
Internet Search Results Redirected


  • This topic is locked
15 replies to this topic

#1 scotts18

scotts18

  • Members
  • 8 posts
  • OFFLINE
  • Local time:01:46 AM

Posted 17 November 2010 - 08:49 PM

Most of the time my internet search results are being redirected. I have tried Firefox and IE; in both, the search results are redirected. DDS log is as follows:


DDS (Ver_10-11-10.01) - NTFSx86
Run by Rachel at 18:16:39.18 on Wed 11/17/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1913.1088 [GMT -6:00]

SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

============== Running Processes ===============

C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\windows\system32\rundll32.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\SearchIndexer.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\system32\igfxsrvc.exe
C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\windows\system32\taskeng.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\windows\system32\svchost.exe -k netsvcs
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\Users\Rachel\Desktop\dds.scr
C:\windows\system32\conhost.exe
C:\windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [NortonOnlineBackupReminder] "c:\program files\toshiba\toshiba online backup\activation\TobuActivation.exe" UNATTENDED
mRun: [<NO NAME>]
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [KeNotify] c:\program files\toshiba\utilities\KeNotify.exe
mRun: [TosSENotify] c:\program files\toshiba\toshiba hdd ssd alert\TosWaitSrv.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mif5ba~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mif5ba~1\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\0068.DLL
mASetup: {01250B8F-D947-4F8A-9408-FE8E3EE2EC92} - c:\program files\toshiba\my toshiba\MyToshiba.exe /SETUP

================= FIREFOX ===================

FF - ProfilePath - c:\users\rachel\appdata\roaming\mozilla\firefox\profiles\ogl0cmuc.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\rachel\appdata\local\yahoo!\browserplus\2.8.1\plugins\npybrowserplus_2.8.1.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 214664]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\toshiba\configfree\CFIWmxSvcs.exe [2009-8-10 185712]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2009-3-10 46448]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-10-24 88176]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2010-1-7 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-1-7 144704]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-11-13 1153368]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-1-7 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-1-6 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-1-6 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-1-6 40552]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-11-16 167936]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11bg 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2009-11-16 376320]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\toshiba\toshiba hdd ssd alert\TosSmartSrv.exe [2009-8-3 111960]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-3 135664]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-1-6 34248]
S3 TMachInfo;TMachInfo;c:\program files\toshiba\toshiba service station\TMachInfo.exe [2009-11-17 51512]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-4 1343400]

=============== Created Last 30 ================

2010-11-17 01:34:49 38400 ----a-w- c:\windows\system32\0068.DLL
2010-11-16 22:36:49 2048 ----a-w- c:\windows\system32\tzres.dll
2010-11-16 00:54:35 2 --shatr- c:\windows\winstart.bat
2010-11-16 00:54:26 -------- d-----w- c:\program files\UnHackMe
2010-11-14 00:54:45 -------- d-----w- c:\progra~2\SITEguard
2010-11-14 00:53:55 -------- d-----w- c:\program files\common files\iS3
2010-11-14 00:53:53 -------- d-----w- c:\progra~2\STOPzilla!
2010-11-13 23:34:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-13 23:34:56 -------- d-----w- c:\progra~2\Spybot - Search & Destroy

==================== Find3M ====================

2010-09-08 04:30:04 978432 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 04:28:15 44544 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 03:22:31 386048 ----a-w- c:\windows\system32\html.iec
2010-09-08 02:48:16 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-01 04:23:49 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-01 02:34:52 2327552 ----a-w- c:\windows\system32\win32k.sys
2010-08-31 04:32:30 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 04:32:30 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-27 05:46:48 168448 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 04:39:58 109056 ----a-w- c:\windows\system32\t2embed.dll
2010-08-21 05:36:33 738816 ----a-w- c:\windows\system32\wmpmde.dll
2010-08-21 05:36:24 224256 ----a-w- c:\windows\system32\schannel.dll
2010-08-21 05:33:24 530432 ----a-w- c:\windows\system32\comctl32.dll
2010-08-21 05:32:37 316928 ----a-w- c:\windows\system32\spoolsv.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7600 Disk: Hitachi_ rev.PB2O -> Harddisk0\DR0 -> \Device\Ide\iaStor0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8626AEC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x87816872; SUB DWORD [EBP-0x4], 0x8781612e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x82A3E458] -> \Device\Harddisk0\DR0[0x862D4030]
3 CLASSPNP[0x885AE59E] -> ntkrnlpa!IofCallDriver[0x82A3E458] -> \IAAStorageDevice-1[0x854A3028]
[0x8550F6F8] -> IRP_MJ_CREATE -> 0x8626AEC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskHitachi_HTS545025B9A300_________________PB2OC64G#4&2f0449cb&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
sectors 488397166 (+175): user != kernel
Warning: possible TDL3 rootkit infection !

============= FINISH: 18:18:50.47 ===============


#2 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:11:46 AM

Posted 25 November 2010 - 05:42 PM

Hello, scotts18.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, I would appreciate you letting us know. If not, please perform the steps below so I can have a look at the current condition of your machine.

Thanks

Should you still require assistance, please take note of the points below:
  • Please track this topic by either adding it to your favourites or clicking the Options button at the top of this thread and then Track this topic.
  • Please disable word-wrap before posting logs. This can be done by clicking Format and un-ticking the word-wrap feature in notepad.
  • The logs that you post should be copied and pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • If you do not reply within 5 days, I will have to close your topic. Should you not be able to meet this, please notify me so that I will leave the topic open.
  • Please do not install, update, or run any programs for the duration of the fix.
  • If you do not understand the instructions I provide, please don't hesitate to ask. That's what I'm here for :)
  • Please continue to reply to this topic until I give you the all clean. Just because there are no symptoms of infection doesn't mean that the computer is clean.
  • If you are running Vista, please run all the fixes as an administrator. This is done by right-clicking the program and clicking "Run as Administrator".

Please do the following so I can take a look at the current state of your system.
We need to run Defogger
  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
Note: If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
Do not re-enable these drivers until the end of the fix.

We need to run RSIT
  • Download random's system information tool (RSIT) by random/random and save it to your desktop.
  • Double click on RSIT.exe.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

NEXT:
We need to run an Anti-Rootkit (ARK) scan
  • Download GMER and save to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click the GMER program. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Make sure all options are checked except:
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All (This is important, so do not miss it.)
    Note: If GMER crashes or hangs, please retry running a scan. Only this time, in addition to the options mentioned above, uncheck Devices as well.
  • When the scan is complete, click Save and save the log onto your desktop.

If GMER crashes, hangs or blue-screens, do the following
  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
    **Note: It is zipped into a .RAR file. If you do not have a .RAR extractor, you can get one for free here
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.
Note: You may get this warning. If so, please ignore it.
"Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"


In your next reply, please include the following:
  • Log.txt
  • info.txt
  • gmer.log/RKUnhooker log

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 scotts18

scotts18
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:01:46 AM

Posted 26 November 2010 - 10:01 PM

Thanks for your help. Below are the logs you requested.

Logfile of random's system information tool 1.08 (written by random/random)
Run by Rachel at 2010-11-26 16:40:07
Microsoft Windows 7 Home Premium
System drive C: has 200 GB (88%) free of 229 GB
Total RAM: 1913 MB (57% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:40:21 PM, on 11/26/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16671)
Boot mode: Normal

Running processes:
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\windows\system32\igfxsrvc.exe
C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\system32\SearchFilterHost.exe
C:\Users\Rachel\Desktop\RSIT.exe
C:\Program Files\trend micro\Rachel.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [IgfxTray] C:\windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
O4 - HKLM\..\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [NortonOnlineBackupReminder] "C:\Program Files\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe" UNATTENDED
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MIF5BA~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MIF5BA~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MIF5BA~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIF5BA~1\Office12\REFIEBAR.DLL
O20 - AppInit_DLLs: C:\windows\system32\0068.DLL
O23 - Service: ConfigFree WiMAX Service (cfWiMAXService) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: TMachInfo - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA HDD SSD Alert Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe

--
End of file - 5353 bytes

======Scheduled tasks folder======

C:\windows\tasks\GoogleUpdateTaskMachineCore.job
C:\windows\tasks\GoogleUpdateTaskMachineUA.job
C:\windows\tasks\McDefragTask.job
C:\windows\tasks\McQcTask.job

======Registry dump======

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
""= []
"IgfxTray"=C:\windows\system32\igfxtray.exe [2009-09-02 141848]
"HotKeysCmds"=C:\windows\system32\hkcmd.exe [2009-09-02 174104]
"Persistence"=C:\windows\system32\igfxpers.exe [2009-09-02 151064]
"RtHDVCpl"=C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [2009-07-28 7625248]
"KeNotify"=C:\Program Files\TOSHIBA\Utilities\KeNotify.exe [2009-01-13 34088]
"TosSENotify"=C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [2009-08-03 611672]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-12-22 35760]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2009-12-11 948672]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2009-09-03 39408]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-01-26 2144088]
"NortonOnlineBackupReminder"=C:\Program Files\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe [2009-07-16 529256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\windows\system32\0068.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\windows\system32\igfxdev.dll [2009-08-27 217088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED}

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=credssp.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AFD]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=5
"ConsentPromptBehaviorUser"=3
"EnableUIADesktopToggle"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 months======

2010-11-26 16:40:07 ----D---- C:\rsit
2010-11-26 16:40:07 ----D---- C:\Program Files\trend micro
2010-11-17 18:00:14 ----D---- C:\Users\Rachel\AppData\Roaming\Mozilla
2010-11-17 18:00:01 ----D---- C:\Program Files\Mozilla Firefox
2010-11-16 19:34:12 ----D---- C:\windows\Sun
2010-11-16 16:36:49 ----A---- C:\windows\system32\tzres.dll
2010-11-15 19:02:05 ----SHD---- C:\Config.Msi
2010-11-15 18:58:50 ----A---- C:\windows\system32\PARTIZAN.TXT
2010-11-15 18:54:35 ----RASHOT---- C:\windows\winstart.bat
2010-11-15 18:54:26 ----D---- C:\Program Files\UnHackMe
2010-11-13 18:54:45 ----D---- C:\ProgramData\SITEguard
2010-11-13 18:53:55 ----D---- C:\Program Files\Common Files\iS3
2010-11-13 18:53:53 ----D---- C:\ProgramData\STOPzilla!
2010-11-13 17:34:56 ----D---- C:\ProgramData\Spybot - Search & Destroy
2010-11-13 17:34:56 ----D---- C:\Program Files\Spybot - Search & Destroy

======List of files/folders modified in the last 1 months======

2010-11-26 16:40:15 ----D---- C:\windows\Temp
2010-11-26 16:40:07 ----RD---- C:\Program Files
2010-11-26 08:38:25 ----D---- C:\windows\system32\config
2010-11-23 07:38:12 ----D---- C:\windows\inf
2010-11-23 07:38:12 ----AD---- C:\windows\System32
2010-11-23 07:38:12 ----A---- C:\windows\system32\PerfStringBackup.INI
2010-11-22 12:15:57 ----AD---- C:\Windows
2010-11-20 17:37:57 ----D---- C:\windows\system32\NDF
2010-11-17 21:34:59 ----SHD---- C:\System Volume Information
2010-11-17 10:16:49 ----D---- C:\windows\Prefetch
2010-11-17 07:38:03 ----D---- C:\windows\winsxs
2010-11-17 07:37:56 ----D---- C:\windows\system32\en-US
2010-11-16 19:00:45 ----D---- C:\windows\system32\catroot2
2010-11-16 18:25:49 ----D---- C:\windows\system32\drivers\etc
2010-11-16 18:23:37 ----D---- C:\windows\system32\Tasks
2010-11-15 19:18:37 ----D---- C:\windows\system32\drivers
2010-11-15 19:02:24 ----SHD---- C:\windows\Installer
2010-11-15 19:01:09 ----D---- C:\windows\system32\wdi
2010-11-13 21:37:36 ----D---- C:\windows\rescache
2010-11-13 18:54:45 ----HD---- C:\ProgramData
2010-11-13 18:53:55 ----D---- C:\Program Files\Common Files
2010-10-29 08:34:19 ----D---- C:\windows\system32\catroot
2010-10-29 08:30:32 ----D---- C:\Program Files\McAfee

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 iaStor;Intel AHCI Controller; C:\windows\system32\DRIVERS\iaStor.sys [2009-06-04 330264]
R0 LPCFilter;LPC Lower Filter Driver; C:\windows\system32\DRIVERS\LPCFilter.sys [2009-07-02 36208]
R0 pciide;pciide; C:\windows\system32\DRIVERS\pciide.sys [2009-07-13 12368]
R0 rdyboost;ReadyBoost; C:\windows\System32\drivers\rdyboost.sys [2009-07-13 173648]
R0 tos_sps32;TOSHIBA tos_sps32 Service; C:\windows\system32\DRIVERS\tos_sps32.sys [2009-07-24 275536]
R0 TVALZ;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Driver; C:\windows\system32\DRIVERS\TVALZ_O.SYS [2009-07-14 23512]
R1 mfehidk;McAfee Inc. mfehidk; C:\windows\system32\drivers\mfehidk.sys [2009-11-04 214664]
R1 MPFP;MPFP; C:\windows\System32\Drivers\Mpfp.sys [2010-07-15 130424]
R1 vwififlt;Virtual WiFi Filter Driver; C:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
R3 igfx;igfx; C:\windows\system32\DRIVERS\igdkmd32.sys [2009-08-27 5946368]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\windows\system32\drivers\RTKVHDA.sys [2009-07-28 2735504]
R3 mfeavfk;McAfee Inc. mfeavfk; C:\windows\system32\drivers\mfeavfk.sys [2009-11-04 79816]
R3 mfebopk;McAfee Inc. mfebopk; C:\windows\system32\drivers\mfebopk.sys [2009-11-04 35272]
R3 mfesmfk;McAfee Inc. mfesmfk; C:\windows\system32\drivers\mfesmfk.sys [2009-11-04 40552]
R3 RTL8167;Realtek 8167 NT Driver; C:\windows\system32\DRIVERS\Rt86win7.sys [2009-05-23 167936]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11bg 54Mbps USB 2.0 Network Adapter; C:\windows\system32\DRIVERS\RTL8187B.sys [2009-08-13 376320]
R3 SynTP;Synaptics TouchPad Driver; C:\windows\system32\DRIVERS\SynTP.sys [2009-07-20 213552]
R3 tdcmdpst;TOSHIBA Writing Engine Filter Driver; C:\windows\system32\DRIVERS\tdcmdpst.sys [2009-07-30 22912]
S0 is3srv;is3srv; C:\windows\system32\drivers\is3srv.sys []
S0 szkg5;szkg5; C:\windows\system32\DRIVERS\szkg.sys []
S0 szkgfs;szkgfs; C:\windows\system32\drivers\szkgfs.sys []
S2 Parvdm;Parvdm; C:\windows\system32\DRIVERS\parvdm.sys [2009-07-13 8704]
S3 AgereSoftModem;Agere Systems Soft Modem; C:\windows\system32\DRIVERS\AGRSM.sys [2009-07-13 1035776]
S3 aic78xx;aic78xx; C:\windows\system32\DRIVERS\djsvs.sys [2009-07-13 70720]
S3 amdagp;AMD AGP Bus Filter Driver; C:\windows\system32\DRIVERS\amdagp.sys [2009-07-13 53312]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0; C:\windows\system32\DRIVERS\b57nd60x.sys [2009-07-13 229888]
S3 mferkdk;McAfee Inc. mferkdk; C:\windows\system32\drivers\mferkdk.sys [2009-11-04 34248]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader; C:\windows\System32\Drivers\RtsUStor.sys []
S3 RtsUIR;Realtek IR Driver; C:\windows\system32\DRIVERS\Rts516xIR.sys []
S3 sisagp;SIS AGP Bus Filter; C:\windows\system32\DRIVERS\sisagp.sys [2009-07-13 52304]
S3 USBCCID;Realtek Smartcard Reader Driver; C:\windows\system32\DRIVERS\RtsUCcid.sys []
S3 usbscan;USB Scanner Driver; C:\windows\system32\DRIVERS\usbscan.sys [2009-07-13 35840]
S3 viaagp;VIA AGP Bus Filter; C:\windows\system32\DRIVERS\viaagp.sys [2009-07-13 53328]
S3 ViaC7;VIA C7 Processor Driver; C:\windows\system32\DRIVERS\viac7.sys [2009-07-13 52736]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 cfWiMAXService;ConfigFree WiMAX Service; C:\Program Files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe [2009-08-10 185712]
R2 ConfigFree Service;ConfigFree Service; C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-10 46448]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2010-05-20 88176]
R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2010-06-10 865832]
R2 McNASvc;McAfee Network Agent; c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe [2009-07-07 2482848]
R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2009-07-08 359952]
R2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2009-11-04 144704]
R2 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2009-10-27 895696]
R2 SBSDWSCService;SBSD Security Center Service; C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
R2 TODDSrv;TOSHIBA Optical Disc Drive Service; C:\Windows\system32\TODDSrv.exe [2009-07-28 128344]
R2 TosCoSrv;TOSHIBA Power Saver; C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe [2009-08-05 464224]
R3 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2009-11-04 606736]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service; C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-08-03 111960]
S2 gupdate;Google Update Service (gupdate); C:\Program Files\Google\Update\GoogleUpdate.exe [2010-02-03 135664]
S3 GameConsoleService;GameConsoleService; C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe [2009-05-22 250616]
S3 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-09-03 182768]
S3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2009-10-28 365072]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 TMachInfo;TMachInfo; C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-08-17 51512]
S3 WatAdminSvc;@%SystemRoot%\system32\Wat\WatUX.exe,-601; C:\windows\system32\Wat\WatAdminSvc.exe [2010-03-04 1343400]

-----------------EOF-----------------


info.txt logfile of random's system information tool 1.08 2010-11-26 16:40:25

======Uninstall list======

-->"C:\Program Files\TOSHIBA Games\Bejeweled 2 Deluxe\Uninstall.exe"
-->"C:\Program Files\TOSHIBA Games\Blackhawk Striker 2\Uninstall.exe"
-->"C:\Program Files\TOSHIBA Games\Build-a-lot 3\Uninstall.exe"
-->"C:\Program Files\TOSHIBA Games\FATE Undiscovered Realms\Uninstall.exe"
-->"C:\Program Files\TOSHIBA Games\Game Explorer Categories - genres\Uninstall.exe"
-->"C:\Program Files\TOSHIBA Games\Game Explorer Categories - main\Uninstall.exe"
-->"C:\Program Files\TOSHIBA Games\Jewel Quest Solitaire 3\Uninstall.exe"
-->"C:\Program Files\TOSHIBA Games\Mystery P.I. - The Vegas Heist\Uninstall.exe"
-->"C:\Program Files\TOSHIBA Games\Polar Bowler\Uninstall.exe"
-->"C:\Program Files\TOSHIBA Games\Scrabble\Uninstall.exe"
-->"C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\Uninstall.exe"
-->"C:\Program Files\TOSHIBA Games\Virtual Villagers - The Secret City\Uninstall.exe"
-->"C:\Program Files\TOSHIBA Games\Zuma Deluxe\Uninstall.exe"
Acrobat.com-->msiexec /qb /x {F8131A35-47FD-27AD-116D-0E79AF5DE5EE}
Acrobat.com-->MsiExec.exe /I{F8131A35-47FD-27AD-116D-0E79AF5DE5EE}
Adobe AIR-->c:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}
Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 9.3-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A93000000001}
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Google Toolbar for Internet Explorer-->"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_AC0049E063DE2AEA.exe" /uninstall
Google Toolbar for Internet Explorer-->MsiExec.exe /I{18455581-E099-4BA8-BC6B-F34B2F06600C}
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Intel® Graphics Media Accelerator Driver-->C:\windows\system32\igxpun.exe -uninstall
Intel® Matrix Storage Manager-->C:\Program Files\Intel\Intel Matrix Storage Manager\Uninstall\imsmudlg.exe -uninstall
Java™ 6 Update 14-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216014FF}
Junk Mail filter update-->MsiExec.exe /I{E2DFE069-083E-4631-9B6C-43C48E991DE5}
Label@Once 1.0-->MsiExec.exe /I{0D795777-9D60-4692-8386-F2B3F2B5E5BF}
McAfee SecurityCenter-->C:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft Choice Guard-->MsiExec.exe /X{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Home and Student 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL
Microsoft Office Home and Student 2007-->MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint Viewer 2007 (English)-->MsiExec.exe /X{95120000-00AF-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {ABDDE972-355B-4AF1-89A8-DA50B7B5C045}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {F580DDD5-8D37-4998-968E-EBB76BB86787}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {187308AB-5FA7-4F14-9AB9-D290383A10D9}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Suite Activation Assistant-->MsiExec.exe /X{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2005 Compact Edition [ENU]-->MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works-->MsiExec.exe /I{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}
Mozilla Firefox (3.6.12)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
MyToshiba-->MsiExec.exe /X{01250B8F-D947-4F8A-9408-FE8E3EE2EC92}
PlayReady PC Runtime x86-->MsiExec.exe /X{CCA5EAAD-92F4-4B7A-B5EE-14294C66AB61}
Quickbooks Financial Center-->C:\Program Files\InstallShield Installation Information\{3B843B38-04B1-4CE6-8888-586273E0F289}\setup.exe -runfromtemp -l0x0009 -removeonly
Realtek 8136 8168 8169 Ethernet Driver-->C:\Program Files\InstallShield Installation Information\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}\setup.exe -runfromtemp -removeonly
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -removeonly
Realtek USB 2.0 Card Reader-->"C:\Program Files\InstallShield Installation Information\{96AE7E41-E34E-47D0-AC07-1091A8127911}\Setup.exe" -runfromtemp -l0x0009 -removeonly
Realtek WLAN Driver-->MsiExec.exe /X{0FB630AB-7BD8-40AE-B223-60397D57C3C9}
Skype Launcher-->C:\Program Files\InstallShield Installation Information\{DA84ECBF-4B79-47F2-B34C-95C38484C058}\setup.exe -runfromtemp -l0x0009 -removeonly
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Synaptics Pointing Device Driver-->rundll32.exe "%ProgramFiles%\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Toshiba Application and Driver Installer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{970472D0-F5F9-4158-A6E3-1AE49EFEF2D3}\setup.exe" -l0x9 -removeonly
TOSHIBA Assist-->C:\Program Files\InstallShield Installation Information\{12B3A009-A080-4619-9A2A-C6DB151D8D67}\setup.exe -runfromtemp -l0x0009 -removeonly
TOSHIBA ConfigFree-->MsiExec.exe /X{F3529665-D75E-4D6D-98F0-745C78C68E9B}
TOSHIBA Disc Creator-->MsiExec.exe /X{5DA0E02F-970B-424B-BF41-513A5018E4C0}
TOSHIBA DVD PLAYER-->C:\Program Files\InstallShield Installation Information\{6C5F3BDC-0A1B-4436-A696-5939629D5C31}\setup.exe -runfromtemp -l0x0009 -ADDREMOVE -removeonly
TOSHIBA Extended Tiles for Windows Mobility Center-->C:\Program Files\InstallShield Installation Information\{617C36FD-0CBE-4600-84B2-441CEB12FADF}\setup.exe -runfromtemp -l0x0409
TOSHIBA Flash Cards Support Utility-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{620BBA5E-F848-4D56-8BDA-584E44584C5E}
TOSHIBA Flash Cards Support Utility-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{620BBA5E-F848-4D56-8BDA-584E44584C5E}
TOSHIBA Hardware Setup-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{5279374D-87FE-4879-9385-F17278EBB9D3} /l1033
TOSHIBA Hardware Setup-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{5279374D-87FE-4879-9385-F17278EBB9D3} /l1033
TOSHIBA HDD/SSD Alert-->C:\Program Files\InstallShield Installation Information\{D4322448-B6AF-4316-B859-D8A0E84DCB38}\setup.exe -runfromtemp -l0x0409
TOSHIBA HDD/SSD Alert-->C:\Program Files\InstallShield Installation Information\{D4322448-B6AF-4316-B859-D8A0E84DCB38}\setup.exe -runfromtemp -l0x0409
Toshiba Online Backup-->MsiExec.exe /X{C57BCDE1-7CB9-467D-B3BA-7E119916CDC1}
Toshiba Quality Application-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E69992ED-A7F6-406C-9280-1C156417BC49}\setup.exe" -l0x9 -removeonly
TOSHIBA Recovery Media Creator-->MsiExec.exe /X{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}
TOSHIBA Service Station-->C:\Program Files\InstallShield Installation Information\{AC6569FA-6919-442A-8552-073BE69E247A}\setup.exe -runfromtemp -l0x0009 -removeonly
TOSHIBA Speech System Applications-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE033C1F-443E-41EC-A0E2-559B539A4E4D}\Setup.exe" -l0x9
TOSHIBA Speech System SR Engine(U.S.) Version1.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{008D69EB-70FF-46AB-9C75-924620DF191A}\Setup.exe" -l0x9 UNINSTALL
TOSHIBA Speech System TTS Engine(U.S.) Version1.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3FBF6F99-8EC6-41B4-8527-0A32241B5496}\Setup.exe" -l0x9
TOSHIBA Supervisor Password-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{51B4E156-14A5-4904-9AE4-B1AA2A0E46BE} /l1033
TOSHIBA Supervisor Password-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{51B4E156-14A5-4904-9AE4-B1AA2A0E46BE} /l1033
TOSHIBA Value Added Package-->C:\Program Files\TOSHIBA\TVAP\Setup.exe
ToshibaRegistration-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5AF550B4-BB67-4E7E-82F1-2C4300279050}\setup.exe" -l0x9 -removeonly
WildTangent Games-->"C:\Program Files\TOSHIBA Games\Uninstall.exe"
Windows Live Call-->MsiExec.exe /I{F6BD194C-4190-4D73-B1B1-C48C99921BFE}
Windows Live Communications Platform-->MsiExec.exe /I{3B4E636E-9D65-4D67-BA61-189800823F52}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}
Windows Live Mail-->MsiExec.exe /I{6412CECE-8172-4BE5-935B-6CECACD2CA87}
Windows Live Messenger-->MsiExec.exe /X{A85FD55B-891B-4314-97A5-EA96C0BD80B5}
Windows Live Photo Gallery-->MsiExec.exe /X{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}
Windows Live Sign-in Assistant-->MsiExec.exe /I{45338B07-A236-4270-9A77-EBB4115517B5}
Windows Live Sync-->MsiExec.exe /X{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Windows Live Writer-->MsiExec.exe /X{178832DE-9DE0-4C87-9F82-9315A9B03985}

======Hosts File======

127.0.0.1 localhost

======System event log======

Computer Name: Rachel-PC
Event Code: 1014
Message: Name resolution for the name ig.gmodules.com timed out after none of the configured DNS servers responded.
Record Number: 1974
Source Name: Microsoft-Windows-DNS-Client
Time Written: 20091225190604.238777-000
Event Type: Warning
User: NT AUTHORITY\NETWORK SERVICE

Computer Name: Rachel-PC
Event Code: 1014
Message: Name resolution for the name isatap.Belkin timed out after none of the configured DNS servers responded.
Record Number: 1969
Source Name: Microsoft-Windows-DNS-Client
Time Written: 20091225190516.878813-000
Event Type: Warning
User: NT AUTHORITY\NETWORK SERVICE

Computer Name: Rachel-PC
Event Code: 1014
Message: Name resolution for the name wpad.Belkin timed out after none of the configured DNS servers responded.
Record Number: 1912
Source Name: Microsoft-Windows-DNS-Client
Time Written: 20091225145055.945634-000
Event Type: Warning
User: NT AUTHORITY\NETWORK SERVICE

Computer Name: Rachel-PC
Event Code: 4001
Message: WLAN AutoConfig service has successfully stopped.

Record Number: 1800
Source Name: Microsoft-Windows-WLAN-AutoConfig
Time Written: 20091206004633.848804-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: Rachel-PC
Event Code: 4001
Message: WLAN AutoConfig service has successfully stopped.

Record Number: 1648
Source Name: Microsoft-Windows-WLAN-AutoConfig
Time Written: 20091117061852.974872-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

=====Application event log=====

Computer Name: Rachel-PC
Event Code: 0
Message: Skipping empty element [tsu:setup_args]
Record Number: 18656
Source Name: TOSHIBA Service Station
Time Written: 20100303231721.000000-000
Event Type: Warning
User:

Computer Name: Rachel-PC
Event Code: 0
Message: Skipping empty element [tsu:setup_args]
Record Number: 18655
Source Name: TOSHIBA Service Station
Time Written: 20100303231721.000000-000
Event Type: Warning
User:

Computer Name: Rachel-PC
Event Code: 0
Message: Skipping empty element [tsu:setup_args]
Record Number: 18654
Source Name: TOSHIBA Service Station
Time Written: 20100303231721.000000-000
Event Type: Warning
User:

Computer Name: Rachel-PC
Event Code: 0
Message: Skipping empty element [tsu:setup_args]
Record Number: 18653
Source Name: TOSHIBA Service Station
Time Written: 20100303231721.000000-000
Event Type: Warning
User:

Computer Name: Rachel-PC
Event Code: 0
Message: Skipping empty element [tsu:setup_args]
Record Number: 18652
Source Name: TOSHIBA Service Station
Time Written: 20100303231721.000000-000
Event Type: Warning
User:

=====Security event log=====

Computer Name: WIN-HE5P7EE4F8O
Event Code: 4624
Message: An account was successfully logged on.

Subject:
Security ID: S-1-5-18
Account Name: WIN-HE5P7EE4F8O$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Logon Type: 5

New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x210
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 397
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091117061849.308866-000
Event Type: Audit Success
User:

Computer Name: WIN-HE5P7EE4F8O
Event Code: 4672
Message: Special privileges assigned to new logon.

Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Record Number: 396
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091117061838.810047-000
Event Type: Audit Success
User:

Computer Name: WIN-HE5P7EE4F8O
Event Code: 4624
Message: An account was successfully logged on.

Subject:
Security ID: S-1-5-18
Account Name: WIN-HE5P7EE4F8O$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Logon Type: 5

New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x210
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 395
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091117061838.810047-000
Event Type: Audit Success
User:

Computer Name: WIN-HE5P7EE4F8O
Event Code: 4738
Message: A user account was changed.

Subject:
Security ID: S-1-5-21-2834690935-201407029-890594130-500
Account Name: Administrator
Account Domain: WIN-HE5P7EE4F8O
Logon ID: 0x1ffbc

Target Account:
Security ID: S-1-5-21-2834690935-201407029-890594130-500
Account Name: Administrator
Account Domain: WIN-HE5P7EE4F8O

Changed Attributes:
SAM Account Name: -
Display Name: -
User Principal Name: -
Home Directory: -
Home Drive: -
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set: -
Account Expires: -
Primary Group ID: -
AllowedToDelegateTo: -
Old UAC Value: 0x211
New UAC Value: 0x211
User Account Control: -
User Parameters: -
SID History: -
Logon Hours: -

Additional Information:
Privileges: -
Record Number: 394
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091117061828.389229-000
Event Type: Audit Success
User:

Computer Name: WIN-HE5P7EE4F8O
Event Code: 1102
Message: The audit log was cleared.
Subject:
Security ID: S-1-5-21-2834690935-201407029-890594130-500
Account Name: Administrator
Domain Name: WIN-HE5P7EE4F8O
Logon ID: 0x1ffbc
Record Number: 393
Source Name: Microsoft-Windows-Eventlog
Time Written: 20091117061828.186429-000
Event Type: Audit Success
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PSModulePath"=%SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\
"NUMBER_OF_PROCESSORS"=1
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 23 Stepping 10, GenuineIntel
"PROCESSOR_REVISION"=170a

-----------------EOF-----------------


GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-26 17:14:17
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\iaStor0 Hitachi_ rev.PB2O
Running: ycjdmfel.exe; Driver: C:\Users\Rachel\AppData\Local\Temp\kwtyqpob.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8DB8079E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8DB80738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8DB8074C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8DB80762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8DB807DC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8DB8081F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8DB80710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8DB80724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8DB807B2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0x8DB80833]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8DB8078A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8DB80776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8DB8080B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8DB807F2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8DB807C8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 82A7D148 5 Bytes JMP 8DB807CC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A95599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AB9F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.rsrc C:\windows\system32\DRIVERS\volsnap.sys entry point in ".rsrc" section [0x88969014]
.text C:\windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x88979000, 0x3C849, 0xE8000020]
.dsrt C:\windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x889BE000, 0x3DC, 0x48000040]

---- User code sections - GMER 1.0.15 ----

.text C:\windows\system32\services.exe[572] kernel32.dll!GetStartupInfoA 75E01DF0 5 Bytes JMP 003A0F2E
.text C:\windows\system32\services.exe[572] kernel32.dll!CreateProcessW 75E0202D 5 Bytes JMP 003A0EF1
.text C:\windows\system32\services.exe[572] kernel32.dll!CreateProcessA 75E02062 5 Bytes JMP 003A0F0C
.text C:\windows\system32\services.exe[572] kernel32.dll!CreateNamedPipeW 75E31FD6 5 Bytes JMP 003A0014
.text C:\windows\system32\services.exe[572] kernel32.dll!CreatePipe 75E34A8B 5 Bytes JMP 003A0F3F
.text C:\windows\system32\services.exe[572] kernel32.dll!VirtualProtect 75E450AB 5 Bytes JMP 003A0F61
.text C:\windows\system32\services.exe[572] kernel32.dll!LoadLibraryExW 75E4B6BF 5 Bytes JMP 003A0F7C
.text C:\windows\system32\services.exe[572] kernel32.dll!LoadLibraryExA 75E4BC8B 5 Bytes JMP 003A0F97
.text C:\windows\system32\services.exe[572] kernel32.dll!CreateFileW 75E50B7D 5 Bytes JMP 003A0FD4
.text C:\windows\system32\services.exe[572] kernel32.dll!GetProcAddress 75E51857 5 Bytes JMP 003A00A1
.text C:\windows\system32\services.exe[572] kernel32.dll!LoadLibraryA 75E52884 5 Bytes JMP 003A002F
.text C:\windows\system32\services.exe[572] kernel32.dll!LoadLibraryW 75E528D2 5 Bytes JMP 003A0FA8
.text C:\windows\system32\services.exe[572] kernel32.dll!CreateFileA 75E5291C 5 Bytes JMP 003A0FE5
.text C:\windows\system32\services.exe[572] kernel32.dll!GetStartupInfoW 75E57CD5 5 Bytes JMP 003A0F1D
.text C:\windows\system32\services.exe[572] kernel32.dll!CreateNamedPipeA 75E8D5BF 1 Byte [E9]
.text C:\windows\system32\services.exe[572] kernel32.dll!CreateNamedPipeA 75E8D5BF 5 Bytes JMP 003A0FC3
.text C:\windows\system32\services.exe[572] kernel32.dll!WinExec 75E8E76D 5 Bytes JMP 003A0086
.text C:\windows\system32\services.exe[572] kernel32.dll!VirtualProtectEx 75E8F729 5 Bytes JMP 003A0F50
.text C:\windows\system32\services.exe[572] msvcrt.dll!_open 75F17E48 5 Bytes JMP 003F0FEF
.text C:\windows\system32\services.exe[572] msvcrt.dll!_wsystem 75F4B04F 5 Bytes JMP 003F0FB2
.text C:\windows\system32\services.exe[572] msvcrt.dll!system 75F4B16F 5 Bytes JMP 003F0FC3
.text C:\windows\system32\services.exe[572] msvcrt.dll!_creat 75F4ED29 5 Bytes JMP 003F0029
.text C:\windows\system32\services.exe[572] msvcrt.dll!_wcreat 75F5038E 5 Bytes JMP 003F0FDE
.text C:\windows\system32\services.exe[572] msvcrt.dll!_wopen 75F50570 5 Bytes JMP 003F0018
.text C:\windows\system32\services.exe[572] ADVAPI32.dll!RegOpenKeyA 75C6D2ED 5 Bytes JMP 00020000
.text C:\Program Files\Internet Explorer\iexplore.exe[2284] USER32.dll!EndDialog 770E555C 5 Bytes JMP 6CEB5AE9 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2284] USER32.dll!DialogBoxParamW 770E564A 5 Bytes JMP 6CEB4BA7 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2284] USER32.dll!SetKeyboardState 770E6B52 5 Bytes JMP 6D0C0672 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2284] USER32.dll!SendInput 770E7055 5 Bytes JMP 6D0C1238 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2284] USER32.dll!SetCursorPos 770FC1D8 5 Bytes JMP 6D0C1290 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2284] USER32.dll!DialogBoxParamA 770FCF6A 5 Bytes JMP 6D0BFDED C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2284] USER32.dll!DialogBoxIndirectParamA 770FD29C 5 Bytes JMP 6D0BFEB3 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2284] USER32.dll!MessageBoxIndirectA 7710E8C9 5 Bytes JMP 6D0BFD82 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2284] USER32.dll!MessageBoxIndirectW 7710E9C3 5 Bytes JMP 6D0BFD17 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2284] USER32.dll!MessageBoxExA 7710EA29 5 Bytes JMP 6D0BFCB5 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2284] USER32.dll!MessageBoxExW 7710EA4D 5 Bytes JMP 6D0BFC53 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2284] USER32.dll!keybd_event 7710EC9B 5 Bytes JMP 6D0C15C3 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2284] SHELL32.dll!SHChangeNotification_Lock + 45BA 7639B440 4 Bytes [11, 36, 13, 72]
.text C:\Program Files\Internet Explorer\iexplore.exe[2284] SHELL32.dll!SHChangeNotification_Lock + 45C2 7639B448 8 Bytes [5F, 35, 13, 72, D0, 73, 12, ...]
.text C:\Program Files\Internet Explorer\iexplore.exe[2284] ole32.dll!OleLoadFromStream 75FF5BF6 5 Bytes JMP 6D0C01C9 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2284] ole32.dll!CoCreateInstance 7604590C 5 Bytes JMP 6CF98C75 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\windows\system32\svchost.exe[2356] kernel32.dll!GetStartupInfoA 75E01DF0 5 Bytes JMP 000C008A
.text C:\windows\system32\svchost.exe[2356] kernel32.dll!CreateProcessW 75E0202D 5 Bytes JMP 000C0F3C
.text C:\windows\system32\svchost.exe[2356] kernel32.dll!CreateProcessA 75E02062 5 Bytes JMP 000C00D1
.text C:\windows\system32\svchost.exe[2356] kernel32.dll!CreateNamedPipeW 75E31FD6 5 Bytes JMP 000C001B
.text C:\windows\system32\svchost.exe[2356] kernel32.dll!CreatePipe 75E34A8B 5 Bytes JMP 000C0F61
.text C:\windows\system32\svchost.exe[2356] kernel32.dll!VirtualProtect 75E450AB 5 Bytes JMP 000C0065
.text C:\windows\system32\svchost.exe[2356] kernel32.dll!LoadLibraryExW 75E4B6BF 5 Bytes JMP 000C0F8D
.text C:\windows\system32\svchost.exe[2356] kernel32.dll!LoadLibraryExA 75E4BC8B 5 Bytes JMP 000C0F9E
.text C:\windows\system32\svchost.exe[2356] kernel32.dll!CreateFileW 75E50B7D 5 Bytes JMP 000C0FCA
.text C:\windows\system32\svchost.exe[2356] kernel32.dll!GetProcAddress 75E51857 5 Bytes JMP 000C0F2B
.text C:\windows\system32\svchost.exe[2356] kernel32.dll!LoadLibraryA 75E52884 5 Bytes JMP 000C002C
.text C:\windows\system32\svchost.exe[2356] kernel32.dll!LoadLibraryW 75E528D2 5 Bytes JMP 000C0FAF
.text C:\windows\system32\svchost.exe[2356] kernel32.dll!CreateFileA 75E5291C 5 Bytes JMP 000C0FEF
.text C:\windows\system32\svchost.exe[2356] kernel32.dll!GetStartupInfoW 75E57CD5 5 Bytes JMP 000C009B
.text C:\windows\system32\svchost.exe[2356] kernel32.dll!CreateNamedPipeA 75E8D5BF 5 Bytes JMP 000C000A
.text C:\windows\system32\svchost.exe[2356] kernel32.dll!WinExec 75E8E76D 5 Bytes JMP 000C00B6
.text C:\windows\system32\svchost.exe[2356] kernel32.dll!VirtualProtectEx 75E8F729 5 Bytes JMP 000C0F72
.text C:\windows\system32\svchost.exe[2356] msvcrt.dll!_open 75F17E48 5 Bytes JMP 00150FEF
.text C:\windows\system32\svchost.exe[2356] msvcrt.dll!_wsystem 75F4B04F 5 Bytes JMP 0015005A
.text C:\windows\system32\svchost.exe[2356] msvcrt.dll!system 75F4B16F 5 Bytes JMP 00150049
.text C:\windows\system32\svchost.exe[2356] msvcrt.dll!_creat 75F4ED29 5 Bytes JMP 0015001D
.text C:\windows\system32\svchost.exe[2356] msvcrt.dll!_wcreat 75F5038E 5 Bytes JMP 00150038
.text C:\windows\system32\svchost.exe[2356] msvcrt.dll!_wopen 75F50570 5 Bytes JMP 0015000C
.text C:\windows\system32\svchost.exe[2356] ADVAPI32.dll!RegOpenKeyA 75C6D2ED 5 Bytes JMP 00160000
.text C:\windows\system32\svchost.exe[2356] ADVAPI32.dll!RegCreateKeyA 75C6D3C1 5 Bytes JMP 00160FCA
.text C:\windows\system32\svchost.exe[2356] ADVAPI32.dll!RegCreateKeyExA 75C71B71 5 Bytes JMP 00160FB9
.text C:\windows\system32\svchost.exe[2356] ADVAPI32.dll!RegCreateKeyW 75C71CC0 5 Bytes JMP 0016005B
.text C:\windows\system32\svchost.exe[2356] ADVAPI32.dll!RegOpenKeyW 75C73129 5 Bytes JMP 00160025
.text C:\windows\system32\svchost.exe[2356] ADVAPI32.dll!RegCreateKeyExW 75C7B946 5 Bytes JMP 00160080
.text C:\windows\system32\svchost.exe[2356] ADVAPI32.dll!RegOpenKeyExA 75C7BC0D 5 Bytes JMP 00160FE5
.text C:\windows\system32\svchost.exe[2356] ADVAPI32.dll!RegOpenKeyExW 75C7BEC4 5 Bytes JMP 00160040
.text C:\windows\system32\svchost.exe[2356] WININET.dll!InternetOpenA 75D27DDC 5 Bytes JMP 00230FEF
.text C:\windows\system32\svchost.exe[2356] WININET.dll!InternetOpenW 75D29D60 5 Bytes JMP 00230FDE
.text C:\windows\system32\svchost.exe[2356] WININET.dll!InternetOpenUrlA 75D2DBD8 5 Bytes JMP 0023000A
.text C:\windows\system32\svchost.exe[2356] WININET.dll!InternetOpenUrlW 75D7DCB0 5 Bytes JMP 00230FB9
.text C:\windows\system32\svchost.exe[2356] WS2_32.dll!socket 75933F00 5 Bytes JMP 00010000
.text C:\windows\system32\svchost.exe[2524] kernel32.dll!GetStartupInfoA 75E01DF0 5 Bytes JMP 00070F54
.text C:\windows\system32\svchost.exe[2524] kernel32.dll!CreateProcessW 75E0202D 5 Bytes JMP 00070F06
.text C:\windows\system32\svchost.exe[2524] kernel32.dll!CreateProcessA 75E02062 5 Bytes JMP 00070F17
.text C:\windows\system32\svchost.exe[2524] kernel32.dll!CreateNamedPipeW 75E31FD6 5 Bytes JMP 0007003D
.text C:\windows\system32\svchost.exe[2524] kernel32.dll!CreatePipe 75E34A8B 5 Bytes JMP 00070F6F
.text C:\windows\system32\svchost.exe[2524] kernel32.dll!VirtualProtect 75E450AB 5 Bytes JMP 0007007D
.text C:\windows\system32\svchost.exe[2524] kernel32.dll!LoadLibraryExW 75E4B6BF 5 Bytes JMP 00070F9B
.text C:\windows\system32\svchost.exe[2524] kernel32.dll!LoadLibraryExA 75E4BC8B 5 Bytes JMP 00070FC0
.text C:\windows\system32\svchost.exe[2524] kernel32.dll!CreateFileW 75E50B7D 5 Bytes JMP 00070011
.text C:\windows\system32\svchost.exe[2524] kernel32.dll!GetProcAddress 75E51857 5 Bytes JMP 00070EEB
.text C:\windows\system32\svchost.exe[2524] kernel32.dll!LoadLibraryA 75E52884 5 Bytes JMP 0007004E
.text C:\windows\system32\svchost.exe[2524] kernel32.dll!LoadLibraryW 75E528D2 5 Bytes JMP 00070FD1
.text C:\windows\system32\svchost.exe[2524] kernel32.dll!CreateFileA 75E5291C 5 Bytes JMP 00070000
.text C:\windows\system32\svchost.exe[2524] kernel32.dll!GetStartupInfoW 75E57CD5 5 Bytes JMP 00070F43
.text C:\windows\system32\svchost.exe[2524] kernel32.dll!CreateNamedPipeA 75E8D5BF 5 Bytes JMP 0007002C
.text C:\windows\system32\svchost.exe[2524] kernel32.dll!WinExec 75E8E76D 5 Bytes JMP 00070F32
.text C:\windows\system32\svchost.exe[2524] kernel32.dll!VirtualProtectEx 75E8F729 5 Bytes JMP 00070F8A
.text C:\windows\system32\svchost.exe[2524] msvcrt.dll!_open 75F17E48 5 Bytes JMP 0009000C
.text C:\windows\system32\svchost.exe[2524] msvcrt.dll!_wsystem 75F4B04F 5 Bytes JMP 00090081
.text C:\windows\system32\svchost.exe[2524] msvcrt.dll!system 75F4B16F 5 Bytes JMP 00090070
.text C:\windows\system32\svchost.exe[2524] msvcrt.dll!_creat 75F4ED29 5 Bytes JMP 0009003A
.text C:\windows\system32\svchost.exe[2524] msvcrt.dll!_wcreat 75F5038E 5 Bytes JMP 00090055
.text C:\windows\system32\svchost.exe[2524] msvcrt.dll!_wopen 75F50570 5 Bytes JMP 0009001D
.text C:\windows\system32\svchost.exe[2524] ADVAPI32.dll!RegOpenKeyA 75C6D2ED 5 Bytes JMP 000A0000
.text C:\windows\system32\svchost.exe[2524] ADVAPI32.dll!RegCreateKeyA 75C6D3C1 5 Bytes JMP 000A002F
.text C:\windows\system32\svchost.exe[2524] ADVAPI32.dll!RegCreateKeyExA 75C71B71 5 Bytes JMP 000A005B
.text C:\windows\system32\svchost.exe[2524] ADVAPI32.dll!RegCreateKeyW 75C71CC0 5 Bytes JMP 000A004A
.text C:\windows\system32\svchost.exe[2524] ADVAPI32.dll!RegOpenKeyW 75C73129 5 Bytes JMP 000A0FE5
.text C:\windows\system32\svchost.exe[2524] ADVAPI32.dll!RegCreateKeyExW 75C7B946 5 Bytes JMP 000A0076
.text C:\windows\system32\svchost.exe[2524] ADVAPI32.dll!RegOpenKeyExA 75C7BC0D 5 Bytes JMP 000A0FD4
.text C:\windows\system32\svchost.exe[2524] ADVAPI32.dll!RegOpenKeyExW 75C7BEC4 5 Bytes JMP 000A0FC3
.text C:\windows\system32\svchost.exe[2524] WININET.dll!InternetOpenA 75D27DDC 5 Bytes JMP 00160FE5
.text C:\windows\system32\svchost.exe[2524] WININET.dll!InternetOpenW 75D29D60 5 Bytes JMP 00160000
.text C:\windows\system32\svchost.exe[2524] WININET.dll!InternetOpenUrlA 75D2DBD8 5 Bytes JMP 00160011
.text C:\windows\system32\svchost.exe[2524] WININET.dll!InternetOpenUrlW 75D7DCB0 5 Bytes JMP 00160022
.text C:\windows\system32\svchost.exe[2524] WS2_32.dll!socket 75933F00 5 Bytes JMP 00010000
.text C:\windows\Explorer.EXE[2728] ntdll.dll!NtProtectVirtualMemory 76F95360 5 Bytes JMP 0051000A
.text C:\windows\Explorer.EXE[2728] ntdll.dll!NtWriteVirtualMemory 76F95EE0 5 Bytes JMP 0052000A
.text C:\windows\Explorer.EXE[2728] ntdll.dll!KiUserExceptionDispatcher 76F96448 5 Bytes JMP 0050000A
.text C:\windows\Explorer.EXE[2728] ADVAPI32.dll!RegOpenKeyA 75C6D2ED 5 Bytes JMP 00090000
.text C:\windows\Explorer.EXE[2728] ADVAPI32.dll!RegCreateKeyA 75C6D3C1 5 Bytes JMP 00090040
.text C:\windows\Explorer.EXE[2728] ADVAPI32.dll!RegCreateKeyExA 75C71B71 5 Bytes JMP 00090FAF
.text C:\windows\Explorer.EXE[2728] ADVAPI32.dll!RegCreateKeyW 75C71CC0 5 Bytes JMP 00090051
.text C:\windows\Explorer.EXE[2728] ADVAPI32.dll!RegOpenKeyW 75C73129 5 Bytes JMP 00090FEF
.text C:\windows\Explorer.EXE[2728] ADVAPI32.dll!RegCreateKeyExW 75C7B946 5 Bytes JMP 0009006C
.text C:\windows\Explorer.EXE[2728] ADVAPI32.dll!RegOpenKeyExA 75C7BC0D 5 Bytes JMP 00090025
.text C:\windows\Explorer.EXE[2728] ADVAPI32.dll!RegOpenKeyExW 75C7BEC4 5 Bytes JMP 00090FD4
.text C:\windows\Explorer.EXE[2728] msvcrt.dll!_open 75F17E48 5 Bytes JMP 000A0FE3
.text C:\windows\Explorer.EXE[2728] msvcrt.dll!_wsystem 75F4B04F 5 Bytes JMP 000A0F95
.text C:\windows\Explorer.EXE[2728] msvcrt.dll!system 75F4B16F 5 Bytes JMP 000A0FA6
.text C:\windows\Explorer.EXE[2728] msvcrt.dll!_creat 75F4ED29 5 Bytes JMP 000A0FC1
.text C:\windows\Explorer.EXE[2728] msvcrt.dll!_wcreat 75F5038E 5 Bytes JMP 000A0016
.text C:\windows\Explorer.EXE[2728] msvcrt.dll!_wopen 75F50570 5 Bytes JMP 000A0FD2
.text C:\windows\system32\svchost.exe[2804] kernel32.dll!GetStartupInfoA 75E01DF0 5 Bytes JMP 00070F6F
.text C:\windows\system32\svchost.exe[2804] kernel32.dll!CreateProcessW 75E0202D 5 Bytes JMP 00070F25
.text C:\windows\system32\svchost.exe[2804] kernel32.dll!CreateProcessA 75E02062 5 Bytes JMP 000700C4
.text C:\windows\system32\svchost.exe[2804] kernel32.dll!CreateNamedPipeW 75E31FD6 5 Bytes JMP 00070025
.text C:\windows\system32\svchost.exe[2804] kernel32.dll!CreatePipe 75E34A8B 5 Bytes JMP 000700A2
.text C:\windows\system32\svchost.exe[2804] kernel32.dll!VirtualProtect 75E450AB 5 Bytes JMP 00070076
.text C:\windows\system32\svchost.exe[2804] kernel32.dll!LoadLibraryExW 75E4B6BF 5 Bytes JMP 00070065
.text C:\windows\system32\svchost.exe[2804] kernel32.dll!LoadLibraryExA 75E4BC8B 5 Bytes JMP 0007004A
.text C:\windows\system32\svchost.exe[2804] kernel32.dll!CreateFileW 75E50B7D 5 Bytes JMP 0007000A
.text C:\windows\system32\svchost.exe[2804] kernel32.dll!GetProcAddress 75E51857 5 Bytes JMP 00070F14
.text C:\windows\system32\svchost.exe[2804] kernel32.dll!LoadLibraryA 75E52884 5 Bytes JMP 00070FB9
.text C:\windows\system32\svchost.exe[2804] kernel32.dll!LoadLibraryW 75E528D2 5 Bytes JMP 00070FA8
.text C:\windows\system32\svchost.exe[2804] kernel32.dll!CreateFileA 75E5291C 5 Bytes JMP 00070FEF
.text C:\windows\system32\svchost.exe[2804] kernel32.dll!GetStartupInfoW 75E57CD5 5 Bytes JMP 000700B3
.text C:\windows\system32\svchost.exe[2804] kernel32.dll!CreateNamedPipeA 75E8D5BF 5 Bytes JMP 00070FD4
.text C:\windows\system32\svchost.exe[2804] kernel32.dll!WinExec 75E8E76D 5 Bytes JMP 00070F54
.text C:\windows\system32\svchost.exe[2804] kernel32.dll!VirtualProtectEx 75E8F729 5 Bytes JMP 00070087
.text C:\windows\system32\svchost.exe[2804] msvcrt.dll!_open 75F17E48 5 Bytes JMP 00090000
.text C:\windows\system32\svchost.exe[2804] msvcrt.dll!_wsystem 75F4B04F 5 Bytes JMP 00090044
.text C:\windows\system32\svchost.exe[2804] msvcrt.dll!system 75F4B16F 5 Bytes JMP 00090FAF
.text C:\windows\system32\svchost.exe[2804] msvcrt.dll!_creat 75F4ED29 5 Bytes JMP 00090FEF
.text C:\windows\system32\svchost.exe[2804] msvcrt.dll!_wcreat 75F5038E 5 Bytes JMP 00090FCA
.text C:\windows\system32\svchost.exe[2804] msvcrt.dll!_wopen 75F50570 5 Bytes JMP 00090029
.text C:\windows\system32\svchost.exe[2804] ADVAPI32.dll!RegOpenKeyA 75C6D2ED 5 Bytes JMP 000A0000
.text C:\windows\system32\svchost.exe[2804] ADVAPI32.dll!RegCreateKeyA 75C6D3C1 5 Bytes JMP 000A002C
.text C:\windows\system32\svchost.exe[2804] ADVAPI32.dll!RegCreateKeyExA 75C71B71 5 Bytes JMP 000A004E
.text C:\windows\system32\svchost.exe[2804] ADVAPI32.dll!RegCreateKeyW 75C71CC0 5 Bytes JMP 000A003D
.text C:\windows\system32\svchost.exe[2804] ADVAPI32.dll!RegOpenKeyW 75C73129 5 Bytes JMP 000A0FE5
.text C:\windows\system32\svchost.exe[2804] ADVAPI32.dll!RegCreateKeyExW 75C7B946 5 Bytes JMP 000A0F87
.text C:\windows\system32\svchost.exe[2804] ADVAPI32.dll!RegOpenKeyExA 75C7BC0D 5 Bytes JMP 000A0FC0
.text C:\windows\system32\svchost.exe[2804] ADVAPI32.dll!RegOpenKeyExW 75C7BEC4 5 Bytes JMP 000A001B
.text C:\windows\system32\svchost.exe[2804] WININET.dll!InternetOpenA 75D27DDC 5 Bytes JMP 001A0FE5
.text C:\windows\system32\svchost.exe[2804] WININET.dll!InternetOpenW 75D29D60 5 Bytes JMP 001A0000
.text C:\windows\system32\svchost.exe[2804] WININET.dll!InternetOpenUrlA 75D2DBD8 5 Bytes JMP 001A0FCA
.text C:\windows\system32\svchost.exe[2804] WININET.dll!InternetOpenUrlW 75D7DCB0 5 Bytes JMP 001A0FAF
.text C:\windows\system32\svchost.exe[2804] WS2_32.dll!socket 75933F00 5 Bytes JMP 00010000
.text C:\windows\system32\svchost.exe[3568] kernel32.dll!GetStartupInfoA 75E01DF0 5 Bytes JMP 000700AC
.text C:\windows\system32\svchost.exe[3568] kernel32.dll!CreateProcessW 75E0202D 5 Bytes JMP 00070F5E
.text C:\windows\system32\svchost.exe[3568] kernel32.dll!CreateProcessA 75E02062 5 Bytes JMP 000700F3
.text C:\windows\system32\svchost.exe[3568] kernel32.dll!CreateNamedPipeW 75E31FD6 5 Bytes JMP 00070040
.text C:\windows\system32\svchost.exe[3568] kernel32.dll!CreatePipe 75E34A8B 5 Bytes JMP 00070F8D
.text C:\windows\system32\svchost.exe[3568] kernel32.dll!VirtualProtect 75E450AB 5 Bytes JMP 00070091
.text C:\windows\system32\svchost.exe[3568] kernel32.dll!LoadLibraryExW 75E4B6BF 5 Bytes JMP 00070076
.text C:\windows\system32\svchost.exe[3568] kernel32.dll!LoadLibraryExA 75E4BC8B 5 Bytes JMP 00070FB9
.text C:\windows\system32\svchost.exe[3568] kernel32.dll!CreateFileW 75E50B7D 5 Bytes JMP 0007001B
.text C:\windows\system32\svchost.exe[3568] kernel32.dll!GetProcAddress 75E51857 5 Bytes JMP 0007010E
.text C:\windows\system32\svchost.exe[3568] kernel32.dll!LoadLibraryA 75E52884 5 Bytes JMP 00070FD4
.text C:\windows\system32\svchost.exe[3568] kernel32.dll!LoadLibraryW 75E528D2 5 Bytes JMP 00070051
.text C:\windows\system32\svchost.exe[3568] kernel32.dll!CreateFileA 75E5291C 5 Bytes JMP 00070000
.text C:\windows\system32\svchost.exe[3568] kernel32.dll!GetStartupInfoW 75E57CD5 5 Bytes JMP 000700BD
.text C:\windows\system32\svchost.exe[3568] kernel32.dll!CreateNamedPipeA 75E8D5BF 5 Bytes JMP 00070FEF
.text C:\windows\system32\svchost.exe[3568] kernel32.dll!WinExec 75E8E76D 5 Bytes JMP 000700D8
.text C:\windows\system32\svchost.exe[3568] kernel32.dll!VirtualProtectEx 75E8F729 5 Bytes JMP 00070F9E
.text C:\windows\system32\svchost.exe[3568] msvcrt.dll!_open 75F17E48 5 Bytes JMP 00090000
.text C:\windows\system32\svchost.exe[3568] msvcrt.dll!_wsystem 75F4B04F 5 Bytes JMP 00090FAD
.text C:\windows\system32\svchost.exe[3568] msvcrt.dll!system 75F4B16F 5 Bytes JMP 0009002E
.text C:\windows\system32\svchost.exe[3568] msvcrt.dll!_creat 75F4ED29 5 Bytes JMP 0009001D
.text C:\windows\system32\svchost.exe[3568] msvcrt.dll!_wcreat 75F5038E 5 Bytes JMP 00090FC8
.text C:\windows\system32\svchost.exe[3568] msvcrt.dll!_wopen 75F50570 5 Bytes JMP 00090FEF
.text C:\windows\system32\svchost.exe[3568] ADVAPI32.dll!RegOpenKeyA 75C6D2ED 5 Bytes JMP 000C000A
.text C:\windows\system32\svchost.exe[3568] ADVAPI32.dll!RegCreateKeyA 75C6D3C1 5 Bytes JMP 000C004A
.text C:\windows\system32\svchost.exe[3568] ADVAPI32.dll!RegCreateKeyExA 75C71B71 5 Bytes JMP 000C0FA8
.text C:\windows\system32\svchost.exe[3568] ADVAPI32.dll!RegCreateKeyW 75C71CC0 5 Bytes JMP 000C0FB9
.text C:\windows\system32\svchost.exe[3568] ADVAPI32.dll!RegOpenKeyW 75C73129 5 Bytes JMP 000C0FEF
.text C:\windows\system32\svchost.exe[3568] ADVAPI32.dll!RegCreateKeyExW 75C7B946 5 Bytes JMP 000C0F97
.text C:\windows\system32\svchost.exe[3568] ADVAPI32.dll!RegOpenKeyExA 75C7BC0D 5 Bytes JMP 000C0025
.text C:\windows\system32\svchost.exe[3568] ADVAPI32.dll!RegOpenKeyExW 75C7BEC4 5 Bytes JMP 000C0FD4
.text C:\windows\system32\svchost.exe[3568] WININET.dll!InternetOpenA 75D27DDC 5 Bytes JMP 00380FEF
.text C:\windows\system32\svchost.exe[3568] WININET.dll!InternetOpenW 75D29D60 5 Bytes JMP 00380000
.text C:\windows\system32\svchost.exe[3568] WININET.dll!InternetOpenUrlA 75D2DBD8 5 Bytes JMP 00380FCA
.text C:\windows\system32\svchost.exe[3568] WININET.dll!InternetOpenUrlW 75D7DCB0 5 Bytes JMP 00380FAF
.text C:\windows\system32\svchost.exe[3568] WS2_32.dll!socket 75933F00 5 Bytes JMP 00010FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[3896] ntdll.dll!NtProtectVirtualMemory 76F95360 5 Bytes JMP 006B000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3896] ntdll.dll!NtWriteVirtualMemory 76F95EE0 5 Bytes JMP 006C000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3896] ntdll.dll!KiUserExceptionDispatcher 76F96448 5 Bytes JMP 006A000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3896] ADVAPI32.dll!RegOpenKeyA 75C6D2ED 5 Bytes JMP 00080000
.text C:\Program Files\Internet Explorer\iexplore.exe[3896] ADVAPI32.dll!RegCreateKeyA 75C6D3C1 5 Bytes JMP 00080040
.text C:\Program Files\Internet Explorer\iexplore.exe[3896] ADVAPI32.dll!RegCreateKeyExA 75C71B71 5 Bytes JMP 00080FB9
.text C:\Program Files\Internet Explorer\iexplore.exe[3896] ADVAPI32.dll!RegCreateKeyW 75C71CC0 5 Bytes JMP 00080065
.text C:\Program Files\Internet Explorer\iexplore.exe[3896] ADVAPI32.dll!RegOpenKeyW 75C73129 5 Bytes JMP 00080FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[3896] ADVAPI32.dll!RegCreateKeyExW 75C7B946 5 Bytes JMP 00080FA8
.text C:\Program Files\Internet Explorer\iexplore.exe[3896] ADVAPI32.dll!RegOpenKeyExA 75C7BC0D 5 Bytes JMP 0008001B
.text C:\Program Files\Internet Explorer\iexplore.exe[3896] ADVAPI32.dll!RegOpenKeyExW 75C7BEC4 5 Bytes JMP 00080FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[3896] msvcrt.dll!_open 75F17E48 5 Bytes JMP 00200FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[3896] msvcrt.dll!_wsystem 75F4B04F 5 Bytes JMP 0020005C
.text C:\Program Files\Internet Explorer\iexplore.exe[3896] msvcrt.dll!system 75F4B16F 5 Bytes JMP 0020004B
.text C:\Program Files\Internet Explorer\iexplore.exe[3896] msvcrt.dll!_creat 75F4ED29 5 Bytes JMP 00200029
.text C:\Program Files\Internet Explorer\iexplore.exe[3896] msvcrt.dll!_wcreat 75F5038E 5 Bytes JMP 0020003A
.text C:\Program Files\Internet Explorer\iexplore.exe[3896] msvcrt.dll!_wopen 75F50570 5 Bytes JMP 00200018
.text C:\Program Files\Internet Explorer\iexplore.exe[3896] USER32.dll!CreateWindowExW 770C0E51 5 Bytes JMP 6CF98187 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3896] USER32.dll!DialogBoxIndirectParamW 770E4AA7 5 Bytes JMP 6D0BFE50 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3896] USER32.dll!DialogBoxParamW 770E564A 5 Bytes JMP 6CEB4BA7 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3896] USER32.dll!DialogBoxParamA 770FCF6A 5 Bytes JMP 6D0BFDED C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3896] USER32.dll!DialogBoxIndirectParamA 770FD29C 5 Bytes JMP 6D0BFEB3 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3896] USER32.dll!MessageBoxIndirectA 7710E8C9 5 Bytes JMP 6D0BFD82 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3896] USER32.dll!MessageBoxIndirectW 7710E9C3 5 Bytes JMP 6D0BFD17 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3896] USER32.dll!MessageBoxExA 7710EA29 5 Bytes JMP 6D0BFCB5 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3896] USER32.dll!MessageBoxExW 7710EA4D 5 Bytes JMP 6D0BFC53 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\iaStor -> DriverStartIo \Device\Ide\iaStor0 8626BAEA
Device \Driver\iaStor -> DriverStartIo \Device\Ide\IAAStorageDevice-0 8626BAEA

AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004f halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskHitachi_HTS545025B9A300_________________PB2OC64G#4&2f0449cb&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sectors 488396987 (+179): rootkit-like behavior;

---- Files - GMER 1.0.15 ----

File C:\windows\system32\DRIVERS\volsnap.sys suspicious modification; TDL3 <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
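
An added triage helper for the GMER output above (example code written for this page; it is not part of the thread and not a GMER tool). In a GMER user-mode hook listing, a JMP that GMER resolves to a module on disk, such as the USER32 and ole32 hooks landing in IEFRAME.dll, is Internet Explorer hooking its own process. A JMP to a bare address with no module name (000F0036, 0007xxxx, 00010000 and so on) lands in anonymous memory and cannot be judged from the log alone: injected malware produces hooks of that shape, but so do legitimate HIPS and anti-exploit products, so those lines are a lead to correlate with other evidence rather than a verdict by themselves. The lines that actually establish the diagnosis here are the kernel-level ones: the "Disk ... rootkit-like behavior" sector finding and the "File ... volsnap.sys suspicious modification; TDL3" verdict. The script below separates those categories. The sample log is constructed from a few lines in the shape of the real log, the regular expressions assume the GMER 1.0.15 formats visible on this page, and FILE_RE assumes the file path contains no spaces.

```python
"""Triage helper for GMER 1.0.15 logs (added example, not part of the thread).

Splits user-mode '.text' hook lines into attributed (JMP target resolved to a
module on disk), unattributed (bare address in anonymous memory) and inline
byte patches, and pulls out the kernel-level Disk/File verdicts.
"""
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of the GMER output above (not the full log).
SAMPLE_LOG = r"""
.text C:\Program Files\Internet Explorer\iexplore.exe[2284] ADVAPI32.dll!RegCreateKeyA 75C6D3C1 5 Bytes JMP 000F0036
.text C:\Program Files\Internet Explorer\iexplore.exe[2284] USER32.dll!CreateWindowExW 770C0E51 5 Bytes JMP 6CF98187 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2284] SHELL32.dll!SHChangeNotification_Lock + 45BA 7639B440 4 Bytes [11, 36, 13, 72]
.text C:\windows\system32\svchost.exe[2356] WS2_32.dll!socket 75933F00 5 Bytes JMP 00010000
.text C:\windows\Explorer.EXE[2728] ntdll.dll!NtWriteVirtualMemory 76F95EE0 5 Bytes JMP 0052000A

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sectors 488396987 (+179): rootkit-like behavior;

---- Files - GMER 1.0.15 ----

File C:\windows\system32\DRIVERS\volsnap.sys suspicious modification; TDL3 <-- ROOTKIT !!!
"""

# The process path may contain spaces, so it is anchored on the trailing "[pid]";
# the hooked symbol may carry a "+ offset" suffix.
HOOK_RE = re.compile(
    r"^\.text (?P<proc>.+?\[(?P<pid>\d+)\]) "
    r"(?P<symbol>\S+!\S+(?: \+ [0-9A-Fa-f]+)?) "
    r"(?P<addr>[0-9A-Fa-f]{8}) (?P<size>\d+) Bytes (?P<rest>.*)$"
)
# "JMP <target>" optionally followed by the module GMER resolved it to.
JMP_RE = re.compile(
    r"^JMP (?P<target>[0-9A-Fa-f]{8})(?: (?P<module>.+?) \((?P<vendor>[^)]*)\))?$"
)
DISK_RE = re.compile(
    r"^Disk (?P<device>\S+) sectors (?P<sector>\d+) \(\+(?P<count>\d+)\): (?P<verdict>.+?);?$"
)
FILE_RE = re.compile(r"^File (?P<path>\S+) (?P<verdict>.+)$")  # assumption: no spaces in path


def parse_hook(line):
    """Return a dict for one user-mode hook line, or None if it is not one."""
    m = HOOK_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    j = JMP_RE.match(rec["rest"])
    if j is None:
        rec["kind"] = "inline_patch"        # raw byte edits such as "[11, 36, 13, 72]"
        rec["target"] = rec["module"] = None
    else:
        rec["target"] = j.group("target")
        rec["module"] = j.group("module")   # None when GMER printed no module
        rec["kind"] = "attributed" if rec["module"] else "unattributed"
    return rec


def parse_gmer(text):
    """Split a GMER log into user-mode hooks and the kernel-level verdicts."""
    report = {"hooks": [], "disk": [], "files": []}
    for raw in text.splitlines():
        line = raw.strip()
        hook = parse_hook(line)
        if hook:
            report["hooks"].append(hook)
            continue
        d = DISK_RE.match(line)
        if d:
            rec = d.groupdict()
            rec["sector"], rec["count"] = int(rec["sector"]), int(rec["count"])
            report["disk"].append(rec)
            continue
        f = FILE_RE.match(line)
        if f:
            report["files"].append(f.groupdict())
    return report


def summarize(report):
    """Per-process count of hook kinds, keyed by 'image.exe[pid]'."""
    per_proc = defaultdict(Counter)
    for h in report["hooks"]:
        per_proc[h["proc"].rsplit("\\", 1)[-1]][h["kind"]] += 1
    return {proc: dict(kinds) for proc, kinds in per_proc.items()}


if __name__ == "__main__":
    rep = parse_gmer(SAMPLE_LOG)
    for proc, kinds in summarize(rep).items():
        print(proc, kinds)
    for d in rep["disk"]:
        print("DISK", d["device"], d["sector"], "+%d" % d["count"], d["verdict"])
    for f in rep["files"]:
        print("FILE", f["path"], f["verdict"])
```

Running it on the full log above is a matter of reading the file into `parse_gmer` instead of `SAMPLE_LOG`; the per-process counts make it obvious at a glance that every hook in iexplore.exe that GMER could attribute goes to IEFRAME.dll, while the Disk and File lines are the two findings that justify the rootkit call.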

#4 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai
  • Local time:11:46 AM

Posted 26 November 2010 - 10:43 PM

Hello, scotts18.
Glad to help :)
Backdoor warning!

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed.
In most cases, a reformat and clean install of the Operating System is the best solution for your (and probably others') safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully:
When should I re-format? How should I reinstall?
Help: I Got Hacked. Now What Do I Do?
Help: I Got Hacked. Now What Do I Do? Part II
Where to draw the line? When to recommend a format and reinstall?


Again, if you would like me to attempt to clean it, I will be happy to do so. But if you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful. Should you have any questions, please feel free to ask.

Please let me know what you decide to do. If you decide to continue with the fix, please proceed with the steps below.

 

We need to disable TeaTimer
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Mode and then on "Advanced Mode"
  • You may be presented with a warning dialog. If so, press yes
  • Click on Tools
  • Click on Resident
  • Uncheck the following checkboxes:
    • Resident "SDHelper" (Internet Explorer bad download blocker) active.
    • Resident "TeaTimer" (Protection for over-all system settings) active.
  • Close/Exit Spybot Search and Destroy


NEXT:

We need to download and run ComboFix (by sUBs)
  • Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
    They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". For more details, please check this thread
  • Please go here and download combofix from one of the locations listed
    ** IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
**A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
**This tool is not a toy and not for everyday use.
**ComboFix SHOULD NOT be used unless requested by a forum helper.


In your next reply, please include the following:
  • ComboFix.txt

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#5 scotts18

scotts18
  • Topic Starter

  • Members
  • 8 posts
  • Local time:01:46 AM

Posted 27 November 2010 - 08:09 PM

Fortunately, this computer is only used for internet surfing and word processing. I would like to try to repair it until I have time to rebuild it. I have a couple of questions:

1. Can you tell specifically which backdoor trojan I have and how I might have been infected?
2. As you could probably tell, I am running McAfee virus software and Windows Firewall. Are there further measures I could take to prevent being infected in the future?

Below is my ComboFix.txt. Thanks again for your help! This is a great service.

ComboFix 10-11-27.01 - Rachel 11/27/2010 18:49:03.1.1 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1913.1179 [GMT -6:00]
Running from: c:\users\Rachel\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\xp
c:\programdata\xp\EBLib.dll
c:\programdata\xp\TPwSav.sys
c:\windows\system32\wupd.dat

.
((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-28 )))))))))))))))))))))))))))))))
.

2010-11-28 00:54 . 2010-11-28 00:54 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-11-28 00:47 . 2010-11-28 00:47 -------- d-----w- C:\32788R22FWJFW
2010-11-26 22:40 . 2010-11-26 22:40 -------- d-----w- C:\rsit
2010-11-26 22:40 . 2010-11-26 22:40 -------- d-----w- c:\program files\trend micro
2010-11-18 00:00 . 2010-11-18 00:00 -------- d-----w- c:\users\Rachel\AppData\Local\Mozilla
2010-11-17 01:34 . 2010-11-17 01:34 -------- d-----w- c:\windows\Sun
2010-11-16 22:36 . 2010-06-19 06:15 2048 ----a-w- c:\windows\system32\tzres.dll
2010-11-16 00:54 . 2010-11-16 00:54 2 --shatr- c:\windows\winstart.bat
2010-11-16 00:54 . 2010-11-16 01:20 -------- d-----w- c:\program files\UnHackMe
2010-11-14 00:54 . 2010-11-14 00:54 -------- d-----w- c:\programdata\SITEguard
2010-11-14 00:53 . 2010-11-14 00:53 -------- d-----w- c:\program files\Common Files\iS3
2010-11-14 00:53 . 2010-11-16 01:02 -------- d-----w- c:\programdata\STOPzilla!
2010-11-13 23:34 . 2010-11-14 00:44 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-11-13 23:34 . 2010-11-13 23:35 -------- d-----w- c:\program files\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-08 04:30 . 2010-10-15 02:22 978432 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 04:28 . 2010-10-15 02:22 44544 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 03:22 . 2010-10-15 02:22 386048 ----a-w- c:\windows\system32\html.iec
2010-09-08 02:48 . 2010-10-15 02:22 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-01 04:23 . 2010-10-15 02:20 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-01 02:34 . 2010-10-15 02:20 2327552 ----a-w- c:\windows\system32\win32k.sys
2010-08-31 04:32 . 2010-10-15 02:21 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 04:32 . 2010-10-15 02:21 954288 ----a-w- c:\windows\system32\mfc40u.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-03 39408]
"NortonOnlineBackupReminder"="c:\program files\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe" [2009-07-16 529256]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-02 174104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-02 151064]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-29 7625248]
"KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2009-01-14 34088]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2009-08-04 611672]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [x]
R0 szkg5;szkg5;c:\windows\system32\DRIVERS\szkg.sys [x]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 135664]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-08-17 51512]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-04 1343400]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe [2009-08-11 185712]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-11 46448]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2010-05-20 88176]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-05-23 167936]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11bg 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2009-08-13 376320]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-08-04 111960]


--- Other Services/Drivers In Memory ---

*Deregistered* - kwtyqpob

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{01250B8F-D947-4F8A-9408-FE8E3EE2EC92}]
2009-08-06 16:15 264048 ----a-w- c:\program files\TOSHIBA\My Toshiba\MyToshiba.exe
.
Contents of the 'Scheduled Tasks' folder

2010-11-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 03:37]

2010-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 03:37]

2010-11-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-07 18:22]

2010-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-07 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
FF - ProfilePath - c:\users\Rachel\AppData\Roaming\Mozilla\Firefox\Profiles\ogl0cmuc.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Rachel\AppData\Local\Yahoo!\BrowserPlus\2.8.1\Plugins\npybrowserplus_2.8.1.dll
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)



**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7600 Disk: Hitachi_ rev.PB2O -> Harddisk0\DR0 -> \Device\Ide\iaStor0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8626BEC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x87816872; SUB DWORD [EBP-0x4], 0x8781612e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x82A8E458] -> \Device\Harddisk0\DR0[0x862D5030]
3 CLASSPNP[0x8860459E] -> ntkrnlpa!IofCallDriver[0x82A8E458] -> \IAAStorageDevice-1[0x854A6028]
[0x86585818] -> IRP_MJ_CREATE -> 0x8626BEC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskHitachi_HTS545025B9A300_________________PB2OC64G#4&2f0449cb&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
sectors 488397166 (+179): user != kernel
Warning: possible TDL3 rootkit infection !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-11-27 18:57:34
ComboFix-quarantined-files.txt 2010-11-28 00:57

Pre-Run: 209,407,258,624 bytes free
Post-Run: 209,319,997,440 bytes free

- - End Of File - - C656884E97835EA4A8FE7E70D93CDFF2

#6 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai

Posted 27 November 2010 - 09:24 PM

Hello, scotts18.

1. Can you tell specifically which backdoor trojan I have and how I might have been infected?

You've got the TDL3 rootkit (as visible on your GMER log). While TDL3 appears to be only focused on redirects, there's no guarantee that it cannot steal password information because of rootkit capabilities.

As for how you got infected: It's really difficult to say. A random mis-click on an ad, rogue antivirus software, an exploit on a page, etc. are all possibilities.

2. As you could probably tell, I am running McAfee virus software and Windows Firewall. Are there further measures I could take to prevent being infected in the future?

I'll give you those tips once we're done cleaning. I have a finishing "speech" which provides a few good tips :)

We need to run a Combofix script
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it. Do not copy the word "code".
    http://www.bleepingcomputer.com/forums/topic361340.html
    
    TDL::
    C:\windows\system32\DRIVERS\volsnap.sys
    
    Collect::
    c:\windows\winstart.bat
    
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Now, drag and drop CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

NEXT:

We need to run a Jotti scan

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows
  • Go to the Jotti website
  • When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

    c:\windows\system32\drivers\is3srv.sys

  • Please post back the results of the scan in your next post.
**Note: If Jotti is busy, try the same at Virustotal
**Note: No logs will be produced. You can either copy/paste the results into your reply, or you can state the infection found (if any) and the scanner that found it


In your next reply, please include the following:
  • ComboFix.txt
  • Jotti Log(s)

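What aommaster reads off the GMER section of that log, as an added Python triage script (not ComboFix, GMER or the helper's own code): it parses the lines from post #5 for the unattributed module in the disk I/O chain, the redirected IRP_MJ_CREATE handler, the user/kernel sector mismatch and the service entries marked "[x]". Assumptions: "[x]" means ComboFix could not find the file on disk (consistent with scotts18's report in the next post that is3srv.sys is absent), and the regexes follow this log's exact layout.

```python
"""Triage a ComboFix log that embeds GMER's MBR / disk-trace check.

Added example for this thread (not ComboFix, GMER or the helper's own code).
Assumptions: "[x]" on a service line means ComboFix could not find the file
(consistent with the poster reporting that is3srv.sys is absent), and the
regexes follow the exact log layout shown in the thread.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the ComboFix log in post #5 of this
# thread, trimmed to the ones the triage below reads.
SAMPLE_LOG = r"""
R0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [x]
R0 szkg5;szkg5;c:\windows\system32\DRIVERS\szkg.sys [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 135664]

--- Other Services/Drivers In Memory ---

*Deregistered* - kwtyqpob

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
user: MBR read successfully
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8626BEC5]<<
1 ntkrnlpa!IofCallDriver[0x82A8E458] -> \Device\Harddisk0\DR0[0x862D5030]
[0x86585818] -> IRP_MJ_CREATE -> 0x8626BEC5
kernel: MBR read successfully
detected hooks:
user & kernel MBR OK
sectors 488397166 (+179): user != kernel
Warning: possible TDL3 rootkit infection !
"""

# Service/driver line whose on-disk file ComboFix could not find ("[x]").
_MISSING_SVC = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.+?)\s+\[x\]\s*$", re.M)
# A module in the disk I/O call chain that GMER cannot attribute to any file.
_UNKNOWN_MOD = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
# A dispatch routine of the disk device object redirected to some address.
_IRP_HOOK = re.compile(r"\[0x[0-9A-Fa-f]+\] -> (IRP_MJ_\w+) -> (0x[0-9A-Fa-f]+)")
# The same sectors read through the normal I/O stack and by a direct kernel
# read came back different: something between the two is filtering the data.
_SECTOR_DIFF = re.compile(r"sectors (\d+) \(\+(\d+)\): user != kernel")
# Entry ComboFix lists under "Other Services/Drivers In Memory"; the random
# name is itself worth a second look.
_DEREGISTERED = re.compile(r"\*Deregistered\* - (\S+)")


@dataclass
class Findings:
    unknown_module: Optional[str] = None
    hooked_irps: List[Tuple[str, str]] = field(default_factory=list)
    mbr_consistent: bool = False
    sector_mismatch: Optional[Tuple[int, int]] = None
    deregistered: List[str] = field(default_factory=list)
    missing_service_files: List[Tuple[str, str]] = field(default_factory=list)

    @property
    def hook_into_unknown(self) -> bool:
        """True when a hooked IRP handler points at the unattributed module."""
        return self.unknown_module is not None and any(
            target == self.unknown_module for _, target in self.hooked_irps
        )


def triage(log: str) -> Findings:
    """Pull the rootkit-relevant facts out of a ComboFix/GMER log."""
    f = Findings()
    m = _UNKNOWN_MOD.search(log)
    if m:
        f.unknown_module = m.group(1)
    f.hooked_irps = _IRP_HOOK.findall(log)
    f.mbr_consistent = "user & kernel MBR OK" in log
    m = _SECTOR_DIFF.search(log)
    if m:
        f.sector_mismatch = (int(m.group(1)), int(m.group(2)))
    f.deregistered = _DEREGISTERED.findall(log)
    f.missing_service_files = _MISSING_SVC.findall(log)
    return f


def severity(f: Findings) -> str:
    """A TDL3-style infection leaves the MBR intact, so "MBR OK" alone proves
    nothing; the sector mismatch plus a hook into an unattributed module is
    the combination that matters."""
    if f.sector_mismatch and f.hook_into_unknown:
        return "rootkit-likely"
    if f.sector_mismatch or f.unknown_module or f.deregistered:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print(severity(found), found)
```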


#7 scotts18

scotts18
  • Topic Starter

  • Members
  • 8 posts

Posted 27 November 2010 - 11:45 PM

Below is my ComboFix.txt. I did not have the is3srv.sys file. I made sure that all system folders and hidden files were visible but still did not see that file.



ComboFix 10-11-27.01 - Rachel 11/27/2010 22:17:24.2.1 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1913.1281 [GMT -6:00]
Running from: c:\users\Rachel\Desktop\ComboFix.exe
Command switches used :: c:\users\Rachel\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

file zipped: c:\windows\winstart.bat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\winstart.bat

.
((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-28 )))))))))))))))))))))))))))))))
.

2010-11-28 04:23 . 2010-11-28 04:23 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-11-26 22:40 . 2010-11-26 22:40 -------- d-----w- C:\rsit
2010-11-26 22:40 . 2010-11-26 22:40 -------- d-----w- c:\program files\trend micro
2010-11-18 00:00 . 2010-11-18 00:00 -------- d-----w- c:\users\Rachel\AppData\Local\Mozilla
2010-11-17 01:34 . 2010-11-17 01:34 -------- d-----w- c:\windows\Sun
2010-11-16 22:36 . 2010-06-19 06:15 2048 ----a-w- c:\windows\system32\tzres.dll
2010-11-16 00:54 . 2010-11-16 01:20 -------- d-----w- c:\program files\UnHackMe
2010-11-14 00:54 . 2010-11-14 00:54 -------- d-----w- c:\programdata\SITEguard
2010-11-14 00:53 . 2010-11-14 00:53 -------- d-----w- c:\program files\Common Files\iS3
2010-11-14 00:53 . 2010-11-16 01:02 -------- d-----w- c:\programdata\STOPzilla!
2010-11-13 23:34 . 2010-11-14 00:44 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-11-13 23:34 . 2010-11-13 23:35 -------- d-----w- c:\program files\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-08 04:30 . 2010-10-15 02:22 978432 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 04:28 . 2010-10-15 02:22 44544 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 03:22 . 2010-10-15 02:22 386048 ----a-w- c:\windows\system32\html.iec
2010-09-08 02:48 . 2010-10-15 02:22 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-01 04:23 . 2010-10-15 02:20 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-01 02:34 . 2010-10-15 02:20 2327552 ----a-w- c:\windows\system32\win32k.sys
2010-08-31 04:32 . 2010-10-15 02:21 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 04:32 . 2010-10-15 02:21 954288 ----a-w- c:\windows\system32\mfc40u.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-03 39408]
"NortonOnlineBackupReminder"="c:\program files\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe" [2009-07-16 529256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-02 174104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-02 151064]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-29 7625248]
"KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2009-01-14 34088]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2009-08-04 611672]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [x]
R0 szkg5;szkg5;c:\windows\system32\DRIVERS\szkg.sys [x]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 135664]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-08-17 51512]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-04 1343400]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe [2009-08-11 185712]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-11 46448]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2010-05-20 88176]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-05-23 167936]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11bg 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2009-08-13 376320]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-08-04 111960]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{01250B8F-D947-4F8A-9408-FE8E3EE2EC92}]
2009-08-06 16:15 264048 ----a-w- c:\program files\TOSHIBA\My Toshiba\MyToshiba.exe
.
Contents of the 'Scheduled Tasks' folder

2010-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 03:37]

2010-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 03:37]

2010-11-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-07 18:22]

2010-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-07 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
FF - ProfilePath - c:\users\Rachel\AppData\Roaming\Mozilla\Firefox\Profiles\ogl0cmuc.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Rachel\AppData\Local\Yahoo!\BrowserPlus\2.8.1\Plugins\npybrowserplus_2.8.1.dll
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
.

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7600 Disk: Hitachi_ rev.PB2O -> Harddisk0\DR0 -> \Device\Ide\iaStor0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8626DEC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x87816872; SUB DWORD [EBP-0x4], 0x8781612e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x82A77458] -> \Device\Harddisk0\DR0[0x862D6030]
3 CLASSPNP[0x885D059E] -> ntkrnlpa!IofCallDriver[0x82A77458] -> \IAAStorageDevice-1[0x854A1028]
[0x86559E90] -> IRP_MJ_CREATE -> 0x8626DEC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskHitachi_HTS545025B9A300_________________PB2OC64G#4&2f0449cb&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
sectors 488397166 (+183): user != kernel
Warning: possible TDL3 rootkit infection !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-11-27 22:25:53
ComboFix-quarantined-files.txt 2010-11-28 04:25
ComboFix2.txt 2010-11-28 00:57

Pre-Run: 209,524,678,656 bytes free
Post-Run: 209,505,169,408 bytes free

- - End Of File - - 1A30B825D3C40A95628BBE9B28608659

#8 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai

Posted 27 November 2010 - 11:50 PM

Hello, scotts18.
Okay, no problem. Let's run another program to take care of your TDL3 infection. Then, we'll see what CF can do about that file.

We need to run TDSSKiller
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Double click TDSSKiller.exe
  • Press Start Scan
  • If Malicious objects are found then ensure Cure is selected
  • Click Continue > Reboot now
  • Copy and paste the log in your next reply
    Note: A copy of the log will be saved automatically to the root of the drive (typically C:\)

NEXT:

We need to run a Combofix script
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it. Do not copy the word "code".
    http://www.bleepingcomputer.com/forums/topic361340.html
    
    Driver::
    is3srv
    
    Collect::
    c:\windows\system32\drivers\is3srv.sys
    
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Now, drag and drop CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

In your next reply, please include the following:
  • TDSSKiller.txt
  • ComboFix.txt



#9 scotts18

scotts18
  • Topic Starter

  • Members
  • 8 posts

Posted 28 November 2010 - 01:50 PM

Done. See below for logs....

2010/11/28 12:27:24.0532 TDSS rootkit removing tool 2.4.9.0 Nov 26 2010 15:38:31
2010/11/28 12:27:24.0532 ================================================================================
2010/11/28 12:27:24.0532 SystemInfo:
2010/11/28 12:27:24.0532
2010/11/28 12:27:24.0532 OS Version: 6.1.7600 ServicePack: 0.0
2010/11/28 12:27:24.0532 Product type: Workstation
2010/11/28 12:27:24.0532 ComputerName: RACHEL-PC
2010/11/28 12:27:24.0547 UserName: Rachel
2010/11/28 12:27:24.0547 Windows directory: C:\windows
2010/11/28 12:27:24.0547 System windows directory: C:\windows
2010/11/28 12:27:24.0547 Processor architecture: Intel x86
2010/11/28 12:27:24.0547 Number of processors: 1
2010/11/28 12:27:24.0547 Page size: 0x1000
2010/11/28 12:27:24.0547 Boot type: Normal boot
2010/11/28 12:27:24.0547 ================================================================================
2010/11/28 12:27:24.0797 Initialize success
2010/11/28 12:27:33.0673 ================================================================================
2010/11/28 12:27:33.0673 Scan started
2010/11/28 12:27:33.0673 Mode: Manual;
2010/11/28 12:27:33.0673 ================================================================================
2010/11/28 12:27:44.0125 IPMIDRV (e4454b6c37d7ffd5649611f6496308a7) C:\windows\system32\DRIVERS\IPMIDrv.sys
2010/11/28 12:27:44.0203 IPNAT (a5fa468d67abcdaa36264e463a7bb0cd) C:\windows\system32\drivers\ipnat.sys
2010/11/28 12:27:44.0281 IRENUM (42996cff20a3084a56017b7902307e9f) C:\windows\system32\drivers\irenum.sys
2010/11/28 12:27:44.0422 isapnp (1f32bb6b38f62f7df1a7ab7292638a35) C:\windows\system32\DRIVERS\isapnp.sys
2010/11/28 12:27:44.0500 iScsiPrt (ed46c223ae46c6866ab77cdc41c404b7) C:\windows\system32\DRIVERS\msiscsi.sys
2010/11/28 12:27:44.0593 kbdclass (adef52ca1aeae82b50df86b56413107e) C:\windows\system32\DRIVERS\kbdclass.sys
2010/11/28 12:27:44.0671 kbdhid (3d9f0ebf350edcfd6498057301455964) C:\windows\system32\DRIVERS\kbdhid.sys
2010/11/28 12:27:44.0749 KSecDD (e36a061ec11b373826905b21be10948f) C:\windows\system32\Drivers\ksecdd.sys
2010/11/28 12:27:44.0812 KSecPkg (365c6154bbbc5377173f1ca7bfb6cc59) C:\windows\system32\Drivers\ksecpkg.sys
2010/11/28 12:27:44.0952 lltdio (f7611ec07349979da9b0ae1f18ccc7a6) C:\windows\system32\DRIVERS\lltdio.sys
2010/11/28 12:27:45.0061 LPCFilter (6e3d3816749e107883eec5734ce44493) C:\windows\system32\DRIVERS\LPCFilter.sys
2010/11/28 12:27:45.0155 LSI_FC (eb119a53ccf2acc000ac71b065b78fef) C:\windows\system32\DRIVERS\lsi_fc.sys
2010/11/28 12:27:45.0233 LSI_SAS (8ade1c877256a22e49b75d1cc9161f9c) C:\windows\system32\DRIVERS\lsi_sas.sys
2010/11/28 12:27:45.0311 LSI_SAS2 (dc9dc3d3daa0e276fd2ec262e38b11e9) C:\windows\system32\DRIVERS\lsi_sas2.sys
2010/11/28 12:27:45.0389 LSI_SCSI (0a036c7d7cab643a7f07135ac47e0524) C:\windows\system32\DRIVERS\lsi_scsi.sys
2010/11/28 12:27:45.0483 luafv (6703e366cc18d3b6e534f5cf7df39cee) C:\windows\system32\drivers\luafv.sys
2010/11/28 12:27:45.0654 megasas (0fff5b045293002ab38eb1fd1fc2fb74) C:\windows\system32\DRIVERS\megasas.sys
2010/11/28 12:27:45.0732 MegaSR (dcbab2920c75f390caf1d29f675d03d6) C:\windows\system32\DRIVERS\MegaSR.sys
2010/11/28 12:27:45.0826 mfeavfk (bafdd5e28baea99d7f4772af2f5ec7ee) C:\windows\system32\drivers\mfeavfk.sys
2010/11/28 12:27:45.0935 mfebopk (1d003e3056a43d881597d6763e83b943) C:\windows\system32\drivers\mfebopk.sys
2010/11/28 12:27:46.0013 mfehidk (3f138a1c8a0659f329f242d1e389b2cf) C:\windows\system32\drivers\mfehidk.sys
2010/11/28 12:27:46.0107 mferkdk (41fe2f288e05a6c8ab85dd56770ffbad) C:\windows\system32\drivers\mferkdk.sys
2010/11/28 12:27:46.0169 mfesmfk (096b52ea918aa909ba5903d79e129005) C:\windows\system32\drivers\mfesmfk.sys
2010/11/28 12:27:46.0263 Modem (f001861e5700ee84e2d4e52c712f4964) C:\windows\system32\drivers\modem.sys
2010/11/28 12:27:46.0356 monitor (79d10964de86b292320e9dfe02282a23) C:\windows\system32\DRIVERS\monitor.sys
2010/11/28 12:27:46.0450 mouclass (fb18cc1d4c2e716b6b903b0ac0cc0609) C:\windows\system32\DRIVERS\mouclass.sys
2010/11/28 12:27:46.0543 mouhid (2c388d2cd01c9042596cf3c8f3c7b24d) C:\windows\system32\DRIVERS\mouhid.sys
2010/11/28 12:27:46.0621 mountmgr (921c18727c5920d6c0300736646931c2) C:\windows\system32\drivers\mountmgr.sys
2010/11/28 12:27:46.0699 MPFP (4fc96dab9d75c1f544ba45ccbafcae7e) C:\windows\system32\Drivers\Mpfp.sys
2010/11/28 12:27:46.0793 mpio (2af5997438c55fb79d33d015c30e1974) C:\windows\system32\DRIVERS\mpio.sys
2010/11/28 12:27:46.0902 mpsdrv (ad2723a7b53dd1aacae6ad8c0bfbf4d0) C:\windows\system32\drivers\mpsdrv.sys
2010/11/28 12:27:46.0949 MRxDAV (b1be47008d20e43da3adc37c24cdb89d) C:\windows\system32\drivers\mrxdav.sys
2010/11/28 12:27:47.0058 mrxsmb (f1b6aa08497ea86ca6ef6f7a08b0bfb8) C:\windows\system32\DRIVERS\mrxsmb.sys
2010/11/28 12:27:47.0105 mrxsmb10 (5613358b4050f46f5a9832da8050d6e4) C:\windows\system32\DRIVERS\mrxsmb10.sys
2010/11/28 12:27:47.0152 mrxsmb20 (25c9792778d80feb4c8201e62281bfdf) C:\windows\system32\DRIVERS\mrxsmb20.sys
2010/11/28 12:27:47.0261 msahci (4326d168944123f38dd3b2d9c37a0b12) C:\windows\system32\DRIVERS\msahci.sys
2010/11/28 12:27:47.0292 msdsm (455029c7174a2dbb03dba8a0d8bddd9a) C:\windows\system32\DRIVERS\msdsm.sys
2010/11/28 12:27:47.0433 Msfs (daefb28e3af5a76abcc2c3078c07327f) C:\windows\system32\drivers\Msfs.sys
2010/11/28 12:27:47.0464 mshidkmdf (3e1e5767043c5af9367f0056295e9f84) C:\windows\System32\drivers\mshidkmdf.sys
2010/11/28 12:27:47.0511 msisadrv (0a4e5757ae09fa9622e3158cc1aef114) C:\windows\system32\DRIVERS\msisadrv.sys
2010/11/28 12:27:47.0651 MSKSSRV (8c0860d6366aaffb6c5bb9df9448e631) C:\windows\system32\drivers\MSKSSRV.sys
2010/11/28 12:27:47.0698 MSPCLOCK (3ea8b949f963562cedbb549eac0c11ce) C:\windows\system32\drivers\MSPCLOCK.sys
2010/11/28 12:27:47.0823 MSPQM (f456e973590d663b1073e9c463b40932) C:\windows\system32\drivers\MSPQM.sys
2010/11/28 12:27:47.0854 MsRPC (0e008fc4819d238c51d7c93e7b41e560) C:\windows\system32\drivers\MsRPC.sys
2010/11/28 12:27:47.0932 mssmbios (fc6b9ff600cc585ea38b12589bd4e246) C:\windows\system32\DRIVERS\mssmbios.sys
2010/11/28 12:27:48.0041 MSTEE (b42c6b921f61a6e55159b8be6cd54a36) C:\windows\system32\drivers\MSTEE.sys
2010/11/28 12:27:48.0166 MTConfig (33599130f44e1f34631cea241de8ac84) C:\windows\system32\DRIVERS\MTConfig.sys
2010/11/28 12:27:48.0228 Mup (159fad02f64e6381758c990f753bcc80) C:\windows\system32\Drivers\mup.sys
2010/11/28 12:27:48.0353 NativeWifiP (26384429fcd85d83746f63e798ab1480) C:\windows\system32\DRIVERS\nwifi.sys
2010/11/28 12:27:48.0447 NDIS (23759d175a0a9baaf04d05047bc135a8) C:\windows\system32\drivers\ndis.sys
2010/11/28 12:27:48.0556 NdisCap (0e1787aa6c9191d3d319e8bafe86f80c) C:\windows\system32\DRIVERS\ndiscap.sys
2010/11/28 12:27:48.0603 NdisTapi (e4a8aec125a2e43a9e32afeea7c9c888) C:\windows\system32\DRIVERS\ndistapi.sys
2010/11/28 12:27:48.0727 Ndisuio (b30ae7f2b6d7e343b0df32e6c08fce75) C:\windows\system32\DRIVERS\ndisuio.sys
2010/11/28 12:27:48.0774 NdisWan (267c415eadcbe53c9ca873dee39cf3a4) C:\windows\system32\DRIVERS\ndiswan.sys
2010/11/28 12:27:48.0805 NDProxy (af7e7c63dcef3f8772726f86039d6eb4) C:\windows\system32\drivers\NDProxy.sys
2010/11/28 12:27:48.0930 NetBIOS (80b275b1ce3b0e79909db7b39af74d51) C:\windows\system32\DRIVERS\netbios.sys
2010/11/28 12:27:48.0977 NetBT (dd52a733bf4ca5af84562a5e2f963b91) C:\windows\system32\DRIVERS\netbt.sys
2010/11/28 12:27:49.0117 nfrd960 (1d85c4b390b0ee09c7a46b91efb2c097) C:\windows\system32\DRIVERS\nfrd960.sys
2010/11/28 12:27:49.0180 Npfs (1db262a9f8c087e8153d89bef3d2235f) C:\windows\system32\drivers\Npfs.sys
2010/11/28 12:27:49.0289 nsiproxy (e9a0a4d07e53d8fea2bb8387a3293c58) C:\windows\system32\drivers\nsiproxy.sys
2010/11/28 12:27:49.0351 Ntfs (3795dcd21f740ee799fb7223234215af) C:\windows\system32\drivers\Ntfs.sys
2010/11/28 12:27:49.0445 Null (f9756a98d69098dca8945d62858a812c) C:\windows\system32\drivers\Null.sys
2010/11/28 12:27:49.0492 nvraid (3f3d04b1d08d43c16ea7963954ec768d) C:\windows\system32\DRIVERS\nvraid.sys
2010/11/28 12:27:49.0632 nvstor (c99f251a5de63c6f129cf71933aced0f) C:\windows\system32\DRIVERS\nvstor.sys
2010/11/28 12:27:49.0663 nv_agp (5a0983915f02bae73267cc2a041f717d) C:\windows\system32\DRIVERS\nv_agp.sys
2010/11/28 12:27:49.0804 ohci1394 (08a70a1f2cdde9bb49b885cb817a66eb) C:\windows\system32\DRIVERS\ohci1394.sys
2010/11/28 12:27:49.0960 Parport (2ea877ed5dd9713c5ac74e8ea7348d14) C:\windows\system32\DRIVERS\parport.sys
2010/11/28 12:27:50.0007 partmgr (ff4218952b51de44fe910953a3e686b9) C:\windows\system32\drivers\partmgr.sys
2010/11/28 12:27:50.0116 Parvdm (eb0a59f29c19b86479d36b35983daadc) C:\windows\system32\DRIVERS\parvdm.sys
2010/11/28 12:27:50.0163 pci (c858cb77c577780ecc456a892e7e7d0f) C:\windows\system32\DRIVERS\pci.sys
2010/11/28 12:27:50.0256 pciide (afe86f419014db4e5593f69ffe26ce0a) C:\windows\system32\DRIVERS\pciide.sys
2010/11/28 12:27:50.0303 pcmcia (f396431b31693e71e8a80687ef523506) C:\windows\system32\DRIVERS\pcmcia.sys
2010/11/28 12:27:50.0350 pcw (250f6b43d2b613172035c6747aeeb19f) C:\windows\system32\drivers\pcw.sys
2010/11/28 12:27:50.0459 PEAUTH (9e0104ba49f4e6973749a02bf41344ed) C:\windows\system32\drivers\peauth.sys
2010/11/28 12:27:50.0662 PptpMiniport (631e3e205ad6d86f2aed6a4a8e69f2db) C:\windows\system32\DRIVERS\raspptp.sys
2010/11/28 12:27:50.0709 Processor (85b1e3a0c7585bc4aae6899ec6fcf011) C:\windows\system32\DRIVERS\processr.sys
2010/11/28 12:27:50.0865 Psched (6270ccae2a86de6d146529fe55b3246a) C:\windows\system32\DRIVERS\pacer.sys
2010/11/28 12:27:50.0927 ql2300 (ab95ecf1f6659a60ddc166d8315b0751) C:\windows\system32\DRIVERS\ql2300.sys
2010/11/28 12:27:51.0052 ql40xx (b4dd51dd25182244b86737dc51af2270) C:\windows\system32\DRIVERS\ql40xx.sys
2010/11/28 12:27:51.0083 QWAVEdrv (584078ca1b95ca72df2a27c336f9719d) C:\windows\system32\drivers\qwavedrv.sys
2010/11/28 12:27:51.0192 RasAcd (30a81b53c766d0133bb86d234e5556ab) C:\windows\system32\DRIVERS\rasacd.sys
2010/11/28 12:27:51.0270 RasAgileVpn (57ec4aef73660166074d8f7f31c0d4fd) C:\windows\system32\DRIVERS\AgileVpn.sys
2010/11/28 12:27:51.0364 Rasl2tp (d9f91eafec2815365cbe6d167e4e332a) C:\windows\system32\DRIVERS\rasl2tp.sys
2010/11/28 12:27:51.0504 RasPppoe (0fe8b15916307a6ac12bfb6a63e45507) C:\windows\system32\DRIVERS\raspppoe.sys
2010/11/28 12:27:51.0567 RasSstp (44101f495a83ea6401d886e7fd70096b) C:\windows\system32\DRIVERS\rassstp.sys
2010/11/28 12:27:51.0676 rdbss (835d7e81bf517a3b72384bdcc85e1ce6) C:\windows\system32\DRIVERS\rdbss.sys
2010/11/28 12:27:51.0738 rdpbus (0d8f05481cb76e70e1da06ee9f0da9df) C:\windows\system32\DRIVERS\rdpbus.sys
2010/11/28 12:27:51.0832 RDPCDD (1e016846895b15a99f9a176a05029075) C:\windows\system32\DRIVERS\RDPCDD.sys
2010/11/28 12:27:51.0879 RDPENCDD (5a53ca1598dd4156d44196d200c94b8a) C:\windows\system32\drivers\rdpencdd.sys
2010/11/28 12:27:51.0988 RDPREFMP (44b0a53cd4f27d50ed461dae0c0b4e1f) C:\windows\system32\drivers\rdprefmp.sys
2010/11/28 12:27:52.0035 RDPWD (801371ba9782282892d00aadb08ee367) C:\windows\system32\drivers\RDPWD.sys
2010/11/28 12:27:52.0159 rdyboost (4ea225bf1cf05e158853f30a99ca29a7) C:\windows\system32\drivers\rdyboost.sys
2010/11/28 12:27:52.0331 rspndr (032b0d36ad92b582d869879f5af5b928) C:\windows\system32\DRIVERS\rspndr.sys
2010/11/28 12:27:52.0581 RTL8167 (26a9d6227d12b9d9da5a81bb9b55d810) C:\windows\system32\DRIVERS\Rt86win7.sys
2010/11/28 12:27:52.0659 RTL8187B (0a804a2375b99419d13821b451651856) C:\windows\system32\DRIVERS\RTL8187B.sys
2010/11/28 12:27:52.0846 sbp2port (34ee0c44b724e3e4ce2eff29126de5b5) C:\windows\system32\DRIVERS\sbp2port.sys
2010/11/28 12:27:52.0971 scfilter (a95c54b2ac3cc9c73fcdf9e51a1d6b51) C:\windows\system32\DRIVERS\scfilter.sys
2010/11/28 12:27:53.0142 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\windows\system32\drivers\secdrv.sys
2010/11/28 12:27:53.0283 Serenum (9ad8b8b515e3df6acd4212ef465de2d1) C:\windows\system32\DRIVERS\serenum.sys
2010/11/28 12:27:53.0329 Serial (5fb7fcea0490d821f26f39cc5ea3d1e2) C:\windows\system32\DRIVERS\serial.sys
2010/11/28 12:27:53.0439 sermouse (79bffb520327ff916a582dfea17aa813) C:\windows\system32\DRIVERS\sermouse.sys
2010/11/28 12:27:53.0501 sffdisk (9f976e1eb233df46fce808d9dea3eb9c) C:\windows\system32\DRIVERS\sffdisk.sys
2010/11/28 12:27:53.0610 sffp_mmc (932a68ee27833cfd57c1639d375f2731) C:\windows\system32\DRIVERS\sffp_mmc.sys
2010/11/28 12:27:53.0657 sffp_sd (4f1e5b0fe7c8050668dbfade8999aefb) C:\windows\system32\DRIVERS\sffp_sd.sys
2010/11/28 12:27:53.0751 sfloppy (db96666cc8312ebc45032f30b007a547) C:\windows\system32\DRIVERS\sfloppy.sys
2010/11/28 12:27:53.0813 sisagp (2565cac0dc9fe0371bdce60832582b2e) C:\windows\system32\DRIVERS\sisagp.sys
2010/11/28 12:27:53.0938 SiSRaid2 (a9f0486851becb6dda1d89d381e71055) C:\windows\system32\DRIVERS\SiSRaid2.sys
2010/11/28 12:27:53.0985 SiSRaid4 (3727097b55738e2f554972c3be5bc1aa) C:\windows\system32\DRIVERS\sisraid4.sys
2010/11/28 12:27:54.0125 Smb (3e21c083b8a01cb70ba1f09303010fce) C:\windows\system32\DRIVERS\smb.sys
2010/11/28 12:27:54.0203 spldr (95cf1ae7527fb70f7816563cbc09d942) C:\windows\system32\drivers\spldr.sys
2010/11/28 12:27:54.0390 srv (2dbedfb1853f06110ec2aa7f3213c89f) C:\windows\system32\DRIVERS\srv.sys
2010/11/28 12:27:54.0562 srv2 (db37131d1027c50ea7ee21c8bb4536aa) C:\windows\system32\DRIVERS\srv2.sys
2010/11/28 12:27:54.0687 srvnet (f5980b74124db9233b33f86fc5ebbb4f) C:\windows\system32\DRIVERS\srvnet.sys
2010/11/28 12:27:54.0811 stexstor (db32d325c192b801df274bfd12a7e72b) C:\windows\system32\DRIVERS\stexstor.sys
2010/11/28 12:27:54.0967 swenum (e58c78a848add9610a4db6d214af5224) C:\windows\system32\DRIVERS\swenum.sys
2010/11/28 12:27:55.0077 SynTP (8bd10dc8809dc69a1c5a795cb10add76) C:\windows\system32\DRIVERS\SynTP.sys
2010/11/28 12:27:55.0295 Tcpip (bb7f39c31c4a4417fd318e7cd184e225) C:\windows\system32\drivers\tcpip.sys
2010/11/28 12:27:55.0451 TCPIP6 (bb7f39c31c4a4417fd318e7cd184e225) C:\windows\system32\DRIVERS\tcpip.sys
2010/11/28 12:27:55.0576 tcpipreg (e64444523add154f86567c469bc0b17f) C:\windows\system32\drivers\tcpipreg.sys
2010/11/28 12:27:55.0716 tdcmdpst (4084ea00d50c858d6f9038f86ae2e2d0) C:\windows\system32\DRIVERS\tdcmdpst.sys
2010/11/28 12:27:55.0763 TDPIPE (1875c1490d99e70e449e3afae9fcbadf) C:\windows\system32\drivers\tdpipe.sys
2010/11/28 12:27:55.0872 TDTCP (7551e91ea999ee9a8e9c331d5a9c31f3) C:\windows\system32\drivers\tdtcp.sys
2010/11/28 12:27:55.0919 tdx (cb39e896a2a83702d1737bfd402b3542) C:\windows\system32\DRIVERS\tdx.sys
2010/11/28 12:27:56.0044 TermDD (c36f41ee20e6999dbf4b0425963268a5) C:\windows\system32\DRIVERS\termdd.sys
2010/11/28 12:27:56.0262 tos_sps32 (969377943fe7284609babbab4e06b93c) C:\windows\system32\DRIVERS\tos_sps32.sys
2010/11/28 12:27:56.0340 tssecsrv (98ae6fa07d12cb4ec5cf4a9bfa5f4242) C:\windows\system32\DRIVERS\tssecsrv.sys
2010/11/28 12:27:56.0481 tunnel (3e461d890a97f9d4c168f5fda36e1d00) C:\windows\system32\DRIVERS\tunnel.sys
2010/11/28 12:27:56.0559 TVALZ (fc24015b4052600c324c43e3a79c0664) C:\windows\system32\DRIVERS\TVALZ_O.SYS
2010/11/28 12:27:56.0668 uagp35 (750fbcb269f4d7dd2e420c56b795db6d) C:\windows\system32\DRIVERS\uagp35.sys
2010/11/28 12:27:56.0808 udfs (09cc3e16f8e5ee7168e01cf8fcbe061a) C:\windows\system32\DRIVERS\udfs.sys
2010/11/28 12:27:56.0871 uliagpkx (44e8048ace47befbfdc2e9be4cbc8880) C:\windows\system32\DRIVERS\uliagpkx.sys
2010/11/28 12:27:56.0995 umbus (049b3a50b3d646baeeee9eec9b0668dc) C:\windows\system32\DRIVERS\umbus.sys
2010/11/28 12:27:57.0042 UmPass (7550ad0c6998ba1cb4843e920ee0feac) C:\windows\system32\DRIVERS\umpass.sys
2010/11/28 12:27:57.0089 usbccgp (8455c4ed038efd09e99327f9d2d48ffa) C:\windows\system32\DRIVERS\usbccgp.sys
2010/11/28 12:27:57.0229 usbcir (04ec7cec62ec3b6d9354eee93327fc82) C:\windows\system32\DRIVERS\usbcir.sys
2010/11/28 12:27:57.0354 usbehci (1c333bfd60f2fed2c7ad5daf533cb742) C:\windows\system32\DRIVERS\usbehci.sys
2010/11/28 12:27:57.0495 usbhub (ee6ef93ccfa94fae8c6ab298273d8ae2) C:\windows\system32\DRIVERS\usbhub.sys
2010/11/28 12:27:57.0541 usbohci (a6fb7957ea7afb1165991e54ce934b74) C:\windows\system32\DRIVERS\usbohci.sys
2010/11/28 12:27:57.0666 usbprint (797d862fe0875e75c7cc4c1ad7b30252) C:\windows\system32\DRIVERS\usbprint.sys
2010/11/28 12:27:57.0791 usbscan (576096ccbc07e7c4ea4f5e6686d6888f) C:\windows\system32\DRIVERS\usbscan.sys
2010/11/28 12:27:57.0853 USBSTOR (d8889d56e0d27e57ed4591837fe71d27) C:\windows\system32\DRIVERS\USBSTOR.SYS
2010/11/28 12:27:57.0947 usbuhci (78780c3ebce17405b1ccd07a3a8a7d72) C:\windows\system32\DRIVERS\usbuhci.sys
2010/11/28 12:27:58.0009 vdrvroot (a059c4c3edb09e07d21a8e5c0aabd3cb) C:\windows\system32\DRIVERS\vdrvroot.sys
2010/11/28 12:27:58.0134 vga (17c408214ea61696cec9c66e388b14f3) C:\windows\system32\DRIVERS\vgapnp.sys
2010/11/28 12:27:58.0181 VgaSave (8e38096ad5c8570a6f1570a61e251561) C:\windows\System32\drivers\vga.sys
2010/11/28 12:27:58.0290 vhdmp (3be6e1f3a4f1afec8cee0d7883f93583) C:\windows\system32\DRIVERS\vhdmp.sys
2010/11/28 12:27:58.0384 viaagp (c829317a37b4bea8f39735d4b076e923) C:\windows\system32\DRIVERS\viaagp.sys
2010/11/28 12:27:58.0477 ViaC7 (e02f079a6aa107f06b16549c6e5c7b74) C:\windows\system32\DRIVERS\viac7.sys
2010/11/28 12:27:58.0540 viaide (e43574f6a56a0ee11809b48c09e4fd3c) C:\windows\system32\DRIVERS\viaide.sys
2010/11/28 12:27:58.0618 volmgr (384e5a2aa49934295171e499f86ba6f3) C:\windows\system32\DRIVERS\volmgr.sys
2010/11/28 12:27:58.0680 volmgrx (b5bb72067ddddbbfb04b2f89ff8c3c87) C:\windows\system32\drivers\volmgrx.sys
2010/11/28 12:27:58.0758 volsnap (d58f924289191ef4c20e475b12dec7a7) C:\windows\system32\DRIVERS\volsnap.sys
2010/11/28 12:27:58.0774 Suspicious file (Forged): C:\windows\system32\DRIVERS\volsnap.sys. Real md5: d58f924289191ef4c20e475b12dec7a7, Fake md5: 58df9d2481a56edde167e51b334d44fd
2010/11/28 12:27:58.0774 volsnap - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/11/28 12:27:58.0836 vsmraid (9dfa0cc2f8855a04816729651175b631) C:\windows\system32\DRIVERS\vsmraid.sys
2010/11/28 12:27:58.0945 vwifibus (90567b1e658001e79d7c8bbd3dde5aa6) C:\windows\System32\drivers\vwifibus.sys
2010/11/28 12:27:59.0070 vwififlt (7090d3436eeb4e7da3373090a23448f7) C:\windows\system32\DRIVERS\vwififlt.sys
2010/11/28 12:27:59.0133 WacomPen (de3721e89c653aa281428c8a69745d90) C:\windows\system32\DRIVERS\wacompen.sys
2010/11/28 12:27:59.0257 WANARP (692a712062146e96d28ba0b7d75de31b) C:\windows\system32\DRIVERS\wanarp.sys
2010/11/28 12:27:59.0273 Wanarpv6 (692a712062146e96d28ba0b7d75de31b) C:\windows\system32\DRIVERS\wanarp.sys
2010/11/28 12:27:59.0460 Wd (1112a9badacb47b7c0bb0392e3158dff) C:\windows\system32\DRIVERS\wd.sys
2010/11/28 12:27:59.0507 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\windows\system32\drivers\Wdf01000.sys
2010/11/28 12:27:59.0694 WfpLwf (8b9a943f3b53861f2bfaf6c186168f79) C:\windows\system32\DRIVERS\wfplwf.sys
2010/11/28 12:27:59.0741 WIMMount (5cf95b35e59e2a38023836fff31be64c) C:\windows\system32\drivers\wimmount.sys
2010/11/28 12:27:59.0928 WmiAcpi (0217679b8fca58714c3bf2726d2ca84e) C:\windows\system32\DRIVERS\wmiacpi.sys
2010/11/28 12:28:00.0006 ws2ifsl (6db3276587b853bf886b69528fdb048c) C:\windows\system32\drivers\ws2ifsl.sys
2010/11/28 12:28:00.0162 WudfPf (6f9b6c0c93232cff47d0f72d6db1d21e) C:\windows\system32\drivers\WudfPf.sys
2010/11/28 12:28:00.0287 WUDFRd (f91ff1e51fca30b3c3981db7d5924252) C:\windows\system32\DRIVERS\WUDFRd.sys
2010/11/28 12:28:00.0443 ================================================================================
2010/11/28 12:28:00.0443 Scan finished
2010/11/28 12:28:00.0443 ================================================================================
2010/11/28 12:28:00.0459 Detected object count: 1
2010/11/28 12:28:26.0214 volsnap (d58f924289191ef4c20e475b12dec7a7) C:\windows\system32\DRIVERS\volsnap.sys
2010/11/28 12:28:26.0214 Suspicious file (Forged): C:\windows\system32\DRIVERS\volsnap.sys. Real md5: d58f924289191ef4c20e475b12dec7a7, Fake md5: 58df9d2481a56edde167e51b334d44fd
2010/11/28 12:28:27.0727 Backup copy found, using it..
2010/11/28 12:28:27.0727 C:\windows\system32\DRIVERS\volsnap.sys - will be cured after reboot
2010/11/28 12:28:27.0727 Rootkit.Win32.TDSS.tdl3(volsnap) - User select action: Cure
2010/11/28 12:28:44.0498 Deinitialize success



ComboFix 10-11-27.01 - Rachel 11/28/2010 12:36:21.3.1 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1913.1380 [GMT -6:00]
Running from: c:\users\Rachel\Desktop\ComboFix.exe
Command switches used :: c:\users\Rachel\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-28 )))))))))))))))))))))))))))))))
.

2010-11-28 18:41 . 2010-11-28 18:41 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-11-26 22:40 . 2010-11-26 22:40 -------- d-----w- C:\rsit
2010-11-26 22:40 . 2010-11-26 22:40 -------- d-----w- c:\program files\trend micro
2010-11-18 00:00 . 2010-11-18 00:00 -------- d-----w- c:\users\Rachel\AppData\Local\Mozilla
2010-11-17 01:34 . 2010-11-17 01:34 -------- d-----w- c:\windows\Sun
2010-11-16 22:36 . 2010-06-19 06:15 2048 ----a-w- c:\windows\system32\tzres.dll
2010-11-16 00:54 . 2010-11-16 01:20 -------- d-----w- c:\program files\UnHackMe
2010-11-14 00:54 . 2010-11-14 00:54 -------- d-----w- c:\programdata\SITEguard
2010-11-14 00:53 . 2010-11-14 00:53 -------- d-----w- c:\program files\Common Files\iS3
2010-11-14 00:53 . 2010-11-16 01:02 -------- d-----w- c:\programdata\STOPzilla!
2010-11-13 23:34 . 2010-11-14 00:44 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-11-13 23:34 . 2010-11-13 23:35 -------- d-----w- c:\program files\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-28 18:29 . 2009-07-13 23:11 245328 ----a-w- c:\windows\system32\drivers\volsnap.sys
2010-09-08 04:30 . 2010-10-15 02:22 978432 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 04:28 . 2010-10-15 02:22 44544 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 03:22 . 2010-10-15 02:22 386048 ----a-w- c:\windows\system32\html.iec
2010-09-08 02:48 . 2010-10-15 02:22 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-01 04:23 . 2010-10-15 02:20 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-01 02:34 . 2010-10-15 02:20 2327552 ----a-w- c:\windows\system32\win32k.sys
2010-08-31 04:32 . 2010-10-15 02:21 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 04:32 . 2010-10-15 02:21 954288 ----a-w- c:\windows\system32\mfc40u.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-03 39408]
"NortonOnlineBackupReminder"="c:\program files\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe" [2009-07-16 529256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-02 174104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-02 151064]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-29 7625248]
"KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2009-01-14 34088]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2009-08-04 611672]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [x]
R0 szkg5;szkg5;c:\windows\system32\DRIVERS\szkg.sys [x]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 135664]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-08-17 51512]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-04 1343400]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe [2009-08-11 185712]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-11 46448]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2010-05-20 88176]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-05-23 167936]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11bg 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2009-08-13 376320]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-08-04 111960]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMDB
*Deregistered* - klmdb

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{01250B8F-D947-4F8A-9408-FE8E3EE2EC92}]
2009-08-06 16:15 264048 ----a-w- c:\program files\TOSHIBA\My Toshiba\MyToshiba.exe
.
Contents of the 'Scheduled Tasks' folder

2010-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 03:37]

2010-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 03:37]

2010-11-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-07 18:22]

2010-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-07 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
FF - ProfilePath - c:\users\Rachel\AppData\Roaming\Mozilla\Firefox\Profiles\ogl0cmuc.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Rachel\AppData\Local\Yahoo!\BrowserPlus\2.8.1\Plugins\npybrowserplus_2.8.1.dll
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3944)
c:\progra~1\mcafee\SITEAD~1\saHook.dll
.
Completion time: 2010-11-28 12:43:14
ComboFix-quarantined-files.txt 2010-11-28 18:43
ComboFix2.txt 2010-11-28 04:25
ComboFix3.txt 2010-11-28 00:57

Pre-Run: 209,215,266,816 bytes free
Post-Run: 209,178,038,272 bytes free

- - End Of File - - 2F166DA435C4B4525FA810CF83693AEE
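The TDSSKiller run above reports volsnap.sys as "Suspicious file (Forged)" with two different MD5 values: the driver listing line and the "Real md5" agree, while the "Fake md5" differs. That is the signature of a rootkit that sits below the file system and hands back different bytes than the sectors actually hold, which is how TDL3 hides its patched driver. The following Python is an added example, not code from the thread or from the TDSSKiller or ComboFix tools: it parses scan output in the format shown above, pairs each "Forged" line with its driver listing and its "detected" line, and runs the sanity checks a responder would want before acting on a single scanner line. The sample log is constructed from the lines in this thread; the regular expressions, class and function names (`parse_tdsskiller`, `consistency_issues`, `looks_forged`) are assumptions of this example, not part of any vendor format specification.

```python
"""Parse TDSSKiller-style scan output and pull out forged-driver detections."""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample in the format of the log above (a few lines copied, the rest omitted).
SAMPLE_LOG = r"""
2010/11/28 12:27:58.0758 volsnap (d58f924289191ef4c20e475b12dec7a7) C:\windows\system32\DRIVERS\volsnap.sys
2010/11/28 12:27:58.0774 Suspicious file (Forged): C:\windows\system32\DRIVERS\volsnap.sys. Real md5: d58f924289191ef4c20e475b12dec7a7, Fake md5: 58df9d2481a56edde167e51b334d44fd
2010/11/28 12:27:58.0774 volsnap - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/11/28 12:27:58.0836 vsmraid (9dfa0cc2f8855a04816729651175b631) C:\windows\system32\DRIVERS\vsmraid.sys
2010/11/28 12:28:00.0443 Scan finished
2010/11/28 12:28:00.0459 Detected object count: 1
"""

# Every line starts with a "YYYY/MM/DD HH:MM:SS.ffff " timestamp.
TS = r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+ "
DRIVER_RE = re.compile(TS + r"(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
FORGED_RE = re.compile(
    TS + r"Suspicious file \(Forged\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$"
)
DETECT_RE = re.compile(TS + r"(?P<name>\S+) - detected (?P<threat>\S+)")


@dataclass(frozen=True)
class ForgedDriver:
    name: str
    path: str
    threat: str
    listed_md5: str   # hash on the driver's own listing line
    real_md5: str     # "Real md5" from the Forged line
    fake_md5: str     # "Fake md5" from the Forged line


def parse_tdsskiller(text: str) -> List[ForgedDriver]:
    """Correlate listing, Forged and 'detected' lines by driver path / service name."""
    drivers: Dict[str, Tuple[str, str]] = {}        # lower(path) -> (service, listed md5)
    forged: Dict[str, Tuple[str, str, str]] = {}    # lower(path) -> (path, real, fake)
    threats: Dict[str, str] = {}                    # service -> threat label
    for line in text.splitlines():
        m = FORGED_RE.match(line)
        if m:
            forged[m["path"].lower()] = (m["path"], m["real"], m["fake"])
            continue
        m = DETECT_RE.match(line)
        if m:
            threats[m["name"]] = m["threat"]
            continue
        m = DRIVER_RE.match(line)
        if m:  # Windows paths are case-insensitive, so key on the lower-cased path
            drivers[m["path"].lower()] = (m["name"], m["md5"])
    results = []
    for key, (path, real, fake) in forged.items():
        name, listed = drivers.get(key, ("?", ""))
        results.append(ForgedDriver(name, path, threats.get(name, "unclassified"),
                                    listed, real, fake))
    return results


def consistency_issues(d: ForgedDriver) -> List[str]:
    """Checks to run before trusting one scanner verdict; an empty list means it holds up."""
    issues = []
    if d.real_md5 == d.fake_md5:
        issues.append("real and fake hashes are identical, so nothing was actually forged")
    if d.listed_md5 and d.listed_md5 not in (d.real_md5, d.fake_md5):
        issues.append("listing hash matches neither the real nor the fake hash")
    if d.threat == "unclassified":
        issues.append("forged file has no matching 'detected' line")
    return issues


def looks_forged(filesystem_view: bytes, raw_sector_view: bytes) -> bool:
    """Core of a 'Forged' verdict: bytes returned through the file system and bytes read
    from the underlying sectors must hash identically; a driver that filters disk reads
    for its own file (TDL3's hiding technique) makes the two views disagree."""
    return (hashlib.md5(filesystem_view).hexdigest()
            != hashlib.md5(raw_sector_view).hexdigest())


if __name__ == "__main__":
    for det in parse_tdsskiller(SAMPLE_LOG):
        print(f"{det.name}: {det.threat} at {det.path}")
        print(f"  listed={det.listed_md5} real={det.real_md5} fake={det.fake_md5}")
        for issue in consistency_issues(det):
            print(f"  WARNING: {issue}")
```

Run against the sample it reports the single volsnap detection with no warnings, which matches what the scan above concluded ("Detected object count: 1"). The same parser can be pointed at a saved TDSSKiller log file from a second machine to spot a forged system driver whose name a responder would otherwise skim past in a 200-line listing.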

#10 aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai

Posted 28 November 2010 - 02:06 PM

Hello, scotts18.
Looks good! How's your PC doing now? Are you experiencing any other problems?

We need to update your version of Java

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 22 (JDK or JRE)".
  • Click the Download JRE button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u22-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Please make sure you turn on the Java Automatic Update Feature

Then you will not have to remember to update it when Java introduces a new version.
Java is updated very frequently, and the old versions are malware magnets.

Note: This feature is available only on Windows XP, 2003, 2000 (SP2 or higher) and set by default for these operating systems.

NEXT:

We need to run an ESET Online Scan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Export to text file... to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Eset Smart Installer icon on your desktop.
  • Check the "YES, I accept the Terms of Use"
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push "List of found threats"
  • Push "Export to text file", and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the "<<Back" button.
  • Push Finish

NEXT:

We need to run an MBAM Scan
  • Please download Malwarebytes Anti-Malware and save it to your desktop.
    alternate download link 1
    alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • Run MBAM and you will be asked to update the program before performing a scan.
    If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If you encounter any problems while downloading the updates, manually download them from here
    and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



In your next reply, please include the following:
  • Eset Scan Log
  • MBAM Log

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#11 scotts18
  • Topic Starter
  • Members
  • 8 posts

Posted 28 November 2010 - 05:00 PM

I tried a few search results with no problems. Below are the ESET and MBAM logs.

C:\Users\Rachel\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35\6d914f63-6b5f8f11 a variant of Java/Rowindal.C trojan deleted - quarantined
C:\Users\Rachel\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\56919ea5-49ed35cf multiple threats deleted - quarantined
C:\Users\Rachel\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\bcc0505-44c8a05b multiple threats deleted - quarantined
C:\Users\Rachel\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\bcc0505-5cb3348c multiple threats deleted - quarantined
C:\Users\Rachel\Desktop\mstsc.exe a variant of Win32/Witkinat.V trojan cleaned by deleting - quarantined




Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5208

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

11/28/2010 3:56:55 PM
mbam-log-2010-11-28 (15-56-55).txt

Scan type: Quick scan
Objects scanned: 142113
Time elapsed: 4 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
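As an added example (not part of the thread), a small Python triage script that parses ESET Online Scanner export lines in the format scotts18 posted and counts how many detections sit in the Java deployment cache, which is exactly the kind of evidence behind aommaster's remark that old Java versions are malware magnets. The sample lines are copied from the log above; the line layout (path, threat, action, status) is inferred from them and is an assumption, not ESET documentation.

```python
import re
from collections import Counter

# Sample lines copied from the ESET export scotts18 posted in this thread.
# Assumed line format (inferred from those lines): <path> <threat> <action> - <status>
SAMPLE_LOG = r"""
C:\Users\Rachel\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35\6d914f63-6b5f8f11 a variant of Java/Rowindal.C trojan deleted - quarantined
C:\Users\Rachel\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\56919ea5-49ed35cf multiple threats deleted - quarantined
C:\Users\Rachel\Desktop\mstsc.exe a variant of Win32/Witkinat.V trojan cleaned by deleting - quarantined
"""

# The path is taken as the first run of non-space characters (an assumption that
# holds for the posted lines; paths containing spaces would need a different anchor).
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S+) (?P<threat>.+?) "
    r"(?P<action>deleted|cleaned by deleting) - (?P<status>\w+)$"
)

# Java applet / Web Start cache directory, as it appears in the posted paths.
JAVA_CACHE_MARKER = r"\sun\java\deployment\cache"


def parse_eset_log(text):
    """Return one dict per parsable detection line; unparsable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def classify(path):
    """Bucket a detection by where it sat on disk."""
    if JAVA_CACHE_MARKER in path.lower():
        return "java-cache"  # content pulled in by the browser's Java plug-in
    return "other"


def summarize(records):
    """Count detections per location bucket."""
    return Counter(classify(r["path"]) for r in records)


if __name__ == "__main__":
    recs = parse_eset_log(SAMPLE_LOG)
    for r in recs:
        print(f"{classify(r['path']):10} {r['threat']} ({r['action']}, {r['status']})")
    print(dict(summarize(recs)))
```

A high java-cache count after a scan is a strong hint that the browser's Java plug-in was the entry point, so updating or removing old JREs and clearing the cache (as advised later in the thread) matters more than the individual quarantined files.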

#12 aommaster

    I !<3 malware

  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai

Posted 28 November 2010 - 05:07 PM

Hello, scotts18.
Those logs look fine. Let's clean up :)

We need to uninstall Combofix
  • Click on your Start Menu, then Run....
  • Now type combofix /uninstall in the runbox and click OK. Notice the space between the "x" and "/".

NEXT:

We need to clear the Java cache
  • Click Start > Control Panel
  • Double-click the Java icon in the control panel
  • Click Settings under Temporary Internet Files.
  • Click Delete Files
  • Check all the boxes
  • Click Ok

NEXT:

We need to enable TeaTimer
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Mode and then on "Advanced Mode"
  • You may be presented with a warning dialog. If so, press yes
  • Click on Tools
  • Click on Resident
  • Check the following checkboxes:
    • Resident "SDHelper" (Internet Explorer bad download blocker) active.
    • Resident "TeaTimer" (Protection for over-all system settings) active.
  • Close/Exit Spybot Search and Destroy

 

Your Log looks clean! You can now delete the tools and the respective logs produced.

Please take the time to read below to secure your machine and take the necessary steps to keep it clean :)

There are many ways to reduce the chance of getting infected in the future. Below, I have listed a few:
  • Practice Safe Internet
    • Be wary about attachments in emails. Avoid opening .exe, .com, .bat, or .pif files.
    • Watch out for Foistware. More info can be found on Foistware, And how to avoid it.
    • Do not fall for Rogue/Suspect Anti-Spyware Products & Web Sites
    • Do not go to adult sites.
    • When using an Instant Messaging program be cautious about clicking on links people send to you.
    • Stay away from Warez and Crack sites. In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.
    • Use McAfee Siteadvisor to look up info on a site if you are not sure whether it is legitimate
    • Do not install any software without first reading the End User License Agreement, otherwise known as the EULA.
  • Make Internet Explorer more secure
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt

        When all these settings have been made, click on the OK button. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Make Firefox more secure
    Firefox is a relatively safe browser compared to Internet Explorer. However, if you'd still like to enhance security, consider some of these extensions:
    • NoScript: Add-on which automatically blocks Javascript and Java from running on sites.
    • Firekeeper: Add-on which aims to protect you from malicious websites which may exploit browser and code security flaws.
    • KeyScrambler: Add-on that protects your passwords from being detected by keyloggers.
  • Keep Windows updated
    Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer. Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install.
  • Install and update the following programs frequently
    • An outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here
    • An antivirus software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats. Three good antivirus programs free for non-commercial home use are Avast! and Antivir and AVG Antivirus
    • An antispyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates. SUPERAntiSpyware is another good scanner with high detection and removal rates. Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • SpywareBlaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file
  • Keep your other software updated too
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.

Some more links you might find of interest:



#13 scotts18
  • Topic Starter
  • Members
  • 8 posts

Posted 28 November 2010 - 07:56 PM

Ok, I have uninstalled ComboFix and reactivated TeaTimer. I was unable to check the box beside "Resident "SDHelper" (Internet Explorer bad download blocker) active" because it was grayed out. Maybe I didn't install that part. Should I reinstall Spybot?

I will install the malware programs you suggested. I have my McAfee set to automatically update. I will begin updating Windows and other software.

I have tried several searches and no redirects occurred.

I really appreciate all the help. Your instructions were very clear, concise, and thorough. This is a great service that you provide.

#14 aommaster

    I !<3 malware

  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai

Posted 28 November 2010 - 08:27 PM

Hi!

Thank you for your kind words :)

I was unable to check the box beside "Resident "SDHelper" (Internet Explorer bad download blocker) active" because it was grayed out. Maybe I didn't install that part. Should I reinstall Spybot?

If you use FireFox as your default browser, then the SDHelper module won't benefit you. If you do use IE, then while it is a good function to have running, it is not as important. The most important part of SpyBot is TeaTimer.

Let me know if you have any more questions.



#15 scotts18
  • Topic Starter
  • Members
  • 8 posts

Posted 28 November 2010 - 08:42 PM

That is all I have. Again, I really appreciate all your help!

Thanks,
Scott



