
.text C:\WINDOWS\System32\svchost.exe[992] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 03D1000C
.text C:\WINDOWS\System32\svchost.exe[992] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 03710000
.text C:\WINDOWS\System32\svchost.exe[992] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 03710FE5
.text C:\WINDOWS\System32\svchost.exe[992] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 0371001B
.text C:\WINDOWS\System32\svchost.exe[992] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 03710FC8
.text C:\WINDOWS\System32\svchost.exe[992] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02F90000
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1092] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01110000
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1092] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01110080
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1092] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01110F8B
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1092] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01110065
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1092] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01110054
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1092] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01110FC3
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1092] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 011100A2
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1092] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01110091
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1092] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 011100E9
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1092] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 011100CE
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1092] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 011100FA
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1092] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01110FB2
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1092] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01110FEF
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1092] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01110F66
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1092] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0111002F
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1092] kernel32.dll!CreateNamedPipeA 7C860CDC 3 Bytes JMP 01110FDE
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1092] kernel32.dll!CreateNamedPipeA + 4 7C860CE0 1 Byte [84]
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1092] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 011100BD
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1092] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01100FC3
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1092] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01100F8A
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1092] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01100FDE
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1092] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01100FEF
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1092] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01100051
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1092] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01100000
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1092] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01100036
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1092] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01100025
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1092] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 010F0F9C
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1092] msvcrt.dll!system 77C293C7 5 Bytes JMP 010F0027
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1092] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 010F000C
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1092] msvcrt.dll!_open 77C2F566 5 Bytes JMP 010F0FEF
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1092] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 010F0FAD
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1092] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 010F0FDE
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1092] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 010E0FD4
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1092] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 010E0FEF
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1092] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 010E000A
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1092] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 010E0025
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[1092] WS2_32.dll!socket 71AB4211 5 Bytes JMP 010D0000
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 008A0FEF
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 008A0F92
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 008A0087
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 008A0076
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 008A005B
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 008A004A
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 008A0F66
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 008A0F77
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008A0F30
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 008A0F4B
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 008A00E4
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 008A0FC3
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 008A000A
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 008A00A2
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 008A002F
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 008A0FDE
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 008A00C9
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00800FC3
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00800F86
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00800014
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00800FDE
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00800F97
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00800FEF
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00800039
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00800FB2
.text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007F0058
.text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!system 77C293C7 5 Bytes JMP 007F0033
.text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007F0FDE
.text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007F0FEF
.text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007F0FC3
.text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007F0018
.text C:\WINDOWS\system32\svchost.exe[1296] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 007E0FD4
.text C:\WINDOWS\system32\svchost.exe[1296] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 007E0FEF
.text C:\WINDOWS\system32\svchost.exe[1296] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 007E0FB9
.text C:\WINDOWS\system32\svchost.exe[1296] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 007E0F9C
.text C:\WINDOWS\system32\svchost.exe[1296] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001C0FEF
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D70000
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D70073
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D70F7E
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D70062
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D70051
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D70036
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D70F5C
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D70F6D
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D70F26
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D700C9
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D700DA
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D70FAF
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D70FE5
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D7008E
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D70FC0
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D70011
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D70F4B
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00800FD4
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0080005B
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00800025
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00800014
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00800F9E
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00800FEF
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00800FAF
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [A0, 88]
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00800040
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007F0FB7
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!system 77C293C7 5 Bytes JMP 007F0042
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007F001D
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007F0FE3
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007F0FD2
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007F000C
.text C:\WINDOWS\system32\svchost.exe[1388] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 007E001B
.text C:\WINDOWS\system32\svchost.exe[1388] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 007E000A
.text C:\WINDOWS\system32\svchost.exe[1388] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 007E0FEF
.text C:\WINDOWS\system32\svchost.exe[1388] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 007E0042
.text C:\WINDOWS\system32\svchost.exe[1388] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001C000A
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007E0FE5
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007E0070
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007E0F85
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007E005F
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007E004E
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007E002C
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007E00A1
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007E0F59
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007E0F23
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007E00BC
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007E00CD
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 007E003D
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 007E0FD4
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 007E0F6A
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 007E001B
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 007E000A
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007E0F3E
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00790FC0
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00790F79
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00790011
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00790000
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00790F94
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00790FE5
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00790FAF
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [99, 88]
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0079002C
.text C:\WINDOWS\system32\svchost.exe[1708] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0078003D
.text C:\WINDOWS\system32\svchost.exe[1708] msvcrt.dll!system 77C293C7 5 Bytes JMP 00780FA8
.text C:\WINDOWS\system32\svchost.exe[1708] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00780FCD
.text C:\WINDOWS\system32\svchost.exe[1708] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00780FEF
.text C:\WINDOWS\system32\svchost.exe[1708] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00780018
.text C:\WINDOWS\system32\svchost.exe[1708] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00780FDE
.text C:\WINDOWS\system32\svchost.exe[1708] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00760FEF
.text C:\WINDOWS\Explorer.EXE[2824] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A2000A
.text C:\WINDOWS\Explorer.EXE[2824] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00B0000A
.text C:\WINDOWS\Explorer.EXE[2824] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A1000C
.text C:\WINDOWS\Explorer.EXE[2824] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02490FEF
.text C:\WINDOWS\Explorer.EXE[2824] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0249007A
.text C:\WINDOWS\Explorer.EXE[2824] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0249005F
.text C:\WINDOWS\Explorer.EXE[2824] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0249004E
.text C:\WINDOWS\Explorer.EXE[2824] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0249003D
.text C:\WINDOWS\Explorer.EXE[2824] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02490FA5
.text C:\WINDOWS\Explorer.EXE[2824] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0249009F
.text C:\WINDOWS\Explorer.EXE[2824] kernel32.dll!GetStartupInfoA 7C801EF2 3 Bytes JMP 02490F57
.text C:\WINDOWS\Explorer.EXE[2824] kernel32.dll!GetStartupInfoA + 4 7C801EF6 1 Byte [85]
.text C:\WINDOWS\Explorer.EXE[2824] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 024900D5
.text C:\WINDOWS\Explorer.EXE[2824] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02490F3C
.text C:\WINDOWS\Explorer.EXE[2824] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02490F2B
.text C:\WINDOWS\Explorer.EXE[2824] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0249002C
.text C:\WINDOWS\Explorer.EXE[2824] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02490000
.text C:\WINDOWS\Explorer.EXE[2824] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02490F74
.text C:\WINDOWS\Explorer.EXE[2824] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0249001B
.text C:\WINDOWS\Explorer.EXE[2824] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02490FCA
.text C:\WINDOWS\Explorer.EXE[2824] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 024900BA
.text C:\WINDOWS\Explorer.EXE[2824] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0231001E
.text C:\WINDOWS\Explorer.EXE[2824] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0231005B
.text C:\WINDOWS\Explorer.EXE[2824] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02310FCD
.text C:\WINDOWS\Explorer.EXE[2824] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02310FDE
.text C:\WINDOWS\Explorer.EXE[2824] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02310F9E
.text C:\WINDOWS\Explorer.EXE[2824] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02310FEF
.text C:\WINDOWS\Explorer.EXE[2824] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0231004A
.text C:\WINDOWS\Explorer.EXE[2824] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0231002F
.text C:\WINDOWS\Explorer.EXE[2824] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 018B003B
.text C:\WINDOWS\Explorer.EXE[2824] msvcrt.dll!system 77C293C7 5 Bytes JMP 018B0FA6
.text C:\WINDOWS\Explorer.EXE[2824] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 018B000C
.text C:\WINDOWS\Explorer.EXE[2824] msvcrt.dll!_open 77C2F566 5 Bytes JMP 018B0FE3
.text C:\WINDOWS\Explorer.EXE[2824] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 018B0FC1
.text C:\WINDOWS\Explorer.EXE[2824] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 018B0FD2
.text C:\WINDOWS\Explorer.EXE[2824] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 01750FCA
.text C:\WINDOWS\Explorer.EXE[2824] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 01750FEF
.text C:\WINDOWS\Explorer.EXE[2824] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 01750000
.text C:\WINDOWS\Explorer.EXE[2824] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 01750FA3
.text C:\WINDOWS\Explorer.EXE[2824] WS2_32.dll!socket 71AB4211 5 Bytes JMP 016C0FEF
.text C:\WINDOWS\system32\svchost.exe[2868] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C80FEF
.text C:\WINDOWS\system32\svchost.exe[2868] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C80071
.text C:\WINDOWS\system32\svchost.exe[2868] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C80F7C
.text C:\WINDOWS\system32\svchost.exe[2868] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C80F8D
.text C:\WINDOWS\system32\svchost.exe[2868] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C80F9E
.text C:\WINDOWS\system32\svchost.exe[2868] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C80FB9
.text C:\WINDOWS\system32\svchost.exe[2868] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C8009D
.text C:\WINDOWS\system32\svchost.exe[2868] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C80F55
.text C:\WINDOWS\system32\svchost.exe[2868] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C800D6
.text C:\WINDOWS\system32\svchost.exe[2868] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C80F33
.text C:\WINDOWS\system32\svchost.exe[2868] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C800F1
.text C:\WINDOWS\system32\svchost.exe[2868] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C80040
.text C:\WINDOWS\system32\svchost.exe[2868] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C80014
.text C:\WINDOWS\system32\svchost.exe[2868] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C8008C
.text C:\WINDOWS\system32\svchost.exe[2868] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C80FCA
.text C:\WINDOWS\system32\svchost.exe[2868] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C80025
.text C:\WINDOWS\system32\svchost.exe[2868] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C80F44
.text C:\WINDOWS\system32\svchost.exe[2868] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C70F9E
.text C:\WINDOWS\system32\svchost.exe[2868] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C70F61
.text C:\WINDOWS\system32\svchost.exe[2868] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C70FB9
.text C:\WINDOWS\system32\svchost.exe[2868] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C70FD4
.text C:\WINDOWS\system32\svchost.exe[2868] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C7001E
.text C:\WINDOWS\system32\svchost.exe[2868] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C70FEF
.text C:\WINDOWS\system32\svchost.exe[2868] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C70F7C
.text C:\WINDOWS\system32\svchost.exe[2868] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E7, 88] {OUT 0x88, EAX}
.text C:\WINDOWS\system32\svchost.exe[2868] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C70F8D
.text C:\WINDOWS\system32\svchost.exe[2868] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C60FAF
.text C:\WINDOWS\system32\svchost.exe[2868] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C60044
.text C:\WINDOWS\system32\svchost.exe[2868] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C60018
.text C:\WINDOWS\system32\svchost.exe[2868] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C60FEF
.text C:\WINDOWS\system32\svchost.exe[2868] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C60029
.text C:\WINDOWS\system32\svchost.exe[2868] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C60FDE

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CCD670F2-EDA4-5AF0-AC37-FCA551BC00D4}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CCD670F2-EDA4-5AF0-AC37-FCA551BC00D4}@oampmbffcekbpfhfhkkjdgcmgibnif 0x64 0x61 0x6E 0x62 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CCD670F2-EDA4-5AF0-AC37-FCA551BC00D4}@oaabmdcfbcgfpeklgkcdmbhihckpal 0x6A 0x61 0x6E 0x62 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CCD670F2-EDA4-5AF0-AC37-FCA551BC00D4}@naoaogmmcjlmlkhlfneojlhgjmfi 0x6A 0x61 0x6D 0x62 ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\compbatt.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Attached Files

  • Attached File  info.txt   32.26KB   8 downloads
  • Attached File  gmer.log   110.41KB   7 downloads

Edited by aommaster, 24 May 2010 - 01:27 AM.


#6 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • Gender:Male
  • Location:Dubai
  • Local time:04:39 AM

Posted 24 May 2010 - 01:30 AM

Hello, clairecobra.
No, it's fine. This particular infection prevents you from posting HJT logs. Once you're done with the following steps, please try to copy and paste the log.txt into your reply. Hopefully, you should have no problems then.
We need to disable TeaTimer
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click Mode and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press Yes
  5. Click on Tools
  6. Click on Resident
  7. Uncheck the following checkboxes:
    • Resident "SDHelper" (Internet Explorer bad download blocker) active.
    • Resident "TeaTimer" (Protection for over-all system settings) active.
  8. Close/Exit Spybot Search and Destroy


NEXT:

We need to run TDSSKiller
  1. Download TDSSKiller and save it to your Desktop.
  2. Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  3. Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks and do not include the word "Code") Then press OK.
    CODE
    "%userprofile%\Desktop\TDSSKiller.exe" -l "%userprofile%\Desktop\TDSSKiller.txt" -v

    **Note: If it says "Hidden service detected" DO NOT type anything in. Just press Enter.
  4. When it is done, a log file should be created on your desktop called "TDSSKiller.txt" please copy and paste the contents of that file here

In your next reply, please include the following:
  • TDSSKiller.txt

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM
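A small triage helper, added here as an example and not part of this thread or of either tool, that pulls the findings out of a GMER log and out of the TDSSKiller log that the -l switch in the steps above writes, then correlates the two on file path: a driver that GMER reports as a "suspicious modification" and that TDSSKiller reports as "Forged" (two different md5 values for the same file) is a strong rootkit indicator, and the summary line tells you whether the cure is still waiting on a reboot. The sample lines are constructed in the two tools' formats, with the compbatt.sys lines and both md5 values copied from the logs in this thread.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input in the formats GMER 1.0.15 and TDSSKiller 2.3.0.0 write.
# The compbatt.sys lines and both md5 values are copied from the logs in this thread;
# everything else is trimmed to the lines the parser cares about.
GMER_SAMPLE = r"""
---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\compbatt.sys suspicious modification
"""

TDSS_SAMPLE = r"""
14:16:08:125 5996 Compbatt (238149b3d0addbb1fa64a6168a159af7) C:\WINDOWS\system32\DRIVERS\compbatt.sys
14:16:08:125 5996 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\compbatt.sys. Real md5: 238149b3d0addbb1fa64a6168a159af7, Fake md5: 6e4c9f21f0fae8940661144f41b13203
14:16:13:000 5996 will be cured on next reboot
14:16:26:125 5996 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

# GMER findings: a boot sector flagged as rootkit-like, or a file whose image on disk
# differs from what the filesystem hands back ("suspicious modification").
GMER_SECTOR = re.compile(r"^Disk (\S+) sector (\d+): (.+)$")
GMER_FILE = re.compile(r"^File (.+?) suspicious modification$")

# TDSSKiller findings: a driver for which the tool obtains two different hashes
# ("Real" vs "Fake"), i.e. something is filtering what the file looks like, plus the
# summary line with the infected / cured / cured-on-reboot counters.
TDSS_FORGED = re.compile(
    r"Suspicious file \(Forged\): (.+?)\. Real md5: ([0-9a-f]{32}), Fake md5: ([0-9a-f]{32})"
)
TDSS_RESULTS = re.compile(
    r"File objects infected / cured / cured on reboot: (\d+) / (\d+) / (\d+)"
)


def parse_gmer(text: str) -> Tuple[List[int], List[str]]:
    """Return (sectors flagged rootkit-like, files flagged as modified)."""
    sectors: List[int] = []
    files: List[str] = []
    for line in text.splitlines():
        m = GMER_SECTOR.match(line)
        if m:
            if "rootkit-like behavior" in m.group(3):
                sectors.append(int(m.group(2)))
            continue
        m = GMER_FILE.match(line)
        if m:
            files.append(m.group(1))
    return sectors, files


def parse_tdsskiller(text: str) -> Tuple[Dict[str, Tuple[str, str]], Optional[Tuple[int, int, int]]]:
    """Return ({path: (real_md5, fake_md5)}, (infected, cured, cured_on_reboot) or None)."""
    forged: Dict[str, Tuple[str, str]] = {}
    results: Optional[Tuple[int, int, int]] = None
    for line in text.splitlines():
        m = TDSS_FORGED.search(line)
        if m:
            forged[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = TDSS_RESULTS.search(line)
        if m:
            results = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return forged, results


def norm_path(path: str) -> str:
    """NTFS paths are case-insensitive and the two tools differ in case (drivers vs DRIVERS)."""
    return path.lower()


def correlate(gmer_text: str, tdss_text: str) -> dict:
    """Cross-check both logs: a file flagged by both tools is a strong rootkit indicator."""
    sectors, gmer_files = parse_gmer(gmer_text)
    forged, results = parse_tdsskiller(tdss_text)
    gmer_set = {norm_path(p) for p in gmer_files}
    tdss_set = {norm_path(p) for p in forged}
    return {
        "rootkit_sectors": sectors,
        "confirmed_by_both": sorted(gmer_set & tdss_set),
        "gmer_only": sorted(gmer_set - tdss_set),
        "tdss_only": sorted(tdss_set - gmer_set),
        # True when the two reads disagree, which is what the "Forged" verdict means
        "hash_mismatch": {norm_path(p): real != fake for p, (real, fake) in forged.items()},
        # cured_on_reboot > 0 means the fix is not applied until the machine restarts
        "pending_reboot": bool(results and results[2] > 0),
    }


if __name__ == "__main__":
    for key, value in correlate(GMER_SAMPLE, TDSS_SAMPLE).items():
        print(f"{key}: {value}")
```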


#7 clairecobra

clairecobra
  • Topic Starter

  • Members
  • 28 posts
  • Local time:08:39 PM

Posted 24 May 2010 - 01:19 PM

I opened SpyBot, but those two options were already unchecked.



14:16:04:921 5996 TDSS rootkit removing tool 2.3.0.0 May 12 2010 18:11:17
14:16:04:921 5996 ================================================================================
14:16:04:921 5996 SystemInfo:

14:16:04:921 5996 OS Version: 5.1.2600 ServicePack: 3.0
14:16:04:921 5996 Product type: Workstation
14:16:04:921 5996 ComputerName: CRIMKUS
14:16:04:937 5996 UserName: Claire-bear
14:16:04:937 5996 Windows directory: C:\WINDOWS
14:16:04:937 5996 Processor architecture: Intel x86
14:16:04:937 5996 Number of processors: 2
14:16:04:937 5996 Page size: 0x1000
14:16:04:937 5996 Boot type: Normal boot
14:16:04:937 5996 ================================================================================
14:16:04:937 5996 UnloadDriverW: NtUnloadDriver error 2
14:16:04:937 5996 ForceUnloadDriverW: UnloadDriverW(klmd23) error 2
14:16:05:125 5996 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
14:16:05:125 5996 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
14:16:05:125 5996 wfopen_ex: Trying to KLMD file open
14:16:05:125 5996 wfopen_ex: File opened ok (Flags 2)
14:16:05:125 5996 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
14:16:05:125 5996 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
14:16:05:125 5996 wfopen_ex: Trying to KLMD file open
14:16:05:125 5996 wfopen_ex: File opened ok (Flags 2)
14:16:05:125 5996 KLAVA engine initialized
14:16:05:375 5996 Initialize success
14:16:05:375 5996
14:16:05:375 5996 Scanning Services ...
14:16:05:921 5996 Raw services enum returned 420 services
14:16:05:937 5996
14:16:05:937 5996 Scanning Drivers ...
14:16:08:125 5996 Compbatt (238149b3d0addbb1fa64a6168a159af7) C:\WINDOWS\system32\DRIVERS\compbatt.sys
14:16:08:125 5996 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\compbatt.sys. Real md5: 238149b3d0addbb1fa64a6168a159af7, Fake md5: 6e4c9f21f0fae8940661144f41b13203
14:16:08:125 5996 File "C:\WINDOWS\system32\DRIVERS\compbatt.sys" infected by TDSS rootkit ... 14:16:12:781 5996 Backup copy found, using it..
14:16:13:000 5996 will be cured on next reboot
14:16:26:000 5996 Reboot required for cure complete..
14:16:26:125 5996 Cure on reboot scheduled successfully
14:16:26:125 5996
14:16:26:125 5996 Completed
14:16:26:125 5996
14:16:26:125 5996 Results:
14:16:26:125 5996 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
14:16:26:125 5996 File objects infected / cured / cured on reboot: 1 / 0 / 1
14:16:26:125 5996
14:16:26:125 5996 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
14:16:26:125 5996 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
14:16:26:125 5996 UnloadDriverW: NtUnloadDriver error 1
14:16:26:140 5996 KLMD(ARK) unloaded successfully



And uploading log.txt still hangs. I'll try to copy it into the message body

Logfile of random's system information tool 1.07 (written by random/random)
Run by Claire-bear at 2010-05-23 23:54:29
Microsoft Windows XP Professional Service Pack 3
System drive C: has 11 GB (22%) free of 52 GB
Total RAM: 1014 MB (20% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 23:55:05, on 5/23/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\keyacc32.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusSc

I opened SpyBot, but those two options were already unchecked
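
The interesting line in the TDSSKiller log above is the one that reports compbatt.sys as Forged: the hash TDSSKiller reads beneath the rootkit's hook ("Real md5") differs from the one the hooked file read returns ("Fake md5"), and the cure is deferred to the next reboot. The following is an added example (not code from TDSSKiller, and not posted by anyone in this thread) that parses this log format and reduces it to the findings a responder has to act on: forged drivers, infected files, the infected/cured/cured-on-reboot tally, and whether the reboot cure was actually scheduled. The regular expressions, the Report fields and the triage rules are assumptions derived from the lines shown above; the sample lines are constructed in the same format using the values from the log.

```python
import re
from dataclasses import dataclass, field

# Line shapes taken from the TDSSKiller log above. Assumption: other tool
# versions may format lines differently; adjust the patterns if they do.
DRIVER_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d:\d{3}) (?P<pid>\d+) (?P<svc>\S+) "
    r"\((?P<md5>[0-9a-f]{32})\) (?P<path>\S.*?)\s*$"
)
FORGED_RE = re.compile(
    r"Suspicious file \(Forged\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})"
)
INFECTED_RE = re.compile(r'File "(?P<path>[^"]+)" infected by (?P<what>.+?) \.\.\.')
RESULTS_RE = re.compile(
    r"File objects infected / cured / cured on reboot: (\d+) / (\d+) / (\d+)"
)


@dataclass
class Report:
    drivers: dict = field(default_factory=dict)   # service -> (md5, path)
    forged: list = field(default_factory=list)    # path, real, fake, service
    infected: list = field(default_factory=list)  # path, what
    reboot_required: bool = False
    cure_scheduled: bool = False
    results: tuple = (0, 0, 0)                    # infected, cured, cured on reboot


def parse_tdsskiller(lines):
    """Build a Report from TDSSKiller-style log lines."""
    rep = Report()
    last_service = None
    for line in lines:
        m = FORGED_RE.search(line)
        if m:
            # The forged notice follows the inventory line of the same
            # driver, so attribute it to the service seen last.
            rep.forged.append({**m.groupdict(), "service": last_service})
            continue
        m = INFECTED_RE.search(line)
        if m:
            rep.infected.append(m.groupdict())
            continue
        m = RESULTS_RE.search(line)
        if m:
            rep.results = tuple(int(x) for x in m.groups())
            continue
        if "Reboot required for cure" in line:
            rep.reboot_required = True
            continue
        if "Cure on reboot scheduled successfully" in line:
            rep.cure_scheduled = True
            continue
        m = DRIVER_RE.match(line)
        if m:
            last_service = m.group("svc")
            rep.drivers[last_service] = (m.group("md5"), m.group("path"))
    return rep


def triage(rep):
    """Reduce a Report to the findings a responder has to act on."""
    findings = []
    for f in rep.forged:
        inv = rep.drivers.get(f["service"])
        # In the log above the inventory hash equals the "Real md5" (the read
        # beneath the hook); flag it if a log ever disagrees with itself.
        consistent = inv is not None and inv[0] == f["real"]
        findings.append(
            f"FORGED {f['path']} (service {f['service']}): real {f['real']} "
            f"vs fake {f['fake']}; inventory hash "
            f"{'matches' if consistent else 'differs from'} real md5"
        )
    for i in rep.infected:
        findings.append(f"INFECTED {i['path']}: {i['what']}")
    infected, cured, on_reboot = rep.results
    if infected > cured + on_reboot:
        findings.append(f"UNRESOLVED: {infected - cured - on_reboot} infected "
                        "object(s) neither cured nor scheduled for cure")
    if rep.reboot_required and not rep.cure_scheduled:
        findings.append("REBOOT: cure needs a reboot but none was scheduled")
    elif rep.reboot_required:
        findings.append("REBOOT: reboot, then rescan to confirm the cure took")
    return findings


# Constructed sample: a few lines in the format of the log above.
SAMPLE_LOG = r"""
14:16:05:937 5996 Scanning Drivers ...
14:16:07:484 5996 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
14:16:08:125 5996 Compbatt (238149b3d0addbb1fa64a6168a159af7) C:\WINDOWS\system32\DRIVERS\compbatt.sys
14:16:08:125 5996 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\compbatt.sys. Real md5: 238149b3d0addbb1fa64a6168a159af7, Fake md5: 6e4c9f21f0fae8940661144f41b13203
14:16:08:125 5996 File "C:\WINDOWS\system32\DRIVERS\compbatt.sys" infected by TDSS rootkit ... 14:16:12:781 5996 Backup copy found, using it..
14:16:13:000 5996 will be cured on next reboot
14:16:17:125 5996 mferkdk (2f875c69112eeed976b7d7e397fd6871) C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys
14:16:26:000 5996 Reboot required for cure complete..
14:16:26:125 5996 Cure on reboot scheduled successfully
14:16:26:125 5996 File objects infected / cured / cured on reboot: 1 / 0 / 1
""".strip().splitlines()

if __name__ == "__main__":
    for finding in triage(parse_tdsskiller(SAMPLE_LOG)):
        print(finding)
```

Run it against a saved TDSSKiller log by replacing SAMPLE_LOG with the file's lines. The UNRESOLVED rule is the one worth keeping an eye on: a log where the infected count exceeds cured plus cured-on-reboot means the tool found something it could not fix, which is exactly the case where a helper would ask for the full log rather than the summary.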

#8 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:04:39 AM

Posted 24 May 2010 - 01:39 PM

Hello, clairecobra.
Okay, let's do the following
We need to download and run ComboFix (by sUBs)
  1. Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
    They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". For more details, please check this thread
  2. Please download ComboFix from one of these locations:
    Link 1
    Link 2
    ** IMPORTANT !!! Save ComboFix.exe to your Desktop
  3. Double click on ComboFix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  5. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  6. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    The Recovery Console was successfully installed. Click 'Yes' to continue scanning for malware. Click 'No' to exit
  7. Click on Yes, to continue scanning for malware.
  8. When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
**A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
**This tool is not a toy and not for everyday use.
**ComboFix SHOULD NOT be used unless requested by a forum helper


In your next reply, please include the following:
  • ComboFix.txt

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#9 clairecobra

clairecobra
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:08:39 PM

Posted 24 May 2010 - 01:50 PM

I can't disable my real-time anti-virus protection. I have McAfee VirusScan Enterprise 8.5. Normally I would right click on the logo in the system tray and choose "Disable On-Access Scan," which I have done before, but now it is grayed out. Opening the VirusScan console and right clicking on On-Access Scanner is also grayed out.


#10 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:04:39 AM

Posted 24 May 2010 - 01:58 PM

Okay, go ahead and run combofix then as is.

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#11 clairecobra

clairecobra
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:08:39 PM

Posted 25 May 2010 - 10:27 PM

ComboFix 10-05-25.02 - Claire-bear 05/25/2010 22:28:46.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.342 [GMT -4:00]
Running from: c:\documents and settings\Claire-bear\Desktop\ComboFix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Claire-bear\Application Data\69F7D536A17E736E352F8C6820DC01F4
c:\documents and settings\Claire-bear\Application Data\69F7D536A17E736E352F8C6820DC01F4\enemies-names.txt
c:\documents and settings\Claire-bear\Application Data\69F7D536A17E736E352F8C6820DC01F4\lsrslt.ini
c:\documents and settings\Claire-bear\Application Data\ATManager
c:\documents and settings\Claire-bear\Application Data\ATManager\languages\Czech.lng
c:\documents and settings\Claire-bear\Application Data\ATManager\languages\Danish.lng
c:\documents and settings\Claire-bear\Application Data\ATManager\languages\Dutch.lng
c:\documents and settings\Claire-bear\Application Data\ATManager\languages\English.lng
c:\documents and settings\Claire-bear\Application Data\ATManager\languages\French.lng
c:\documents and settings\Claire-bear\Application Data\ATManager\languages\German.lng
c:\documents and settings\Claire-bear\Application Data\ATManager\languages\Italian.lng
c:\documents and settings\Claire-bear\Application Data\ATManager\languages\Portuguese.lng
c:\documents and settings\Claire-bear\Application Data\ATManager\settings.ini
c:\documents and settings\Claire-bear\Application Data\ATManager\wallpaper.jpg
C:\LOG1C.tmp
c:\program files\WinPCap
c:\program files\WinPCap\daemon_mgm.exe
c:\program files\WinPCap\INSTALL.LOG
c:\program files\WinPCap\npf_mgm.exe
c:\program files\WinPCap\rpcapd.exe
c:\program files\WinPCap\Uninstall.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\wpcap.dll
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_NPF
-------\Service_6to4
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2010-04-26 to 2010-05-26 )))))))))))))))))))))))))))))))
.

2010-05-26 02:19 . 2010-05-12 15:21 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-24 03:54 . 2010-05-24 03:55 -------- d-----w- C:\rsit
2010-05-24 03:54 . 2010-05-24 03:55 -------- d-----w- c:\program files\trend micro
2010-05-18 04:19 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-18 04:19 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-15 05:05 . 2010-05-18 20:07 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-05-15 05:05 . 2010-05-15 05:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-05-15 05:04 . 2010-05-15 05:04 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-05-13 01:55 . 2010-05-13 01:55 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-05-13 01:02 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-05-13 01:02 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
2010-05-13 00:58 . 2010-05-13 00:58 -------- d-----w- c:\documents and settings\Claire-bear\Local Settings\Application Data\vdgibhvij
2010-05-12 01:46 . 2010-05-12 01:46 -------- d-----w- c:\program files\Common Files\Thomson ResearchSoft
2010-05-12 01:44 . 2010-05-12 01:46 -------- d-----w- c:\program files\EndNote X1
2010-04-29 17:40 . 2010-04-29 17:42 -------- d-----w- c:\program files\iTunes
2010-04-29 17:33 . 2010-04-29 17:33 -------- d-----w- c:\program files\Bonjour

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-26 02:08 . 2006-08-01 14:32 10240 ----a-w- c:\windows\system32\drivers\compbatt.sys
2010-05-25 19:21 . 2009-05-07 18:07 -------- d-----w- c:\documents and settings\Claire-bear\Application Data\EndNote
2010-05-25 19:20 . 2006-08-07 23:54 -------- d-----w- c:\program files\Dl_cats
2010-05-24 18:35 . 2008-08-29 03:56 -------- d-----w- c:\documents and settings\Claire-bear\Application Data\Skype
2010-05-24 18:09 . 2009-08-25 21:54 -------- d-----w- c:\documents and settings\Claire-bear\Application Data\skypePM
2010-05-24 18:09 . 2009-04-30 15:44 -------- d-----w- c:\documents and settings\Claire-bear\Application Data\.purple
2010-05-24 06:14 . 2010-05-24 06:14 503808 ----a-w- c:\documents and settings\Claire-bear\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-54a9b6cb-n\msvcp71.dll
2010-05-24 06:14 . 2010-05-24 06:14 499712 ----a-w- c:\documents and settings\Claire-bear\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-54a9b6cb-n\jmc.dll
2010-05-24 06:14 . 2010-05-24 06:14 348160 ----a-w- c:\documents and settings\Claire-bear\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-54a9b6cb-n\msvcr71.dll
2010-05-18 04:19 . 2009-03-29 20:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-18 02:27 . 2010-05-14 15:19 63488 ----a-w- c:\documents and settings\Claire-bear\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-18 02:27 . 2009-03-31 15:25 117760 -c--a-w- c:\documents and settings\Claire-bear\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-13 01:11 . 2008-12-07 01:58 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-12 01:46 . 2009-05-07 16:10 -------- d-----w- c:\program files\Common Files\Risxtd
2010-04-29 17:40 . 2006-08-08 00:30 -------- d-----w- c:\program files\iPod
2010-04-29 17:40 . 2007-09-11 19:46 -------- d-----w- c:\program files\Common Files\Apple
2010-04-29 17:30 . 2010-04-29 17:30 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-04-28 00:21 . 2010-02-24 02:25 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-04-25 22:55 . 2010-04-25 22:55 -------- d-----w- c:\documents and settings\LocalService\Application Data\Softland
2010-04-25 22:55 . 2010-04-25 22:55 -------- d-----w- c:\documents and settings\Claire-bear\Application Data\Softland
2010-04-25 22:54 . 2010-04-25 22:54 -------- d-----w- c:\program files\Softland
2010-04-09 01:21 . 2010-04-09 01:19 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-09 01:14 . 2010-04-09 01:13 -------- d-----w- c:\program files\QuickTime
2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-01 19:02 . 2010-04-25 22:54 22856 ----a-w- c:\windows\system32\dopdfmn7.dll
2010-04-01 19:02 . 2010-04-25 22:54 19784 ----a-w- c:\windows\system32\dopdfmi7.dll
2008-09-07 17:17 . 2008-09-07 17:15 54333208 ----a-w- c:\program files\jdk-1_5_0_16-windows-i586-p.exe
2008-11-08 19:56 . 2007-06-25 02:13 88 --sh--r- c:\windows\system32\F0AA5F4048.sys
2008-11-08 19:56 . 2007-06-25 02:13 3558 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"Google Update"="c:\documents and settings\Claire-bear\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-17 136176]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="realsched.exe -osboot" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-07-16 290816]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"DLCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll" [2005-09-08 73728]
"dlcgmon.exe"="c:\program files\Dell AIO 810\dlcgmon.exe" [2005-10-21 425984]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2006-06-26 614960]
"KeyAccess"="kass.exe" [2008-10-29 82624]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-05-23 111952]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-8-1 24576]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-10-31 01:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\katrack.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\keyacc32.exe"=
"c:\\Program Files\\Mozilla Firefox\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Mozilla Firefox\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/23/2010 21:17 64288]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [10/23/2006 22:36 58464]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [11/17/2008 16:11 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/17/2008 16:11 68168]
R2 KeyAccess;KeyAccess;c:\windows\keyacc32.exe [10/29/2008 12:23 1041088]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 1314704]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/21/2007 14:35 24652]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 20:19 13592]
R3 JakNDisMP;JakNDisMP;c:\windows\system32\drivers\JakNDis.sys [5/11/2009 14:53 21504]
S0 ocnpa;ocnpa; [x]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/17/2008 16:11 12872]
.
Contents of the 'Scheduled Tasks' folder

2010-05-26 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 00:18]

2010-05-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]

2010-05-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-963003118-3160188535-2920444685-1006Core.job
- c:\documents and settings\Claire-bear\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-17 01:21]

2010-05-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-963003118-3160188535-2920444685-1006UA.job
- c:\documents and settings\Claire-bear\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-17 01:21]

2010-05-25 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Claire-bear.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2010-05-18 19:39]

2010-05-25 c:\windows\Tasks\Malwarebytes' Scheduled Update for Claire-bear.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2010-05-18 19:39]

2010-05-26 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download by Orbit - c:\program files\Mozilla Firefox\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Mozilla Firefox\Orbitdownloader\orbitmxt.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Do&wnload selected by Orbit - c:\program files\Mozilla Firefox\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Mozilla Firefox\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Claire-bear\Application Data\Mozilla\Firefox\Profiles\mai82q6w.default\
FF - prefs.js: browser.search.selectedEngine - GoogleCOM
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - hxxp://www.afreesearch.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - plugin: c:\documents and settings\Claire-bear\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Claire-bear\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: browser.search.selectedEngine - GoogleCOM
FF - user.js: keyword.URL - hxxp://www.afreesearch.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-{BA419DAD-9619-1C36-848C-DE2D3087A98B} - (no file)
HKCU-Run-gotnewupdate000.exe - c:\documents and settings\Claire-bear\Application Data\69F7D536A17E736E352F8C6820DC01F4\gotnewupdate000.exe
SafeBoot-klmdb.sys
AddRemove-AdobeESD - c:\program files\Common Files\Adobe\ESD\uninst.exe
AddRemove-DreamStation DXi2 - c:\windows\DSDXIRMV.EXE
AddRemove-Scrabble - c:\scrabble\DeIsL1.isu
AddRemove-Sibelius 3 - c:\progra~1\SIBELI~1\SIBELI~1\UNWISE.EXE
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
AddRemove-WinPcapInst - c:\program files\WinPcap\Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-25 23:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16??????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-963003118-3160188535-2920444685-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CCD670F2-EDA4-5AF0-AC37-FCA551BC00D4}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oampmbffcekbpfhfhkkjdgcmgibnif"=hex:64,61,6e,62,61,6e,63,66,00,e0
"oaabmdcfbcgfpeklgkcdmbhihckpal"=hex:6a,61,6e,62,6c,6d,70,62,63,6a,68,61,70,6c,
69,6c,61,6b,62,6a,00,fd
"naoaogmmcjlmlkhlfneojlhgjmfi"=hex:6a,61,6d,62,70,68,70,66,6b,70,66,64,67,61,
69,62,67,6f,67,6c,00,fd
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(596)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'explorer.exe'(6148)
c:\program files\Common Files\Logitech\LVMVFM\LVPrcInj.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP3\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\Network Associates\Common Framework\naPrdMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\windows\stsystra.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Network Associates\Common Framework\McTray.exe
c:\windows\system32\dlcgcoms.exe
c:\windows\kass.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\documents and settings\Claire-bear\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
c:\program files\Common Files\Logitech\LComMgr\Communications_Helper.exe
c:\program files\Common Files\Logitech\LComMgr\LVComSX.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Logitech\QuickCam10\COCIManager.exe
.
**************************************************************************
.
Completion time: 2010-05-25 23:16:40 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-26 03:16

Pre-Run: 11,409,588,224 bytes free
Post-Run: 12,211,802,112 bytes free

- - End Of File - - A6401E867B88F1396BCCABD53A971E04

Edited by aommaster, 25 May 2010 - 11:04 PM.


#12 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:04:39 AM

Posted 25 May 2010 - 11:06 PM

Hello, clairecobra.
How's your computer doing now? Is it any better?
We need to run a Combofix script
  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open Notepad and copy/paste the text in the codebox below into it. Do not copy the word "code".
    CODE
    Driver::
    ocnpa
  4. Save this as CFScript.txt, in the same location as ComboFix.exe
  5. Now, drag and drop CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

In your next reply, please include the following:
  • ComboFix.txt

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM
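The CFScript above tells ComboFix to remove the `ocnpa` driver, which the earlier log listed as `S0 ocnpa;ocnpa; [x]`: a boot-start entry with no file left on disk. As an added example (not part of the thread, and not ComboFix's own code), the Python script below pulls such `[X]` entries and the AppInit_DLLs load point out of a ComboFix log for review; the sample lines are excerpted from the log posted above, and the regular expressions assume the line layout shown there.

```python
"""Triage helper for ComboFix logs (added example, not part of ComboFix).

ComboFix's "Reg Loading Points" section lists drivers/services as

    <StartType> <Name>;<DisplayName>;<ImagePath> [<date> <time> <size>]

and Run-key values as

    "<Name>"="<command>" [<date> <size>]

When the referenced file cannot be found on disk, the bracket holds only
"[X]" (or "[x]"). A boot-start (S0/R0) driver with no file behind it, such as
the "ocnpa" entry in this thread, is the kind of leftover a helper targets
with a CFScript, so this script lists those for review, together with the
AppInit_DLLs value (a DLL load point for every GUI process on Windows XP).
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]*);(?P<display>[^;]*);"
    r"(?P<path>[^\[]*)\[(?P<info>[^\]]*)\]\s*$"
)
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<info>[^\]]*)\]\s*$')
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(?P<dlls>.+)$')


@dataclass
class Finding:
    kind: str    # "missing-file" or "appinit-dll"
    source: str  # "service", "run" or "winlogon"
    name: str
    detail: str


def triage(lines: Iterable[str]) -> List[Finding]:
    """Return review-worthy load points found in ComboFix log lines."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.rstrip()
        m = SERVICE_RE.match(line)
        if m:
            # "[X]" in place of date/size: the image file was not found.
            if m.group("info").strip().lower() == "x":
                path = m.group("path").strip() or "<no image path>"
                start = m.group("start")
                detail = f"start={start} path={path}"
                if start.endswith("0"):
                    detail += " (boot-start driver with no file on disk)"
                findings.append(Finding("missing-file", "service", m.group("name"), detail))
            continue
        m = RUN_RE.match(line)
        if m:
            if m.group("info").strip().lower() == "x":
                findings.append(Finding("missing-file", "run", m.group("name"), m.group("cmd")))
            continue
        m = APPINIT_RE.match(line)
        if m:
            # Any DLL listed here is injected into every user32-linked process; always review it.
            findings.append(Finding("appinit-dll", "winlogon", "AppInit_DLLs", m.group("dlls").strip()))
    return findings


# Sample input: lines excerpted from the ComboFix log posted earlier in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="realsched.exe -osboot" [X]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"KeyAccess"="kass.exe" [2008-10-29 82624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\katrack.dll

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/23/2010 21:17 64288]
R2 KeyAccess;KeyAccess;c:\windows\keyacc32.exe [10/29/2008 12:23 1041088]
S0 ocnpa;ocnpa; [x]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/17/2008 16:11 12872]
"""


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.kind:13} {f.source:8} {f.name:14} {f.detail}")
```

A flagged entry is a starting point for review, not a verdict: a missing-file Run value is often just a stale uninstall, while a boot-start driver with no file behind it deserves a closer look.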


#13 clairecobra

clairecobra
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:08:39 PM

Posted 26 May 2010 - 07:31 AM

So far, I am no longer having the search engine redirect issues.



ComboFix 10-05-25.05 - Claire-bear 05/26/2010 7:42.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.224 [GMT -4:00]
Running from: c:\documents and settings\Claire-bear\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Claire-bear\Desktop\CFScript.txt
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OCNPA
-------\Service_ocnpa


((((((((((((((((((((((((( Files Created from 2010-04-26 to 2010-05-26 )))))))))))))))))))))))))))))))
.

2010-05-26 02:21 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-05-26 02:19 . 2010-05-12 15:21 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-24 03:54 . 2010-05-24 03:55 -------- d-----w- C:\rsit
2010-05-24 03:54 . 2010-05-24 03:55 -------- d-----w- c:\program files\trend micro
2010-05-18 04:19 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-18 04:19 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-15 05:05 . 2010-05-18 20:07 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-05-15 05:05 . 2010-05-15 05:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-05-15 05:04 . 2010-05-15 05:04 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-05-13 01:55 . 2010-05-13 01:55 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-05-13 01:02 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-05-13 01:02 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
2010-05-13 00:58 . 2010-05-13 00:58 -------- d-----w- c:\documents and settings\Claire-bear\Local Settings\Application Data\vdgibhvij
2010-05-12 01:46 . 2010-05-12 01:46 -------- d-----w- c:\program files\Common Files\Thomson ResearchSoft
2010-05-12 01:44 . 2010-05-12 01:46 -------- d-----w- c:\program files\EndNote X1
2010-04-29 17:40 . 2010-04-29 17:42 -------- d-----w- c:\program files\iTunes
2010-04-29 17:33 . 2010-04-29 17:33 -------- d-----w- c:\program files\Bonjour

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-26 02:08 . 2006-08-01 14:32 10240 ----a-w- c:\windows\system32\drivers\compbatt.sys
2010-05-25 19:21 . 2009-05-07 18:07 -------- d-----w- c:\documents and settings\Claire-bear\Application Data\EndNote
2010-05-25 19:20 . 2006-08-07 23:54 -------- d-----w- c:\program files\Dl_cats
2010-05-24 18:35 . 2008-08-29 03:56 -------- d-----w- c:\documents and settings\Claire-bear\Application Data\Skype
2010-05-24 18:09 . 2009-08-25 21:54 -------- d-----w- c:\documents and settings\Claire-bear\Application Data\skypePM
2010-05-24 18:09 . 2009-04-30 15:44 -------- d-----w- c:\documents and settings\Claire-bear\Application Data\.purple
2010-05-18 04:19 . 2009-03-29 20:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-13 01:11 . 2008-12-07 01:58 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-12 01:46 . 2009-05-07 16:10 -------- d-----w- c:\program files\Common Files\Risxtd
2010-04-29 17:40 . 2006-08-08 00:30 -------- d-----w- c:\program files\iPod
2010-04-29 17:40 . 2007-09-11 19:46 -------- d-----w- c:\program files\Common Files\Apple
2010-04-28 00:21 . 2010-02-24 02:25 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-04-26 01:44 . 2010-04-26 01:44 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Softland
2010-04-25 22:55 . 2010-04-25 22:55 -------- d-----w- c:\documents and settings\LocalService\Application Data\Softland
2010-04-25 22:55 . 2010-04-25 22:55 -------- d-----w- c:\documents and settings\Claire-bear\Application Data\Softland
2010-04-25 22:54 . 2010-04-25 22:54 -------- d-----w- c:\program files\Softland
2010-04-09 01:21 . 2010-04-09 01:19 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-09 01:14 . 2010-04-09 01:13 -------- d-----w- c:\program files\QuickTime
2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-01 19:02 . 2010-04-25 22:54 22856 ----a-w- c:\windows\system32\dopdfmn7.dll
2010-04-01 19:02 . 2010-04-25 22:54 19784 ----a-w- c:\windows\system32\dopdfmi7.dll
2010-03-09 11:09 . 2004-08-11 22:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 05:43 . 2004-08-11 22:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 05:43 . 2004-08-11 22:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2008-09-07 17:17 . 2008-09-07 17:15 54333208 ----a-w- c:\program files\jdk-1_5_0_16-windows-i586-p.exe
2008-11-08 19:56 . 2007-06-25 02:13 88 --sh--r- c:\windows\system32\F0AA5F4048.sys
2008-11-08 19:56 . 2007-06-25 02:13 3558 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"Google Update"="c:\documents and settings\Claire-bear\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-17 136176]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="realsched.exe -osboot" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-07-16 290816]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"DLCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll" [2005-09-08 73728]
"dlcgmon.exe"="c:\program files\Dell AIO 810\dlcgmon.exe" [2005-10-21 425984]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2006-06-26 614960]
"KeyAccess"="kass.exe" [2008-10-29 82624]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-05-23 111952]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-8-1 24576]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-10-31 01:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\katrack.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\keyacc32.exe"=
"c:\\Program Files\\Mozilla Firefox\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Mozilla Firefox\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/23/2010 21:17 64288]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [10/23/2006 22:36 58464]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [11/17/2008 16:11 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/17/2008 16:11 68168]
R2 KeyAccess;KeyAccess;c:\windows\keyacc32.exe [10/29/2008 12:23 1041088]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 1314704]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/21/2007 14:35 24652]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 20:19 13592]
R3 JakNDisMP;JakNDisMP;c:\windows\system32\drivers\JakNDis.sys [5/11/2009 14:53 21504]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/17/2008 16:11 12872]
.
Contents of the 'Scheduled Tasks' folder

2010-05-26 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 00:18]

2010-05-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]

2010-05-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-963003118-3160188535-2920444685-1006Core.job
- c:\documents and settings\Claire-bear\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-17 01:21]

2010-05-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-963003118-3160188535-2920444685-1006UA.job
- c:\documents and settings\Claire-bear\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-17 01:21]

2010-05-25 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Claire-bear.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2010-05-18 19:39]

2010-05-25 c:\windows\Tasks\Malwarebytes' Scheduled Update for Claire-bear.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2010-05-18 19:39]

2010-05-26 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download by Orbit - c:\program files\Mozilla Firefox\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Mozilla Firefox\Orbitdownloader\orbitmxt.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Do&wnload selected by Orbit - c:\program files\Mozilla Firefox\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Mozilla Firefox\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Claire-bear\Application Data\Mozilla\Firefox\Profiles\mai82q6w.default\
FF - prefs.js: browser.search.selectedEngine - GoogleCOM
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - hxxp://www.afreesearch.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - plugin: c:\documents and settings\Claire-bear\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Claire-bear\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: browser.search.selectedEngine - GoogleCOM
FF - user.js: keyword.URL - hxxp://www.afreesearch.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-26 08:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-963003118-3160188535-2920444685-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CCD670F2-EDA4-5AF0-AC37-FCA551BC00D4}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oampmbffcekbpfhfhkkjdgcmgibnif"=hex:64,61,6e,62,61,6e,63,66,00,e0
"oaabmdcfbcgfpeklgkcdmbhihckpal"=hex:6a,61,6e,62,6c,6d,70,62,63,6a,68,61,70,6c,
69,6c,61,6b,62,6a,00,fd
"naoaogmmcjlmlkhlfneojlhgjmfi"=hex:6a,61,6d,62,70,68,70,66,6b,70,66,64,67,61,
69,62,67,6f,67,6c,00,fd
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(596)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'explorer.exe'(7344)
c:\program files\Common Files\Logitech\LVMVFM\LVPrcInj.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP3\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Network Associates\Common Framework\naPrdMgr.exe
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\stsystra.exe
c:\program files\Network Associates\Common Framework\McTray.exe
c:\windows\system32\dlcgcoms.exe
c:\windows\kass.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\documents and settings\Claire-bear\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
c:\program files\Common Files\Logitech\LComMgr\Communications_Helper.exe
c:\program files\Common Files\Logitech\LComMgr\LVComSX.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Logitech\QuickCam10\COCIManager.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-05-26 08:16:24 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-26 12:16
ComboFix2.txt 2010-05-26 03:16

Pre-Run: 11,931,426,816 bytes free
Post-Run: 11,901,374,464 bytes free

- - End Of File - - 3675CD70F6B8A85819855066E06C8ED2


#14 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:04:39 AM

Posted 26 May 2010 - 08:50 AM

Hello, clairecobra.
Good to hear.
We need to update your version of Java

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:
  1. Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  2. Look for "JDK 6 Update 20 (JDK or JRE)".
  3. Click the Download JRE button to the right.
  4. Select your Platform: "Windows".
  5. Select your Language: "Multi-language".
  6. Read the License Agreement, and then check the box that says: "Accept License Agreement".
  7. Click Continue and the page will refresh.
  8. Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  9. Close any programs you may have running - especially your web browser.
  10. Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  11. Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  12. Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  13. Repeat as many times as necessary to remove each Java version.
  14. Reboot your computer once all Java components are removed.
  15. Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Please make sure you turn on the Java Automatic Update Feature

Then you will not have to remember to update it when Java introduces a new version.
Java is updated very frequently, and the old versions are malware magnets.

Note: This feature is available only on Windows XP, 2003, 2000 (SP2 or higher) and set by default for these operating systems.

NEXT:

We need to run an ESET Online Scan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the ESET Online Scanner button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on Export to text file... to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the Eset Smart Installer icon on your desktop.
  4. Check the "YES, I accept the Terms of Use" box.
  5. Click the Start button.
  6. Accept any security warnings from your browser.
  7. Check Scan archives
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push "List of found threats"
  11. Push "Export to text file", and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the "<" button.
  13. Push Finish

In your next reply, please include the following:
  • Eset Scan Log

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#15 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:04:39 AM

Posted 29 May 2010 - 12:48 AM

Hello clairecobra
Are you still with us?





