Google Redirects in FireFox/IE


  • This topic is locked
18 replies to this topic

#1 JR2_Alaska

  • Members
  • 24 posts

Posted 24 February 2011 - 11:35 AM

I started having redirects and new-tab pop-ups in FF and IE yesterday, so I initially ran Malwarebytes (already installed) and my McAfee VScan. McAfee gave a warning about rootkits possibly being installed and cleaned some files up. Malwarebytes found nothing. Figured I was good; nope, still getting redirects from Google search results. So I came here. I tried to run Defogger but get an error saying I need to be an admin to run the program, but I am an admin. I went ahead and ran DDS and GMER. Logs and such below.

Thanks in advance.

DDS Log

DDS (Ver_10-12-12.02) - NTFSx86
Run by rathert at 5:03:39.56 on Thu 02/24/2011
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2701 [GMT -9:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\CmgShieldSvc.exe
C:\WINDOWS\system32\EMSService.exe
"C:\WINDOWS\system32\svchost.exe"
"C:\WINDOWS\system32\svchost.exe"
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\etlisrv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\lxeacoms.exe
C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Novadigm\radexecd.exe
C:\PROGRA~1\Novadigm\radsched.exe
C:\PROGRA~1\Novadigm\Radstgms.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\Timbuktu Pro\TimbuktuRemoteConsole.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Timbuktu Pro\minitb2.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\WINDOWS\System32\CMGShieldUI.exe
C:\WINDOWS\system32\EmsServiceHelper.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HTC\HTC Sync\Application Launcher\Application Launcher.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\PROGRA~1\Novadigm\radtray.exe
C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe
C:\Program Files\Lexmark S300-S400 Series\ezprint.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\I8kfanGUI\I8kfanGUI.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Documents and Settings\rathert\Desktop\dds.scr
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Teleca Shared\logger.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\HTC\HTC Sync\ClientInitiatedStarter\ClientInitiatedStarter.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\epmworker.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\FsynSrvStarter.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uWindow Title = Windows Internet Explorer provided by Schlumberger
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uStart Page = hxxp://hub.slb.com
uDefault_Page_URL = hxxp://hub.slb.com
mDefault_Page_URL = hxxp://hub.slb.com
mStart Page = hxxp://www.hub.slb.com/
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: ViewerHelper Class: {78104a01-8e71-4f30-9a36-3793799615b4} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [i8kfangui] c:\program files\i8kfangui\I8kfanGUI.exe /startup
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [Password Reminder] remind.vbs
mRun: [TLogonPath] "c:\program files\timbuktu pro\\minitb2.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [Communicator] "c:\program files\microsoft office communicator\communicator.exe" /fromrunkey
mRun: [CmgShieldUI] c:\windows\system32\CMGShieldUI.exe
mRun: [EmsService] EmsServiceHelper.exe
mRun: [EFS] c:\windows\system32\wscript.exe c:\progra~1\novadigm\SLB_EFS.VBS
mRun: [Norton Ghost 12.0] "c:\program files\norton ghost\agent\VProTray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Mobile Connectivity Suite] "c:\program files\htc\htc sync\application launcher\Application Launcher.exe" /startoptions
mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [RUNRADTRAY] c:\progra~1\novadigm\radtray.exe
mRun: [lxeamon.exe] "c:\program files\lexmark s300-s400 series\lxeamon.exe"
mRun: [EzPrint] "c:\program files\lexmark s300-s400 series\ezprint.exe"
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-system: DisableChangePassword = 1 (0x1)
mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)
mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBC} - d:\program files\java\jre6\bin\ssv.dll
IE: {685ec120-f786-4498-a8f0-794d47916161} - {C733FB84-6DB3-4363-8AA7-678F9B5E828E} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - {78104A01-8E71-4F30-9A36-3793799615B4} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Trusted Zone: abbeyinternational.com
Trusted Zone: accenture.com
Trusted Zone: alpinemud.com
Trusted Zone: atbalance.com
Trusted Zone: atosorigin-asp.com
Trusted Zone: atosorigin-asp.com\*.slb
Trusted Zone: books24x7.com
Trusted Zone: boydsrental.com
Trusted Zone: citibank.com
Trusted Zone: coiltubingservices.com
Trusted Zone: deeptec.com.br
Trusted Zone: dell.com
Trusted Zone: drillmotors.com
Trusted Zone: dutchco.com
Trusted Zone: dyna-drill.com
Trusted Zone: dynadrill.com
Trusted Zone: ecutec.com
Trusted Zone: emhobbs.com
Trusted Zone: employcareers.com
Trusted Zone: enertech-ws.com
Trusted Zone: etrade.com
Trusted Zone: extremeeng.com
Trusted Zone: geodiamond.com
Trusted Zone: geoquest.com
Trusted Zone: geoservices.com
Trusted Zone: indigopool.com
Trusted Zone: innerlogix.com
Trusted Zone: intouchsupport.com
Trusted Zone: iwilson.com
Trusted Zone: microsoft.com
Trusted Zone: miswaco.com
Trusted Zone: miswaco.com\web
Trusted Zone: ml.com
Trusted Zone: mydexa.com
Trusted Zone: nexusgeo.com
Trusted Zone: omniseals.com
Trusted Zone: pathfinder-int.com
Trusted Zone: pathfinder-ltd.co.uk
Trusted Zone: pathfinderlwd.com
Trusted Zone: perfolog.com
Trusted Zone: petroal.ru
Trusted Zone: petroalliance.com
Trusted Zone: siismithservices.com
Trusted Zone: skillport.com
Trusted Zone: skillsoft.com
Trusted Zone: slb.com\*.aodc
Trusted Zone: smartforce.com
Trusted Zone: smith-innerarmor.com
Trusted Zone: smith-intl.com
Trusted Zone: smith.com
Trusted Zone: smith.com\smithlink
Trusted Zone: smithbits.com
Trusted Zone: smithborehole.com
Trusted Zone: smithdrilling.com
Trusted Zone: ssafara.net
Trusted Zone: standardchartered.com\webbank
Trusted Zone: sweco.com
Trusted Zone: thomastools.com
Trusted Zone: unitedwire.com
Trusted Zone: virtualbranches.com
Trusted Zone: weirhouston.com
Trusted Zone: westerngeco.com
Trusted Zone: whdrillingsolutions.com
Trusted Zone: whes.com
Trusted Zone: wilsonconfidential.com
Trusted Zone: wilsonconfidential.com\www
Trusted Zone: wilsononline.com
Trusted Zone: geoquest.com
Trusted Zone: intouchsupport.com
Trusted Zone: mydexa.com
Trusted Zone: slb.com
Trusted Zone: standardchartered.com\webbank
Trusted Zone: virtualbranches.com
Trusted Zone: westerngeco.com
DPF: {409C0FFE-1E5F-4195-A349-4C13306692DE} - hxxps://www.interact.slb.com/webdd/TimePlotNew.CAB
DPF: {4409A1D5-C9D3-4DC0-98FE-126B08435A9A} - hxxps://www.interact.slb.com/webdd/LgWrapper2.CAB
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {6F6FDB9E-5072-498C-BCB0-2B7F00C49EE7} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://sisevents.webex.com/client/T26L/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E399A0AF-72FA-4D8F-927F-28856D6B4E36} - hxxps://www.interact.slb.com/webdd/LgWrapper.CAB
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://gateway.slb.com/dana-cached/setup/JuniperSetupSP1.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://gateway.slb.com/dana-cached/sc/JuniperSetupClient.cab
Filter: application/msword - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Filter: application/vnd.ms-excel - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Filter: application/vnd.ms-powerpoint - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Filter: application/x-microsoft-rpmsg-message - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Handler: rmh - {23C585BB-48FF-4865-8934-185F0A7EB84C} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Notify: CMGShieldNP - CmgShieldNP.dll
Notify: slbScCertProp - c:\windows\system32\ScCertProp.dll
Notify: Timbuktu Pro - c:\program files\timbuktu pro\Hook32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - No File
mASetup: {EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5} - rundll32.exe advpack.dll,LaunchINFSectionEx c:\windows\inf\wmactedp.inf,PerUserStub,,4

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rathert\applic~1\mozilla\firefox\profiles\ypi99ins.default\
FF - plugin: c:\documents and settings\rathert\application data\mozilla\firefox\profiles\ypi99ins.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
FF - plugin: c:\windows\system32\c2mp\npdivx32.dll
FF - plugin: d:\program files\google\picasa3\npPicasa2.dll
FF - plugin: d:\program files\google\picasa3\npPicasa3.dll
FF - plugin: d:\program files\itunes\mozilla plugins\npitunes.dll
FF - plugin: d:\program files\java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: d:\program files\java\jre6\bin\new_plugin\npjp2.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Tab Mix Plus: {dc572301-7619-498c-a57d-39143191b318} - %profile%\extensions\{dc572301-7619-498c-a57d-39143191b318}
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Java Quick Starter: jqs@sun.com - d:\program files\java\jre6\lib\deploy\jqs\ff

============= SERVICES / DRIVERS ===============

R0 CmgShieldCEF;CmgShieldCEF;c:\windows\system32\drivers\CMGShCEF.sys [2009-4-8 404592]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-1-21 343664]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2011-1-31 28552]
R1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [2008-1-16 14464]
R1 NEOFLTR_600_13073;Juniper Networks TDI Filter Driver (NEOFLTR_600_13073);c:\windows\system32\drivers\NEOFLTR_600_13073.sys [2008-4-30 64160]
R1 Tb2Device;TB2 Remote Control Driver;NetopiaRC\Tb2Device.sys --> NetopiaRC\Tb2Device.sys [?]
R1 Tb2MirrorSys;TB2 Remote Control Mirror Driver;NetopiaRC\Tb2MirrorSys.sys --> NetopiaRC\Tb2MirrorSys.sys [?]
R2 CMGShield;CMG Shield;c:\windows\system32\CmgShieldSvc.exe [2009-4-8 2057576]
R2 EMS;EMS;c:\windows\system32\EmsService.exe [2009-4-8 709992]
R2 ETFSDNT;Entrust File System Hook;c:\windows\system32\Etfsdrv.sys [2007-5-7 52432]
R2 lxea_device;lxea_device;c:\windows\system32\lxeacoms.exe -service --> c:\windows\system32\lxeacoms.exe -service [?]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\engineserver.exe [2009-8-31 21256]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-11-10 103744]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2009-8-31 146448]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2009-8-31 66896]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-1-21 70728]
R2 MSSQL$DRILLING;SQL Server (DRILLING);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-9-6 29180768]
R2 Radexecd;HP OVCM Notify Daemon;c:\progra~1\novadigm\radexecd.exe [2010-5-24 300776]
R2 Radsched;HP OVCM Scheduler Daemon;c:\progra~1\novadigm\radsched.exe [2010-5-24 194280]
R2 Radstgms;HP OVCM MSI Redirector;c:\progra~1\novadigm\Radstgms.exe [2010-5-24 333544]
R3 Egatebus;Egatebus;c:\windows\system32\drivers\egatebus.sys [2005-3-1 11264]
R3 Egaterdr;Egaterdr;c:\windows\system32\drivers\egaterdr.sys [2005-3-1 10752]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-1-21 91672]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-21 136176]
S2 lxeaCATSCustConnectService;lxeaCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxeaserv.exe [2011-1-12 193192]
S3 CmgShieldNP;CmgShieldNP;c:\windows\system32\CmgShieldNP.dll [2009-4-8 161128]
S3 EL3C589;3Com Megahertz LAN PC Card Driver;c:\windows\system32\drivers\el589nd5.sys [2008-1-15 26141]
S3 ETDSVC;Entrust/TrueDelete™;c:\windows\system32\etdsvc.exe [2005-1-10 10240]
S3 GKUPRO2D;GKUPRO2D;c:\windows\system32\drivers\GKUPRO2D.sys [2008-1-14 62048]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2010-6-29 24576]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-1-21 43288]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-1-21 65448]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-21 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-21 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-6-18 23680]
S3 OracleOraHome817Agent;OracleOraHome817Agent;c:\oracle\ora817\bin\dbsnmp.exe --> c:\oracle\ora817\bin\dbsnmp.exe [?]
S3 OracleOraHome817ClientCache;OracleOraHome817ClientCache;c:\oracle\ora817\bin\onrsd.exe --> c:\oracle\ora817\bin\ONRSD.EXE [?]
S3 OracleOraHome817DataGatherer;OracleOraHome817DataGatherer;c:\oracle\ora817\bin\vppdc.exe --> c:\oracle\ora817\bin\vppdc.exe [?]
S3 OracleOraHome817HTTPServer;OracleOraHome817HTTPServer;c:\oracle\ora817\apache\apache\apache.exe --> c:\oracle\ora817\apache\apache\Apache.exe [?]
S3 OracleOraHome817PagingServer;OracleOraHome817PagingServer;c:\oracle\ora817/bin/pagntsrv.exe --> c:\oracle\Ora817/bin/pagntsrv.exe [?]
S3 OracleOraHome817TNSListener;OracleOraHome817TNSListener;c:\oracle\ora817\bin\tnslsnr --> c:\oracle\ora817\bin\TNSLSNR [?]
S3 OracleServicegfpc8;OracleServicegfpc8;c:\oracle\ora817\bin\oracle.exe gfpc8 --> c:\oracle\ora817\bin\ORACLE.EXE gfpc8 [?]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2008-8-31 9472]
S4 R72_NT4;R72_NT4;c:\windows\system32\drivers\r72_nt4.sys --> c:\windows\system32\drivers\R72_NT4.sys [?]
S4 R72V2NT4;R72V2NT4; [x]

=============== Created Last 30 ================

2011-02-23 20:43:54 156160 ----a-w- c:\windows\system32\WS_ContextMenu.dll
2011-02-23 17:20:08 -------- d-----w- c:\docume~1\alluse~1\applic~1\xml_param
2011-02-23 15:44:12 158720 ----a-w- c:\windows\system32\WS_VideoConverterContextMenu.dll
2011-02-22 12:34:49 439296 -c----w- c:\windows\system32\dllcache\shimgvw.dll
2011-02-22 12:34:49 301568 -c----w- c:\windows\system32\dllcache\kerberos.dll
2011-02-18 15:31:40 -------- d-----w- c:\docume~1\rathert\applic~1\AnvSoft
2011-01-31 14:38:00 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2011-01-31 14:34:59 -------- d-----w- c:\program files\Panda Security
2011-01-30 20:14:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-30 20:13:57 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

==================== Find3M ====================

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:08:45 832512 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:08:45 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-12-20 23:08:45 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 23:08:45 17408 ----a-w- c:\windows\system32\corpol.dll
2010-12-20 12:55:25 389120 ----a-w- c:\windows\system32\html.iec
2010-12-02 03:35:18 4280320 ----a-w- c:\windows\system32\GPhotos.scr

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600

CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8B43A439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8b4407b8]; MOV EAX, [0x8b440834]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8B3A6AB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8B247DB0]
\Driver\atapi[0x8B493370] -> IRP_MJ_CREATE -> 0x8B43A439
kernel: MBR read successfully
_asm { NOP ; XOR AX, AX; NOP ; MOV DS, AX; MOV ES, AX; NOP ; MOV SS, AX; MOV SP, 0x7c00; MOV SI, 0x7c00; NOP ; MOV DI, 0x600; NOP ; MOV CX, 0x80; NOP ; CLD ; REP MOVSD ; NOP ; JMP FAR 0x0:0x626; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8B43A27F
user != kernel MBR !!!
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 5:06:30.15 ===============


gmer Log:

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-02-24 07:33:09
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: d:\NOTENC~1\uxliipob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\NetopiaRC\Tb2Device.sys ZwEnumerateValueKey [0xBA4091F4]
SSDT \SystemRoot\NetopiaRC\Tb2Device.sys ZwQueryValueKey [0xBA409223]
SSDT \SystemRoot\NetopiaRC\Tb2Device.sys ZwSetValueKey [0xBA409252]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0xB9D34610]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB9D34624]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9D345D4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9D345E8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0xB9D3464E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB9D3463A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9D345FC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!NtOpenProcess 805CB408 5 Bytes JMP B9D345D8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB694 5 Bytes JMP B9D345EC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE52 5 Bytes JMP B9D3463E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1142 7 Bytes JMP B9D34628 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11F8 5 Bytes JMP B9D34614 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1702 5 Bytes JMP B9D34652 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AA 5 Bytes JMP B9D34600 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB7945360, 0x30A247, 0xE8000020]
init C:\WINDOWS\system32\drivers\egatebus.sys entry point in "init" section [0xB9CB7C12]
init C:\WINDOWS\NetopiaRC\Tb2Device.sys entry point in "init" section [0xBA40A000]
? d:\NOTENC~1\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Microsoft Office Communicator\communicator.exe[384] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 330BD62A C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)
.text C:\WINDOWS\System32\svchost.exe[1780] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A6000A
.text C:\WINDOWS\System32\svchost.exe[1780] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A7000A
.text C:\WINDOWS\System32\svchost.exe[1780] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A5000C
.text C:\WINDOWS\System32\svchost.exe[1780] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00EE000A
.text C:\WINDOWS\System32\svchost.exe[1780] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 00EF000A
.text C:\WINDOWS\System32\svchost.exe[1780] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 00F0000A
.text C:\WINDOWS\System32\svchost.exe[1780] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00FA000A
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2696] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0094000A
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2696] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0095000A
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2696] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0093000C
.text C:\WINDOWS\Explorer.EXE[2840] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\Explorer.EXE[2840] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C2000A
.text C:\WINDOWS\Explorer.EXE[2840] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B7000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[2912] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 016F000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2912] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0170000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2912] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 016E000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs CMGShCEF.sys (CMG Shield for Windows Driver/CREDANT Technologies, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8B43A27F
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 8B43A27F
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8B43A27F

AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Device\Ide\IdeDeviceP1T0L0-e -> \??\IDE#DiskHitachi_HTS722016K9A300_________________DCDOCA1H#38303730333050444430303856444d475a364347#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Files - GMER 1.0.15 ----

File C:\System Volume Information\_restore{55C11BCB-2FE8-498F-93E5-6905A96DE146}\RP684\CredDB.CEF 1184 bytes
File C:\WINDOWS\system32\config\systemprofile\Cookies\system@bluekai[2].txt 770 bytes
File C:\WINDOWS\system32\config\systemprofile\Cookies\system@scorecardresearch[2].txt 115 bytes
File C:\WINDOWS\system32\config\systemprofile\Cookies\system@adap[1].txt 704 bytes
File C:\WINDOWS\system32\config\systemprofile\Cookies\system@www.retrevo[1].txt 133 bytes
File C:\Documents and Settings\All Users\Documents\My Music\Sample Music\CredDB.CEF 626 bytes
File C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\3618A\CredDB.CEF 3688 bytes
File C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\CredDB.CEF 1480 bytes
File C:\Documents and Settings\rathert\Application Data\Microsoft\Outlook\CredDB.CEF 3256 bytes
File C:\Documents and Settings\rathert\Desktop\CredDB.CEF 5244 bytes
File C:\Documents and Settings\rathert\Desktop\Gtab Files\CredDB.CEF 888 bytes
File C:\Documents and Settings\rathert\Local Settings\Application Data\Identities\{AEB7F6BD-701B-4FBF-9713-77E68F9A124A}\Microsoft\Outlook Express\CredDB.CEF 3552 bytes
File C:\Documents and Settings\rathert\Local Settings\Application Data\Microsoft\Communicator\CredDB.CEF 592 bytes
File C:\Documents and Settings\rathert\Local Settings\Application Data\Microsoft\Outlook\OAB\CredDB.CEF 2664 bytes
File C:\Documents and Settings\rathert\Local Settings\Application Data\Microsoft\Outlook\CredDB.CEF 4738 bytes
File C:\Documents and Settings\rathert\Local Settings\Temporary Internet Files\Content.IE5\CredDB.CEF 296 bytes
File C:\Documents and Settings\rathert\Local Settings\Temporary Internet Files\Content.Word\CredDB.CEF 1336 bytes

---- EOF - GMER 1.0.15 ----
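The mbr.exe section of the log above ends with "user != kernel MBR !!!": the tool read sector 0 once through the ordinary file API (the CreateFile call on \\.\PHYSICALDRIVE0 that failed with a sharing violation, hence "user: error reading MBR") and once from inside the kernel, then compared the two copies. The script below is an added example, not part of the original post and not GMER's code; it shows what that comparison and the partition-table parse look like on two constructed 512-byte images. The "kernel" image starts with my own encoding of the instruction sequence the log disassembled from the kernel-read MBR (the NOP placement and operand encoding are an assumption), the single NTFS partition entry is made up, and the device path \\.\PhysicalDrive0 is used only for the user-mode read, which is the one half a user-mode script can actually perform.

```python
"""Interpret an MBR rootkit detector's "user != kernel MBR" verdict.

Added example for this thread; it is not GMER's code and not from the
original post. The detector reads sector 0 twice: once through the normal
file API (the "user" view) and once from inside the kernel, below the
hooked atapi DriverStartIo listed under "detected hooks" (the "kernel"
view). If the two copies differ, something between the file API and the
hardware is lying about the boot sector. Both images below are
constructed; only the user-mode read is real.
"""
import struct
from dataclasses import dataclass
from typing import Optional

SECTOR = 512
BOOT_SIG = b"\x55\xAA"
PT_OFFSET = 446  # four 16-byte partition entries start here


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_mbr(img: bytes) -> list:
    """Validate the boot signature and return the non-empty partition entries."""
    if len(img) != SECTOR:
        raise ValueError("MBR image must be exactly %d bytes" % SECTOR)
    if img[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        e = img[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        type_id = e[4]
        if type_id == 0:
            continue  # empty slot
        lba, count = struct.unpack_from("<II", e, 8)
        parts.append(Partition(i, e[0] == 0x80, type_id, lba, count))
    return parts


def read_user_mbr(device=r"\\.\PhysicalDrive0") -> Optional[bytes]:
    """User-mode read of sector 0 (needs Windows and admin rights).

    Returns None on failure, which is what the log shows: CreateFile failed
    with a sharing violation, so the tool reported "user: error reading MBR".
    """
    try:
        with open(device, "rb", buffering=0) as f:
            return f.read(SECTOR)
    except OSError:
        return None


def compare_views(user_view: Optional[bytes], kernel_view: bytes) -> dict:
    """Byte-for-byte comparison of the two views, split into boot code
    (bytes 0-445) and partition table (446-511)."""
    if user_view is None:
        return {"verdict": "user read failed; kernel view only",
                "code_differs": None, "table_differs": None, "first_diff": None}
    diffs = [i for i in range(SECTOR) if user_view[i] != kernel_view[i]]
    code = any(i < PT_OFFSET for i in diffs)
    table = any(i >= PT_OFFSET for i in diffs)
    if not diffs:
        verdict = "user == kernel MBR"
    elif code and not table:
        # A bootkit that swaps the loader but keeps the partition table
        # intact (so Windows still boots) looks exactly like this.
        verdict = "user != kernel MBR (boot code replaced, partition table intact)"
    else:
        verdict = "user != kernel MBR"
    return {"verdict": verdict, "code_differs": code,
            "table_differs": table, "first_diff": diffs[0] if diffs else None}


def _build_image(boot_code: bytes) -> bytes:
    """Constructed MBR: given boot code, one bootable NTFS (0x07) partition, signature."""
    entry = bytes([0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 63, 1_000_000)
    table = entry + b"\x00" * 48
    return boot_code.ljust(PT_OFFSET, b"\x00") + table + BOOT_SIG


# Constructed "user" view: a conventional loader prologue
# (xor ax,ax / mov ss,ax / mov sp,0x7c00).
CLEAN_MBR = _build_image(b"\x33\xC0\x8E\xD0\xBC\x00\x7C")

# Constructed "kernel" view: my own encoding of the instructions the log
# disassembled from the kernel-read MBR. NOP-padded relocation of the sector
# from 0x7c00 to 0x600 (0x80 dwords = 512 bytes) then a far jump into the copy.
# Sample data, not a detection signature.
TDL_STUB = bytes.fromhex(
    "9031C0908ED88EC0908ED0BC007CBE007C90BF000690B9800090FC"
    "F366A590EA26060000"
)
KERNEL_MBR = _build_image(TDL_STUB)

if __name__ == "__main__":
    for p in parse_mbr(KERNEL_MBR):
        print("partition", p)
    print(compare_views(CLEAN_MBR, KERNEL_MBR)["verdict"])
    print(compare_views(read_user_mbr(), KERNEL_MBR)["verdict"])
```

Run stand-alone it parses the constructed table (one bootable 0x07 partition at LBA 63), reports that the two views diverge at byte 0 in the boot code while the partition table matches, and then attempts the real user-mode read, which on a non-Windows host or without admin rights falls through to the "user read failed" branch the log also hit. The kernel half cannot be reproduced from a script: its whole point is to bypass the DriverStartIo hook, which is why a script should never conclude "clean" from a matching user-mode read alone.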


#2 JR2_Alaska

  • Topic Starter

  • Members
  • 24 posts

Posted 25 February 2011 - 11:47 AM

I have been trying to get rid of this thing by myself, and I have removed some programs as well as updated others, along with some housecleaning. Thought I'd better post new logs so that when someone comes to help me they have the correct data.

New DDS:
DDS (Ver_10-12-12.02) - NTFSx86
Run by rathert at 4:38:51.27 on Fri 02/25/2011
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_24

============== Running Processes ===============

C:\WINDOWS\system32\CmgShieldSvc.exe
C:\WINDOWS\system32\EMSService.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\etlisrv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\lxeacoms.exe
C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Novadigm\radexecd.exe
C:\PROGRA~1\Novadigm\radsched.exe
C:\PROGRA~1\Novadigm\Radstgms.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\StacSV.exe
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\Timbuktu Pro\TimbuktuRemoteConsole.exe
C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Timbuktu Pro\minitb2.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\Program Files\DellTPad\HidFind.exe
C:\WINDOWS\System32\CMGShieldUI.exe
C:\WINDOWS\system32\EmsServiceHelper.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\Program Files\HTC\HTC Sync\Application Launcher\Application Launcher.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\DellTPad\Apntex.exe
C:\PROGRA~1\Novadigm\radtray.exe
C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe
C:\Program Files\Lexmark S300-S400 Series\ezprint.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\I8kfanGUI\I8kfanGUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Teleca Shared\logger.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\HTC\HTC Sync\ClientInitiatedStarter\ClientInitiatedStarter.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\epmworker.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\FsynSrvStarter.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wuauclt.exe
d:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 10.0\Reader\Eula.exe
C:\Documents and Settings\rathert\Desktop\dds.scr
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k netsvcs

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uWindow Title = Windows Internet Explorer provided by Schlumberger
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uStart Page = hxxp://hub.slb.com
uDefault_Page_URL = hxxp://hub.slb.com
mDefault_Page_URL = hxxp://hub.slb.com
mStart Page = hxxp://www.hub.slb.com/
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: ViewerHelper Class: {78104a01-8e71-4f30-9a36-3793799615b4} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [i8kfangui] c:\program files\i8kfangui\I8kfanGUI.exe /startup
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [Password Reminder] remind.vbs
mRun: [TLogonPath] "c:\program files\timbuktu pro\\minitb2.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [Communicator] "c:\program files\microsoft office communicator\communicator.exe" /fromrunkey
mRun: [CmgShieldUI] c:\windows\system32\CMGShieldUI.exe
mRun: [EmsService] EmsServiceHelper.exe
mRun: [EFS] c:\windows\system32\wscript.exe c:\progra~1\novadigm\SLB_EFS.VBS
mRun: [Norton Ghost 12.0] "c:\program files\norton ghost\agent\VProTray.exe"
mRun: [Mobile Connectivity Suite] "c:\program files\htc\htc sync\application launcher\Application Launcher.exe" /startoptions
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [RUNRADTRAY] c:\progra~1\novadigm\radtray.exe
mRun: [lxeamon.exe] "c:\program files\lexmark s300-s400 series\lxeamon.exe"
mRun: [EzPrint] "c:\program files\lexmark s300-s400 series\ezprint.exe"
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRunOnce: [Uninstall Adobe Download Manager] "c:\program files\nos\bin\getPlusUninst_Adobe.exe" /Get1noarp
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-system: DisableChangePassword = 1 (0x1)
mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)
mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {685ec120-f786-4498-a8f0-794d47916161} - {C733FB84-6DB3-4363-8AA7-678F9B5E828E} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - {78104A01-8E71-4F30-9A36-3793799615B4} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Trusted Zone: abbeyinternational.com
Trusted Zone: accenture.com
Trusted Zone: alpinemud.com
Trusted Zone: atbalance.com
Trusted Zone: atosorigin-asp.com
Trusted Zone: atosorigin-asp.com\*.slb
Trusted Zone: books24x7.com
Trusted Zone: boydsrental.com
Trusted Zone: citibank.com
Trusted Zone: coiltubingservices.com
Trusted Zone: deeptec.com.br
Trusted Zone: dell.com
Trusted Zone: drillmotors.com
Trusted Zone: dutchco.com
Trusted Zone: dyna-drill.com
Trusted Zone: dynadrill.com
Trusted Zone: ecutec.com
Trusted Zone: emhobbs.com
Trusted Zone: employcareers.com
Trusted Zone: enertech-ws.com
Trusted Zone: etrade.com
Trusted Zone: extremeeng.com
Trusted Zone: geodiamond.com
Trusted Zone: geoquest.com
Trusted Zone: geoservices.com
Trusted Zone: indigopool.com
Trusted Zone: innerlogix.com
Trusted Zone: intouchsupport.com
Trusted Zone: iwilson.com
Trusted Zone: microsoft.com
Trusted Zone: miswaco.com
Trusted Zone: miswaco.com\web
Trusted Zone: ml.com
Trusted Zone: mydexa.com
Trusted Zone: nexusgeo.com
Trusted Zone: omniseals.com
Trusted Zone: pathfinder-int.com
Trusted Zone: pathfinder-ltd.co.uk
Trusted Zone: pathfinderlwd.com
Trusted Zone: perfolog.com
Trusted Zone: petroal.ru
Trusted Zone: petroalliance.com
Trusted Zone: siismithservices.com
Trusted Zone: skillport.com
Trusted Zone: skillsoft.com
Trusted Zone: slb.com\*.aodc
Trusted Zone: smartforce.com
Trusted Zone: smith-innerarmor.com
Trusted Zone: smith-intl.com
Trusted Zone: smith.com
Trusted Zone: smith.com\smithlink
Trusted Zone: smithbits.com
Trusted Zone: smithborehole.com
Trusted Zone: smithdrilling.com
Trusted Zone: ssafara.net
Trusted Zone: standardchartered.com\webbank
Trusted Zone: sweco.com
Trusted Zone: thomastools.com
Trusted Zone: unitedwire.com
Trusted Zone: virtualbranches.com
Trusted Zone: weirhouston.com
Trusted Zone: westerngeco.com
Trusted Zone: whdrillingsolutions.com
Trusted Zone: whes.com
Trusted Zone: wilsonconfidential.com
Trusted Zone: wilsonconfidential.com\www
Trusted Zone: wilsononline.com
Trusted Zone: geoquest.com
Trusted Zone: intouchsupport.com
Trusted Zone: mydexa.com
Trusted Zone: slb.com
Trusted Zone: standardchartered.com\webbank
Trusted Zone: virtualbranches.com
Trusted Zone: westerngeco.com
DPF: {409C0FFE-1E5F-4195-A349-4C13306692DE} - hxxps://www.interact.slb.com/webdd/TimePlotNew.CAB
DPF: {4409A1D5-C9D3-4DC0-98FE-126B08435A9A} - hxxps://www.interact.slb.com/webdd/LgWrapper2.CAB
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {6F6FDB9E-5072-498C-BCB0-2B7F00C49EE7} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://sisevents.webex.com/client/T26L/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E399A0AF-72FA-4D8F-927F-28856D6B4E36} - hxxps://www.interact.slb.com/webdd/LgWrapper.CAB
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://gateway.slb.com/dana-cached/setup/JuniperSetupSP1.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://gateway.slb.com/dana-cached/sc/JuniperSetupClient.cab
Filter: application/msword - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Filter: application/vnd.ms-excel - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Filter: application/vnd.ms-powerpoint - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Filter: application/x-microsoft-rpmsg-message - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Handler: rmh - {23C585BB-48FF-4865-8934-185F0A7EB84C} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Notify: CMGShieldNP - CmgShieldNP.dll
Notify: slbScCertProp - c:\windows\system32\ScCertProp.dll
Notify: Timbuktu Pro - c:\program files\timbuktu pro\Hook32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - No File
mASetup: {EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5} - rundll32.exe advpack.dll,LaunchINFSectionEx c:\windows\inf\wmactedp.inf,PerUserStub,,4

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rathert\applic~1\mozilla\firefox\profiles\ypi99ins.default\
FF - plugin: c:\documents and settings\rathert\application data\mozilla\firefox\profiles\ypi99ins.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
FF - plugin: c:\windows\system32\c2mp\npdivx32.dll
FF - plugin: d:\program files\google\picasa3\npPicasa2.dll
FF - plugin: d:\program files\google\picasa3\npPicasa3.dll
FF - plugin: d:\program files\itunes\mozilla plugins\npitunes.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Tab Mix Plus: {dc572301-7619-498c-a57d-39143191b318} - %profile%\extensions\{dc572301-7619-498c-a57d-39143191b318}
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

============= SERVICES / DRIVERS ===============

R? CmgShieldNP;CmgShieldNP
R? EL3C589;3Com Megahertz LAN PC Card Driver
R? ETDSVC;Entrust/TrueDelete™
R? GKUPRO2D;GKUPRO2D
R? gupdate;Google Update Service (gupdate)
R? HTCAND32;HTC Device Driver
R? lxeaCATSCustConnectService;lxeaCATSCustConnectService
R? mferkdet;McAfee Inc. mferkdet
R? motccgp;Motorola USB Composite Device Driver
R? motccgpfl;MotCcgpFlService
R? motport;Motorola USB Diagnostic Port
R? nosGetPlusHelper;getPlus® Helper 3004
R? OracleOraHome817Agent;OracleOraHome817Agent
R? OracleOraHome817ClientCache;OracleOraHome817ClientCache
R? OracleOraHome817DataGatherer;OracleOraHome817DataGatherer
R? OracleOraHome817HTTPServer;OracleOraHome817HTTPServer
R? OracleOraHome817PagingServer;OracleOraHome817PagingServer
R? OracleOraHome817TNSListener;OracleOraHome817TNSListener
R? OracleServicegfpc8;OracleServicegfpc8
R? pnetmdm;PdaNet Modem
R? R72_NT4;R72_NT4
R? R72V2NT4;R72V2NT4
S? CMGShield;CMG Shield
S? CmgShieldCEF;CmgShieldCEF
S? Egatebus;Egatebus
S? Egaterdr;Egaterdr
S? EMS;EMS
S? ETFSDNT;Entrust File System Hook
S? fanio;FanIO driver
S? lxea_device;lxea_device
S? McAfeeEngineService;McAfee Engine Service
S? McAfeeFramework;McAfee Framework Service
S? McShield;McAfee McShield
S? McTaskManager;McAfee Task Manager
S? mfeavfk;McAfee Inc. mfeavfk
S? mfebopk;McAfee Inc. mfebopk
S? mfehidk;McAfee Inc. mfehidk
S? mfevtp;McAfee Validation Trust Protection Service
S? MSSQL$DRILLING;SQL Server (DRILLING)
S? Radexecd;HP OVCM Notify Daemon
S? Radsched;HP OVCM Scheduler Daemon
S? Radstgms;HP OVCM MSI Redirector
S? Tb2Device;TB2 Remote Control Driver
S? Tb2MirrorSys;TB2 Remote Control Mirror Driver

=============== Created Last 30 ================

2011-02-25 10:57:27 32576 ----a-w- c:\program files\mozilla firefox\plugins\np_gp.dll
2011-02-25 10:55:31 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-25 10:55:31 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-25 10:55:31 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-02-24 18:41:41 -------- d-----w- c:\program files\ESET
2011-02-23 20:43:54 156160 ----a-w- c:\windows\system32\WS_ContextMenu.dll
2011-02-23 17:20:08 -------- d-----w- c:\docume~1\alluse~1\applic~1\xml_param
2011-02-22 12:34:49 439296 -c----w- c:\windows\system32\dllcache\shimgvw.dll
2011-02-22 12:34:49 301568 -c----w- c:\windows\system32\dllcache\kerberos.dll
2011-02-18 15:31:40 -------- d-----w- c:\docume~1\rathert\applic~1\AnvSoft
2011-01-31 14:34:59 -------- d-----w- c:\program files\Panda Security
2011-01-30 20:14:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-30 20:13:57 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-30 15:45:12 135568 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-01-30 15:45:12 135568 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll

==================== Find3M ====================

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:08:45 832512 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:08:45 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-12-20 23:08:45 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 23:08:45 17408 ----a-w- c:\windows\system32\corpol.dll
2010-12-20 12:55:25 389120 ----a-w- c:\windows\system32\html.iec
2010-12-02 03:35:18 4280320 ----a-w- c:\windows\system32\GPhotos.scr
2010-11-30 02:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-30 02:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600

CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8B42C439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8b4327b8]; MOV EAX, [0x8b432834]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8B46DAB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8B17E678]
\Driver\atapi[0x8B4437B8] -> IRP_MJ_CREATE -> 0x8B42C439
kernel: MBR read successfully
_asm { NOP ; XOR AX, AX; NOP ; MOV DS, AX; MOV ES, AX; NOP ; MOV SS, AX; MOV SP, 0x7c00; MOV SI, 0x7c00; NOP ; MOV DI, 0x600; NOP ; MOV CX, 0x80; NOP ; CLD ; REP MOVSD ; NOP ; JMP FAR 0x0:0x626; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8B42C27F
user != kernel MBR !!!
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 4:40:41.56 ===============



I have also attached a new Attach.txt zipped up for your viewing.

New GMER (could not put it in last post as it was too long)

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-02-25 07:19:38
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: d:\NOTENC~1\uxliipow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\NetopiaRC\Tb2Device.sys ZwEnumerateValueKey [0xBA4011F4]
SSDT \SystemRoot\NetopiaRC\Tb2Device.sys ZwQueryValueKey [0xBA401223]
SSDT \SystemRoot\NetopiaRC\Tb2Device.sys ZwSetValueKey [0xBA401252]

INT 0x01 \??\d:\NOTENC~1\mbr.sys BA491C42

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateFile [0xB9D347BE]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9D34676]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0xB9D34610]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB9D34624]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9D3468A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9D346B6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB9D3472A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwLoadKey2 [0xB9D34740]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9D347FE]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB9D3476C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9D34662]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9D345D4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9D345E8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB9D347D2]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryKey [0xB9D347A8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB9D346FC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9D346A0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwReplaceKey [0xB9D34794]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRestoreKey [0xB9D34780]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0xB9D3464E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB9D3463A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9D3482D]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnloadKey [0xB9D34756]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9D34814]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9D347E8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtCreateFile
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP B9D347EC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP B9D347C2 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP B9D34802 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 1 Byte [E9]
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP B9D34818 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP B9D347D6 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB408 5 Bytes JMP B9D345D8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB694 5 Bytes JMP B9D345EC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE52 5 Bytes JMP B9D3463E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1142 7 Bytes JMP B9D34628 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11F8 5 Bytes JMP B9D34614 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1702 5 Bytes JMP B9D34652 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AA 5 Bytes JMP B9D34831 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80622060 7 Bytes JMP B9D3475A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 806228FE 7 Bytes JMP B9D34700 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231D2 7 Bytes JMP B9D346A4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806237B0 5 Bytes JMP B9D3467A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C40 7 Bytes JMP B9D3468E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E10 7 Bytes JMP B9D346BA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF0 7 Bytes JMP B9D3472E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624B82 5 Bytes JMP B9D34666 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80624EA8 7 Bytes JMP B9D347AC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 80625168 5 Bytes JMP B9D34784 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwLoadKey2 806255B8 7 Bytes JMP B9D34744 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8062585C 5 Bytes JMP B9D34798 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80625976 5 Bytes JMP B9D34770 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB7C6B360, 0x30A247, 0xE8000020]
init C:\WINDOWS\system32\drivers\egatebus.sys entry point in "init" section [0xB9CABC12]
init C:\WINDOWS\NetopiaRC\Tb2Device.sys entry point in "init" section [0xBA402000]
? d:\NOTENC~1\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[240] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02E10000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[240] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02E10F5C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[240] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02E10F81
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[240] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02E10F9E
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[240] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02E10FAF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[240] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02E10040
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[240] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02E10F13
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[240] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02E10F2E
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[240] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02E10EE4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[240] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02E10087
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[240] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 02E10098
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[240] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 02E1005B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[240] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 02E1001B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[240] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 02E10F4B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[240] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 02E10FD4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[240] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 02E10FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[240] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 02E10076
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[240] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02E00014
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[240] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02E00F97
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[240] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02E00FC3
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[240] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02E00FD4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[240] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02E00054
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[240] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02E00FE5
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[240] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02E00039
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[240] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02E00FA8
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[240] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02DF0053
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[240] msvcrt.dll!system 77C293C7 5 Bytes JMP 02DF0038
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[240] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02DF000C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[240] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02DF0FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[240] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02DF0027
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[240] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02DF0FDE
.text C:\WINDOWS\system32\svchost.exe[1516] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FB0069
.text C:\WINDOWS\system32\svchost.exe[1516] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FB0FDE
.text C:\WINDOWS\system32\svchost.exe[1516] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FB0FEF
.text C:\WINDOWS\system32\svchost.exe[1516] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FB0000
.text C:\WINDOWS\system32\svchost.exe[1516] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FB004E
.text C:\WINDOWS\system32\svchost.exe[1516] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FB001D
.text C:\WINDOWS\system32\svchost.exe[1516] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00F90FEF
.text C:\WINDOWS\system32\svchost.exe[1516] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00F90014
.text C:\WINDOWS\system32\svchost.exe[1516] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00F90FDE
.text C:\WINDOWS\system32\svchost.exe[1516] WININET.dll!InternetOpenUrlW 3D998471 5 Bytes JMP 00F90FCD
.text C:\WINDOWS\system32\svchost.exe[1516] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FA0FEF
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FF007D
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FF006C
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FF0F88
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FF0FA5
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FF0FC0
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FF0F6D
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FF00A9
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FF00D0
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FF0F37
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00FF0F26
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00FF0047
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00FF0011
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00FF0098
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00FF0FDB
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00FF002C
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00FF0F5C
.text C:\WINDOWS\system32\svchost.exe[1932] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FE0FB9
.text C:\WINDOWS\system32\svchost.exe[1932] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FE002F
.text C:\WINDOWS\system32\svchost.exe[1932] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\svchost.exe[1932] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FE0FCA
.text C:\WINDOWS\system32\svchost.exe[1932] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FE0F72
.text C:\WINDOWS\system32\svchost.exe[1932] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FE0FE5
.text C:\WINDOWS\system32\svchost.exe[1932] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00FE0F8D
.text C:\WINDOWS\system32\svchost.exe[1932] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [1E, 89]
.text C:\WINDOWS\system32\svchost.exe[1932] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FE0F9E
.text C:\WINDOWS\system32\svchost.exe[1932] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FD0F81
.text C:\WINDOWS\system32\svchost.exe[1932] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FD0F92
.text C:\WINDOWS\system32\svchost.exe[1932] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FD0FC1
.text C:\WINDOWS\system32\svchost.exe[1932] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FD0FEF
.text C:\WINDOWS\system32\svchost.exe[1932] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FD000C
.text C:\WINDOWS\system32\svchost.exe[1932] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FD0FD2
.text C:\WINDOWS\system32\svchost.exe[1932] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00F60000
.text C:\WINDOWS\system32\svchost.exe[1932] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00F60FE5
.text C:\WINDOWS\system32\svchost.exe[1932] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00F60FCA
.text C:\WINDOWS\system32\svchost.exe[1932] WININET.dll!InternetOpenUrlW 3D998471 5 Bytes JMP 00F60FAF
.text C:\WINDOWS\system32\svchost.exe[1932] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F80000
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D70FEF
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D70F72
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D7005D
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D70F83
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D70040
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D70FAF
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D70F46
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D7008E
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D70F06
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D700A9
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00D70EF5
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00D70F94
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00D70FD4
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00D70F57
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00D7001B
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00D7000A
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00D70F35
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D2001B
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D20F72
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D20FCA
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D2000A
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D20F83
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D20FEF
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D20F9E
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F2, 88]
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D20FB9
.text C:\WINDOWS\system32\svchost.exe[2012] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D10FB7
.text C:\WINDOWS\system32\svchost.exe[2012] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D10FC8
.text C:\WINDOWS\system32\svchost.exe[2012] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D1001D
.text C:\WINDOWS\system32\svchost.exe[2012] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D10FEF
.text C:\WINDOWS\system32\svchost.exe[2012] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D1002E
.text C:\WINDOWS\system32\svchost.exe[2012] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D1000C
.text C:\WINDOWS\system32\svchost.exe[2012] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00CF0000
.text C:\WINDOWS\system32\svchost.exe[2012] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00CF001B
.text C:\WINDOWS\system32\svchost.exe[2012] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00CF002C
.text C:\WINDOWS\system32\svchost.exe[2012] WININET.dll!InternetOpenUrlW 3D998471 5 Bytes JMP 00CF0FE5
.text C:\WINDOWS\system32\svchost.exe[2012] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D00FE5
.text C:\Program Files\Microsoft Office Communicator\communicator.exe[2024] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 330BD62A C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2624] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0094000A
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2624] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0095000A
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2624] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0093000C
.text C:\WINDOWS\system32\svchost.exe[2988] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D50000
.text C:\WINDOWS\system32\svchost.exe[2988] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D5008C
.text C:\WINDOWS\system32\svchost.exe[2988] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D50F97
.text C:\WINDOWS\system32\svchost.exe[2988] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D50FA8
.text C:\WINDOWS\system32\svchost.exe[2988] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D50FB9
.text C:\WINDOWS\system32\svchost.exe[2988] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D5005B
.text C:\WINDOWS\system32\svchost.exe[2988] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D500A7
.text C:\WINDOWS\system32\svchost.exe[2988] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D50F5F
.text C:\WINDOWS\system32\svchost.exe[2988] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D50F29
.text C:\WINDOWS\system32\svchost.exe[2988] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D500C2
.text C:\WINDOWS\system32\svchost.exe[2988] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00D500DD
.text C:\WINDOWS\system32\svchost.exe[2988] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00D50FD4
.text C:\WINDOWS\system32\svchost.exe[2988] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00D50FEF
.text C:\WINDOWS\system32\svchost.exe[2988] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00D50F7C
.text C:\WINDOWS\system32\svchost.exe[2988] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00D50036
.text C:\WINDOWS\system32\svchost.exe[2988] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00D50025
.text C:\WINDOWS\system32\svchost.exe[2988] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00D50F44
.text C:\WINDOWS\system32\svchost.exe[2988] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D40FB9
.text C:\WINDOWS\system32\svchost.exe[2988] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D40F97
.text C:\WINDOWS\system32\svchost.exe[2988] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D40014
.text C:\WINDOWS\system32\svchost.exe[2988] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D40FD4
.text C:\WINDOWS\system32\svchost.exe[2988] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D40054
.text C:\WINDOWS\system32\svchost.exe[2988] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D40FEF
.text C:\WINDOWS\system32\svchost.exe[2988] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D40FA8
.text C:\WINDOWS\system32\svchost.exe[2988] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F4, 88]
.text C:\WINDOWS\system32\svchost.exe[2988] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D4002F
.text C:\WINDOWS\system32\svchost.exe[2988] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D3003A
.text C:\WINDOWS\system32\svchost.exe[2988] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D30FB9
.text C:\WINDOWS\system32\svchost.exe[2988] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D30FE5
.text C:\WINDOWS\system32\svchost.exe[2988] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D3000C
.text C:\WINDOWS\system32\svchost.exe[2988] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D30FD4
.text C:\WINDOWS\system32\svchost.exe[2988] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D30029
.text C:\WINDOWS\system32\svchost.exe[2988] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00D20FEF
.text C:\WINDOWS\system32\svchost.exe[2988] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00D20000
.text C:\WINDOWS\system32\svchost.exe[2988] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00D20FD4
.text C:\WINDOWS\system32\svchost.exe[2988] WININET.dll!InternetOpenUrlW 3D998471 5 Bytes JMP 00D20FC3
.text C:\WINDOWS\system32\wuauclt.exe[3080] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001E0000
.text C:\WINDOWS\system32\wuauclt.exe[3080] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001E0F63
.text C:\WINDOWS\system32\wuauclt.exe[3080] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001E0058
.text C:\WINDOWS\system32\wuauclt.exe[3080] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001E0F8A
.text C:\WINDOWS\system32\wuauclt.exe[3080] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001E0047
.text C:\WINDOWS\system32\wuauclt.exe[3080] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001E002C
.text C:\WINDOWS\system32\wuauclt.exe[3080] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001E0F1A
.text C:\WINDOWS\system32\wuauclt.exe[3080] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001E0F2B
.text C:\WINDOWS\system32\wuauclt.exe[3080] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001E007D
.text C:\WINDOWS\system32\wuauclt.exe[3080] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001E0EE4
.text C:\WINDOWS\system32\wuauclt.exe[3080] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001E008E
.text C:\WINDOWS\system32\wuauclt.exe[3080] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001E0FA5
.text C:\WINDOWS\system32\wuauclt.exe[3080] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001E0FE5
.text C:\WINDOWS\system32\wuauclt.exe[3080] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001E0F52
.text C:\WINDOWS\system32\wuauclt.exe[3080] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001E001B
.text C:\WINDOWS\system32\wuauclt.exe[3080] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001E0FD4
.text C:\WINDOWS\system32\wuauclt.exe[3080] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001E0EFF
.text C:\WINDOWS\system32\wuauclt.exe[3080] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002D0067
.text C:\WINDOWS\system32\wuauclt.exe[3080] msvcrt.dll!system 77C293C7 5 Bytes JMP 002D004C
.text C:\WINDOWS\system32\wuauclt.exe[3080] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002D0016
.text C:\WINDOWS\system32\wuauclt.exe[3080] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002D0FEF
.text C:\WINDOWS\system32\wuauclt.exe[3080] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002D0027
.text C:\WINDOWS\system32\wuauclt.exe[3080] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002D0FD2
.text C:\WINDOWS\system32\wuauclt.exe[3080] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002E0FD1
.text C:\WINDOWS\system32\wuauclt.exe[3080] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002E0062
.text C:\WINDOWS\system32\wuauclt.exe[3080] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002E0022
.text C:\WINDOWS\system32\wuauclt.exe[3080] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002E0011
.text C:\WINDOWS\system32\wuauclt.exe[3080] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002E0047
.text C:\WINDOWS\system32\wuauclt.exe[3080] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002E0000
.text C:\WINDOWS\system32\wuauclt.exe[3080] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002E0FA5
.text C:\WINDOWS\system32\wuauclt.exe[3080] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4E, 88]
.text C:\WINDOWS\system32\wuauclt.exe[3080] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002E0FC0
.text C:\WINDOWS\system32\wuauclt.exe[3080] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00680000
.text C:\WINDOWS\system32\wuauclt.exe[3080] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00680FE5
.text C:\WINDOWS\system32\wuauclt.exe[3080] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00680FCA
.text C:\WINDOWS\system32\wuauclt.exe[3080] WININET.dll!InternetOpenUrlW 3D998471 5 Bytes JMP 00680FAF
.text C:\WINDOWS\system32\wuauclt.exe[3080] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00940000
.text C:\WINDOWS\system32\wuauclt.exe[3808] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001E0FEF
.text C:\WINDOWS\system32\wuauclt.exe[3808] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001E0F81
.text C:\WINDOWS\system32\wuauclt.exe[3808] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001E0F92
.text C:\WINDOWS\system32\wuauclt.exe[3808] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001E006C
.text C:\WINDOWS\system32\wuauclt.exe[3808] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001E0FAF
.text C:\WINDOWS\system32\wuauclt.exe[3808] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001E0040
.text C:\WINDOWS\system32\wuauclt.exe[3808] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001E0F3F
.text C:\WINDOWS\system32\wuauclt.exe[3808] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001E0091
.text C:\WINDOWS\system32\wuauclt.exe[3808] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001E00CE
.text C:\WINDOWS\system32\wuauclt.exe[3808] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001E00BD
.text C:\WINDOWS\system32\wuauclt.exe[3808] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001E0F1A
.text C:\WINDOWS\system32\wuauclt.exe[3808] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001E0051
.text C:\WINDOWS\system32\wuauclt.exe[3808] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001E000A
.text C:\WINDOWS\system32\wuauclt.exe[3808] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001E0F66
.text C:\WINDOWS\system32\wuauclt.exe[3808] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001E0FD4
.text C:\WINDOWS\system32\wuauclt.exe[3808] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001E001B
.text C:\WINDOWS\system32\wuauclt.exe[3808] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001E00A2
.text C:\WINDOWS\system32\wuauclt.exe[3808] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002D0FC3
.text C:\WINDOWS\system32\wuauclt.exe[3808] msvcrt.dll!system 77C293C7 5 Bytes JMP 002D004E
.text C:\WINDOWS\system32\wuauclt.exe[3808] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002D0018
.text C:\WINDOWS\system32\wuauclt.exe[3808] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002D0FEF
.text C:\WINDOWS\system32\wuauclt.exe[3808] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002D0033
.text C:\WINDOWS\system32\wuauclt.exe[3808] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002D0FDE
.text C:\WINDOWS\system32\wuauclt.exe[3808] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002E0FB2
.text C:\WINDOWS\system32\wuauclt.exe[3808] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002E0043
.text C:\WINDOWS\system32\wuauclt.exe[3808] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002E0FCD
.text C:\WINDOWS\system32\wuauclt.exe[3808] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002E0FDE
.text C:\WINDOWS\system32\wuauclt.exe[3808] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002E0F90
.text C:\WINDOWS\system32\wuauclt.exe[3808] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002E0FEF
.text C:\WINDOWS\system32\wuauclt.exe[3808] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002E0032
.text C:\WINDOWS\system32\wuauclt.exe[3808] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002E0FA1
.text C:\WINDOWS\system32\wuauclt.exe[3808] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00680FEF
.text C:\WINDOWS\system32\wuauclt.exe[3808] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 0068000A
.text C:\WINDOWS\system32\wuauclt.exe[3808] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 0068001B
.text C:\WINDOWS\system32\wuauclt.exe[3808] WININET.dll!InternetOpenUrlW 3D998471 5 Bytes JMP 0068002C
.text C:\WINDOWS\system32\wuauclt.exe[3808] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00940000
.text C:\WINDOWS\system32\wuauclt.exe[3836] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F90FEF
.text C:\WINDOWS\system32\wuauclt.exe[3836] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F90087
.text C:\WINDOWS\system32\wuauclt.exe[3836] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F90F88
.text C:\WINDOWS\system32\wuauclt.exe[3836] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F90062
.text C:\WINDOWS\system32\wuauclt.exe[3836] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F90051
.text C:\WINDOWS\system32\wuauclt.exe[3836] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F90040
.text C:\WINDOWS\system32\wuauclt.exe[3836] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F900BA
.text C:\WINDOWS\system32\wuauclt.exe[3836] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F900A9
.text C:\WINDOWS\system32\wuauclt.exe[3836] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F900E6
.text C:\WINDOWS\system32\wuauclt.exe[3836] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F900CB
.text C:\WINDOWS\system32\wuauclt.exe[3836] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00F90F28
.text C:\WINDOWS\system32\wuauclt.exe[3836] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00F90FB9
.text C:\WINDOWS\system32\wuauclt.exe[3836] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00F9000A
.text C:\WINDOWS\system32\wuauclt.exe[3836] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00F90098
.text C:\WINDOWS\system32\wuauclt.exe[3836] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00F90FD4
.text C:\WINDOWS\system32\wuauclt.exe[3836] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00F90025
.text C:\WINDOWS\system32\wuauclt.exe[3836] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00F90F57
.text C:\WINDOWS\system32\wuauclt.exe[3836] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F70F9F
.text C:\WINDOWS\system32\wuauclt.exe[3836] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F70FB0
.text C:\WINDOWS\system32\wuauclt.exe[3836] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F70016
.text C:\WINDOWS\system32\wuauclt.exe[3836] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F70FEF
.text C:\WINDOWS\system32\wuauclt.exe[3836] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F70FC1
.text C:\WINDOWS\system32\wuauclt.exe[3836] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F70FD2
.text C:\WINDOWS\system32\wuauclt.exe[3836] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F80FC3
.text C:\WINDOWS\system32\wuauclt.exe[3836] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F8005E
.text C:\WINDOWS\system32\wuauclt.exe[3836] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F80FD4
.text C:\WINDOWS\system32\wuauclt.exe[3836] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F80FE5
.text C:\WINDOWS\system32\wuauclt.exe[3836] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F80F97
.text C:\WINDOWS\system32\wuauclt.exe[3836] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F80000
.text C:\WINDOWS\system32\wuauclt.exe[3836] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F80FA8
.text C:\WINDOWS\system32\wuauclt.exe[3836] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [18, 89]
.text C:\WINDOWS\system32\wuauclt.exe[3836] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F80025
.text C:\WINDOWS\system32\wuauclt.exe[3836] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00F50FE5
.text C:\WINDOWS\system32\wuauclt.exe[3836] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00F50FD4
.text C:\WINDOWS\system32\wuauclt.exe[3836] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00F50000
.text C:\WINDOWS\system32\wuauclt.exe[3836] WININET.dll!InternetOpenUrlW 3D998471 5 Bytes JMP 00F50FAF
.text C:\WINDOWS\system32\wuauclt.exe[3836] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F60FEF
.text C:\WINDOWS\Explorer.EXE[4772] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001D0FEF
.text C:\WINDOWS\Explorer.EXE[4772] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001D0095
.text C:\WINDOWS\Explorer.EXE[4772] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001D0070
.text C:\WINDOWS\Explorer.EXE[4772] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001D005F
.text C:\WINDOWS\Explorer.EXE[4772] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001D004E
.text C:\WINDOWS\Explorer.EXE[4772] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001D0FB6
.text C:\WINDOWS\Explorer.EXE[4772] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001D00D7
.text C:\WINDOWS\Explorer.EXE[4772] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001D00BC
.text C:\WINDOWS\Explorer.EXE[4772] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001D0114
.text C:\WINDOWS\Explorer.EXE[4772] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001D0103
.text C:\WINDOWS\Explorer.EXE[4772] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001D0F60
.text C:\WINDOWS\Explorer.EXE[4772] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001D003D
.text C:\WINDOWS\Explorer.EXE[4772] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001D0000
.text C:\WINDOWS\Explorer.EXE[4772] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001D0F85
.text C:\WINDOWS\Explorer.EXE[4772] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001D0022
.text C:\WINDOWS\Explorer.EXE[4772] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001D0011
.text C:\WINDOWS\Explorer.EXE[4772] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001D00E8
.text C:\WINDOWS\Explorer.EXE[4772] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002C0FDB
.text C:\WINDOWS\Explorer.EXE[4772] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002C0091
.text C:\WINDOWS\Explorer.EXE[4772] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002C0022
.text C:\WINDOWS\Explorer.EXE[4772] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002C0011
.text C:\WINDOWS\Explorer.EXE[4772] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002C0076
.text C:\WINDOWS\Explorer.EXE[4772] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002C0000
.text C:\WINDOWS\Explorer.EXE[4772] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002C0FCA
.text C:\WINDOWS\Explorer.EXE[4772] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4C, 88]
.text C:\WINDOWS\Explorer.EXE[4772] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002C0051
.text C:\WINDOWS\Explorer.EXE[4772] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002D0025
.text C:\WINDOWS\Explorer.EXE[4772] msvcrt.dll!system 77C293C7 5 Bytes JMP 002D0F9A
.text C:\WINDOWS\Explorer.EXE[4772] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002D0FB5
.text C:\WINDOWS\Explorer.EXE[4772] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002D0FE3
.text C:\WINDOWS\Explorer.EXE[4772] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002D0014
.text C:\WINDOWS\Explorer.EXE[4772] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002D0FD2
.text C:\WINDOWS\Explorer.EXE[4772] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 002F000A
.text C:\WINDOWS\Explorer.EXE[4772] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 002F0FE5
.text C:\WINDOWS\Explorer.EXE[4772] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 002F0FCA
.text C:\WINDOWS\Explorer.EXE[4772] WININET.dll!InternetOpenUrlW 3D998471 5 Bytes JMP 002F0FB9
.text C:\WINDOWS\System32\svchost.exe[5536] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001D000A
.text C:\WINDOWS\System32\svchost.exe[5536] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001D006A
.text C:\WINDOWS\System32\svchost.exe[5536] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001D0F6B
.text C:\WINDOWS\System32\svchost.exe[5536] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001D0F7C
.text C:\WINDOWS\System32\svchost.exe[5536] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001D0F97
.text C:\WINDOWS\System32\svchost.exe[5536] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001D0FA8
.text C:\WINDOWS\System32\svchost.exe[5536] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001D00B3
.text C:\WINDOWS\System32\svchost.exe[5536] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001D00A2
.text C:\WINDOWS\System32\svchost.exe[5536] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001D0F35
.text C:\WINDOWS\System32\svchost.exe[5536] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001D0F50
.text C:\WINDOWS\System32\svchost.exe[5536] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001D00E9
.text C:\WINDOWS\System32\svchost.exe[5536] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001D002F
.text C:\WINDOWS\System32\svchost.exe[5536] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001D0FEF
.text C:\WINDOWS\System32\svchost.exe[5536] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001D007B
.text C:\WINDOWS\System32\svchost.exe[5536] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001D0FC3
.text C:\WINDOWS\System32\svchost.exe[5536] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001D0FDE
.text C:\WINDOWS\System32\svchost.exe[5536] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001D00CE
.text C:\WINDOWS\System32\svchost.exe[5536] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002C001B
.text C:\WINDOWS\System32\svchost.exe[5536] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002C0F83
.text C:\WINDOWS\System32\svchost.exe[5536] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002C0FC0
.text C:\WINDOWS\System32\svchost.exe[5536] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002C0000
.text C:\WINDOWS\System32\svchost.exe[5536] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002C0F94
.text C:\WINDOWS\System32\svchost.exe[5536] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002C0FEF
.text C:\WINDOWS\System32\svchost.exe[5536] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002C0036
.text C:\WINDOWS\System32\svchost.exe[5536] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002C0FAF
.text C:\WINDOWS\System32\svchost.exe[5536] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0041006B
.text C:\WINDOWS\System32\svchost.exe[5536] msvcrt.dll!system 77C293C7 5 Bytes JMP 00410050
.text C:\WINDOWS\System32\svchost.exe[5536] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0041002E
.text C:\WINDOWS\System32\svchost.exe[5536] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00410000
.text C:\WINDOWS\System32\svchost.exe[5536] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0041003F
.text C:\WINDOWS\System32\svchost.exe[5536] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0041001D
.text C:\WINDOWS\System32\svchost.exe[5536] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00690FEF
.text C:\WINDOWS\System32\svchost.exe[5536] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00690014
.text C:\WINDOWS\System32\svchost.exe[5536] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00690025
.text C:\WINDOWS\System32\svchost.exe[5536] WININET.dll!InternetOpenUrlW 3D998471 5 Bytes JMP 00690040
.text C:\Program Files\Mozilla Firefox\firefox.exe[6000] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 015A000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[6000] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 015B000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[6000] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0159000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs CMGShCEF.sys (CMG Shield for Windows Driver/CREDANT Technologies, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8B42C27F
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 8B42C27F
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8B42C27F

AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Device\Ide\IdeDeviceP1T0L0-e -> \??\IDE#DiskHitachi_HTS722016K9A300_________________DCDOCA1H#38303730333050444430303856444d475a364347#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Files - GMER 1.0.15 ----

File C:\RECYCLER\S-1-5-21-682003330-1035525444-1801674531-21960\CredDB.CEF 888 bytes
File C:\System Volume Information\_restore{55C11BCB-2FE8-498F-93E5-6905A96DE146}\RP684\CredDB.CEF 1184 bytes
File C:\Documents and Settings\All Users\Documents\My Music\Sample Music\CredDB.CEF 626 bytes
File C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\3618A\CredDB.CEF 3688 bytes
File C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\CredDB.CEF 1480 bytes
File C:\Documents and Settings\rathert\Application Data\Microsoft\Outlook\CredDB.CEF 3256 bytes
File C:\Documents and Settings\rathert\Desktop\CredDB.CEF 5836 bytes
File C:\Documents and Settings\rathert\Desktop\Gtab Files\CredDB.CEF 888 bytes
File C:\Documents and Settings\rathert\Local Settings\Application Data\Identities\{AEB7F6BD-701B-4FBF-9713-77E68F9A124A}\Microsoft\Outlook Express\CredDB.CEF 3552 bytes
File C:\Documents and Settings\rathert\Local Settings\Application Data\Microsoft\Communicator\CredDB.CEF 888 bytes
File C:\Documents and Settings\rathert\Local Settings\Application Data\Microsoft\Outlook\OAB\CredDB.CEF 1776 bytes
File C:\Documents and Settings\rathert\Local Settings\Application Data\Microsoft\Outlook\CredDB.CEF 4146 bytes
File C:\Documents and Settings\rathert\Local Settings\Temporary Internet Files\Content.IE5\3YW7V4QN\CredDB.CEF 32642 bytes
File C:\Documents and Settings\rathert\Local Settings\Temporary Internet Files\Content.IE5\CredDB.CEF 296 bytes
File C:\Documents and Settings\rathert\Local Settings\Temporary Internet Files\Content.IE5\DBENXN2Z\CredDB.CEF 32612 bytes
File C:\Documents and Settings\rathert\Local Settings\Temporary Internet Files\Content.IE5\UVRE51YK\CredDB.CEF 32352 bytes
File C:\Documents and Settings\rathert\Local Settings\Temporary Internet Files\Content.IE5\XHKBX0FF\CredDB.CEF 32022 bytes

---- EOF - GMER 1.0.15 ----

#3 JR2_Alaska

JR2_Alaska
  • Topic Starter

  • Members
  • 24 posts

Posted 25 February 2011 - 12:56 PM

Did some more work and found FixTDSS.exe at symantec.com and it fixed the redirects. I am sure I still have other problems but I will wait to post new logs until someone is actually helping me. No reason to keep bumping my post to the top when I am in line for help.

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 27 February 2011 - 12:02 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.


We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.


In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK

Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop: Link1, Link2, Link3
  • Please disable any anti-malware program that will block scripts from running before running DDS.
  • Double-Click on dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear: DDS.txt and Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

Just click on Cancel, then Accept.


Information and logs:

In your next post I need the following:

  • logs from DDS
  • log from RKUnHooker
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 JR2_Alaska

JR2_Alaska
  • Topic Starter

  • Members
  • 24 posts

Posted 27 February 2011 - 12:17 AM

I cannot get DeFogger to run on my machine. I have admin access but it will not work. Should I just go ahead and run the scans or ??

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 27 February 2011 - 12:26 AM

Yes, just go to the next step.


gringo

#7 JR2_Alaska

JR2_Alaska
  • Topic Starter

  • Members
  • 24 posts

Posted 27 February 2011 - 12:26 AM

Never mind, I got it to work. It's funny that I was able to reset my administrator account password from my current account, which I could not run DeFogger on... Logs to follow as soon as I can get them done.

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 27 February 2011 - 12:36 AM

:thumbup2:

#9 JR2_Alaska

JR2_Alaska
  • Topic Starter

  • Members
  • 24 posts

Posted 27 February 2011 - 12:42 AM

Attach.txt:
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 1/14/2008 6:47:47 PM
System Uptime: 2/26/2011 12:39:26 PM (8 hours ago)

Motherboard: Dell Inc. | |
Processor: Intel® Core™2 Duo CPU T7500 @ 2.20GHz | Microprocessor | 2194/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 30 GiB total, 7.95 GiB free.
D: is FIXED (NTFS) - 119 GiB total, 31.751 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================


2007 Microsoft Office Suite Service Pack 2 (SP2)
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 7.0
Adobe Reader X (10.0.1)
Adobe Shockwave Player
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Audacity 1.2.6
AviSynth 2.5
BigFix Enterprise Client
Bluetooth Stack for Windows by Toshiba
Bonjour
Broadcom Gigabit Integrated Controller
BSB Reader
CCleaner
CMG Windows Shield
Compatibility Pack for the 2007 Office system
Conexant HDA D330 MDC V.92 Modem
Dell Driver Download Manager
Dell Touchpad
Dell Wireless WLAN Card
DOX 2.0
DOXConvertor
DVD Decrypter (Remove Only)
DVD Shrink 3.2
Entrust Desktop Solutions
ESET Online Scanner v3
Eudora (8.0b6)
FileZilla Client 3.1.5
Garmin MapSource
GDR 3080 for SQL Server Database Services 2005 ENU (KB970895)
GDR 3080 for SQL Server Tools and Workstation Components 2005 ENU (KB970895)
Google Earth
Google Talk (remove only)
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB954550-v5)
HP Client Automation Application Manager Agent
HPCarePackCore
HPCarePackProducts
HTC Driver Installer
HTC Sync
i-Handbook
I8kfanGUI V3.1
Image Resizer Powertoy for Windows XP
iTunes
Jalbum
Jalbum 8.0
Java Auto Updater
Java™ 6 Update 24
kPod
Lexmark S300-S400 Series
LiveUpdate 3.2 (Symantec Corporation)
Malwarebytes' Anti-Malware
MapSource
McAfee Agent
McAfee AntiSpyware Enterprise Module
McAfee VirusScan Enterprise
Media Player Codec Pack 3.4.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Conferencing Add-in for Microsoft Office Outlook
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Managed DirectX (1126)
Microsoft Office Access 2003 Runtime
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Communicator 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Meeting 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (DRILLING)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 Redistributable
Microsoft XML Parser
Microsoft XML Parser and SDK
Mozilla Firefox (3.0.8)
Mozilla Firefox (3.6.13)
MrvlUsgTracking
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
MWSnap 3
Norton Ghost
NVIDIA Drivers
PDFCreator
PDSView 3.2
Picasa 3
Post-it® Software Notes Lite
PowerDVD
QuickTime
Radia Software Manager Subscriber
Rights Management Add-on for Internet Explorer
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Schlumberger DeXa.Badge SCUK 4.4.4.1 Commercial
Schlumberger Licensing
Schlumberger PC Security
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2289158)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office Outlook 2007 (KB2288953)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB2416400)
Security Update for Windows Internet Explorer 7 (KB2482017)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Segoe UI
SigmaTel Audio
SLB Classification
Sonic Activation Module
Timbuktu Pro
Time Zone Data Update Tool for Microsoft Office Outlook
Update for Windows Internet Explorer 7 (KB980182)
Visual FoxPro ODBC Driver
VLC media player 1.1.4
WebEx
WebEx Meeting Manager for Firefox/Netscape/Chrome
WebFldrs XP
Winamp
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Enterprise Deployment
Windows Presentation Foundation
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
Windows XP Service Pack 3
WinZip 14.5
WinZip Command Line Support Add-On 2.0
Wondershare Video Converter Ultimate(Build 5.5.1.0)
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

2/25/2011 9:38:15 AM, error: NetBT [4319] - A duplicate name has been detected on the TCP network. The IP address of the machine that sent the message is in the data. Use nbtstat -n in a command window to see which name is in the Conflict state.
2/25/2011 7:24:53 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2/25/2011 6:27:24 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service netman with arguments "" in order to run the server: {BA126AD8-2166-11D1-B1D0-00805FC1270E}
2/25/2011 4:56:15 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service netman with arguments "" in order to run the server: {BA126ADB-2166-11D1-B1D0-00805FC1270E}
2/25/2011 4:35:06 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
2/25/2011 12:50:08 AM, error: Service Control Manager [7022] - The Tb2 Launch service hung on starting.
2/24/2011 5:02:38 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.
2/24/2011 3:48:58 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
2/24/2011 2:37:04 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm mfehidk pavboot Tosrfcom
2/24/2011 2:37:04 AM, error: Service Control Manager [7001] - The McAfee Validation Trust Protection Service service depends on the McAfee Inc. mfehidk service which failed to start because of the following error: A device attached to the system is not functioning.
2/24/2011 2:37:04 AM, error: Service Control Manager [7001] - The McAfee McShield service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.
2/24/2011 2:36:04 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2/24/2011 1:26:25 AM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the McAfee McShield service, but this action failed with the following error: An instance of the service is already running.
2/24/2011 1:25:25 AM, error: Service Control Manager [7031] - The McAfee McShield service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
2/24/2011 1:25:22 AM, error: Service Control Manager [7022] - The Automatic Updates service hung on starting.
2/24/2011 1:24:18 AM, error: Service Control Manager [7024] - The Java Quick Starter service terminated with service-specific error 1 (0x1).
2/24/2011 1:24:18 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the lxeaCATSCustConnectService service to connect.
2/24/2011 1:24:18 AM, error: Service Control Manager [7005] - The LoadUserProfile call failed with the following error: %%3221225477
2/24/2011 1:24:18 AM, error: Service Control Manager [7000] - The lxeaCATSCustConnectService service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2/24/2011 1:22:56 AM, error: Print [23] - Printer HP LaserJet P1006 failed to initialize because a suitable HP LaserJet P1006 driver could not be found.
2/24/2011 1:21:23 AM, error: Service Control Manager [7034] - The Tb2 Launch service terminated unexpectedly. It has done this 1 time(s).
2/24/2011 1:21:23 AM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
2/24/2011 1:21:22 AM, error: Service Control Manager [7034] - The SQL Server VSS Writer service terminated unexpectedly. It has done this 1 time(s).
2/24/2011 1:21:22 AM, error: Service Control Manager [7034] - The SQL Server (DRILLING) service terminated unexpectedly. It has done this 1 time(s).
2/24/2011 1:21:22 AM, error: Service Control Manager [7034] - The SigmaTel Audio Service service terminated unexpectedly. It has done this 1 time(s).
2/24/2011 1:21:22 AM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
2/24/2011 1:21:22 AM, error: Service Control Manager [7034] - The Norton Ghost service terminated unexpectedly. It has done this 1 time(s).
2/24/2011 1:21:22 AM, error: Service Control Manager [7034] - The McAfee Task Manager service terminated unexpectedly. It has done this 1 time(s).
2/24/2011 1:21:22 AM, error: Service Control Manager [7034] - The McAfee Framework Service service terminated unexpectedly. It has done this 1 time(s).
2/24/2011 1:21:22 AM, error: Service Control Manager [7034] - The McAfee Engine Service service terminated unexpectedly. It has done this 1 time(s).
2/24/2011 1:21:22 AM, error: Service Control Manager [7034] - The lxea_device service terminated unexpectedly. It has done this 1 time(s).
2/24/2011 1:21:22 AM, error: Service Control Manager [7034] - The HP OVCM Scheduler Daemon service terminated unexpectedly. It has done this 1 time(s).
2/24/2011 1:21:22 AM, error: Service Control Manager [7034] - The HP OVCM Notify Daemon service terminated unexpectedly. It has done this 1 time(s).
2/24/2011 1:21:22 AM, error: Service Control Manager [7034] - The HP OVCM MSI Redirector service terminated unexpectedly. It has done this 1 time(s).
2/24/2011 1:21:22 AM, error: Service Control Manager [7034] - The Entrust Login Interface service terminated unexpectedly. It has done this 1 time(s).
2/24/2011 1:21:22 AM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
2/24/2011 1:21:22 AM, error: Service Control Manager [7031] - The Juniper Network Connect Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
2/24/2011 1:21:22 AM, error: Service Control Manager [7031] - The BES Client service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
2/24/2011 1:21:21 AM, error: Service Control Manager [7034] - The EMS service terminated unexpectedly. It has done this 1 time(s).
2/24/2011 1:21:21 AM, error: Service Control Manager [7034] - The Dell Wireless WLAN Tray Service service terminated unexpectedly. It has done this 1 time(s).
2/24/2011 1:21:21 AM, error: Service Control Manager [7034] - The Automatic LiveUpdate Scheduler service terminated unexpectedly. It has done this 1 time(s).
2/24/2011 1:21:21 AM, error: Service Control Manager [7031] - The CMG Shield service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Reboot the machine.
2/24/2011 1:21:21 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
2/24/2011 1:10:28 AM, error: NETLOGON [5719] - No Domain Controller is available for domain NAM due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
2/23/2011 6:10:58 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm mfehidk ohci1394 pavboot Tosrfcom
2/23/2011 6:09:32 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
2/23/2011 12:01:04 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
2/23/2011 1:05:51 AM, error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{5AE13C25-052F-41A7-A289-1FA9F4A47EBB} because another computer on the network has the same name. The server could not start.
2/22/2011 12:09:11 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.
2/19/2011 6:51:19 PM, error: Dhcp [1002] - The IP address lease 191.168.1.4 for the Network Card with network address 001FE2C69532 has been denied by the DHCP server 191.168.1.254 (The DHCP Server sent a DHCPNACK message).
2/19/2011 11:52:02 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the EMS service to connect.
2/19/2011 11:52:02 PM, error: Service Control Manager [7000] - The EMS service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

==== End Of File ===========================

DDS.TXT

DDS (Ver_10-12-12.02) - NTFSx86
Run by rathert at 20:29:56.57 on Sat 02/26/2011
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2488 [GMT -9:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
"C:\WINDOWS\system32\svchost.exe"
"C:\WINDOWS\system32\svchost.exe"
C:\WINDOWS\system32\CmgShieldSvc.exe
C:\WINDOWS\system32\EMSService.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\etlisrv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxeacoms.exe
C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Novadigm\radexecd.exe
C:\PROGRA~1\Novadigm\radsched.exe
C:\PROGRA~1\Novadigm\Radstgms.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\Timbuktu Pro\TimbuktuRemoteConsole.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Timbuktu Pro\minitb2.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\McAfee\VirusScan Enterprise\ShStat.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\WINDOWS\System32\CMGShieldUI.exe
C:\WINDOWS\system32\EmsServiceHelper.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\Program Files\HTC\HTC Sync\Application Launcher\Application Launcher.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\PROGRA~1\Novadigm\radtray.exe
C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe
C:\Program Files\Lexmark S300-S400 Series\ezprint.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\I8kfanGUI\I8kfanGUI.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Teleca Shared\logger.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\HTC\HTC Sync\ClientInitiatedStarter\ClientInitiatedStarter.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\epmworker.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\FsynSrvStarter.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\HTC\HTC Sync\Sync Manager\syncindicator.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Documents and Settings\rathert\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uWindow Title = Windows Internet Explorer provided by Schlumberger
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uStart Page = hxxp://hub.slb.com
uDefault_Page_URL = hxxp://hub.slb.com
mDefault_Page_URL = hxxp://hub.slb.com
mStart Page = hxxp://www.hub.slb.com/
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: ViewerHelper Class: {78104a01-8e71-4f30-9a36-3793799615b4} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [i8kfangui] c:\program files\i8kfangui\I8kfanGUI.exe /startup
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [Password Reminder] remind.vbs
mRun: [TLogonPath] "c:\program files\timbuktu pro\\minitb2.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [Communicator] "c:\program files\microsoft office communicator\communicator.exe" /fromrunkey
mRun: [CmgShieldUI] c:\windows\system32\CMGShieldUI.exe
mRun: [EmsService] EmsServiceHelper.exe
mRun: [EFS] c:\windows\system32\wscript.exe c:\progra~1\novadigm\SLB_EFS.VBS
mRun: [Norton Ghost 12.0] "c:\program files\norton ghost\agent\VProTray.exe"
mRun: [Mobile Connectivity Suite] "c:\program files\htc\htc sync\application launcher\Application Launcher.exe" /startoptions
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [RUNRADTRAY] c:\progra~1\novadigm\radtray.exe
mRun: [lxeamon.exe] "c:\program files\lexmark s300-s400 series\lxeamon.exe"
mRun: [EzPrint] "c:\program files\lexmark s300-s400 series\ezprint.exe"
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-system: DisableChangePassword = 1 (0x1)
mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)
mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {685ec120-f786-4498-a8f0-794d47916161} - {C733FB84-6DB3-4363-8AA7-678F9B5E828E} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - {78104A01-8E71-4F30-9A36-3793799615B4} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Trusted Zone: abbeyinternational.com
Trusted Zone: accenture.com
Trusted Zone: alpinemud.com
Trusted Zone: atbalance.com
Trusted Zone: atosorigin-asp.com
Trusted Zone: atosorigin-asp.com\*.slb
Trusted Zone: books24x7.com
Trusted Zone: boydsrental.com
Trusted Zone: citibank.com
Trusted Zone: coiltubingservices.com
Trusted Zone: deeptec.com.br
Trusted Zone: dell.com
Trusted Zone: drillmotors.com
Trusted Zone: dutchco.com
Trusted Zone: dyna-drill.com
Trusted Zone: dynadrill.com
Trusted Zone: ecutec.com
Trusted Zone: emhobbs.com
Trusted Zone: employcareers.com
Trusted Zone: enertech-ws.com
Trusted Zone: etrade.com
Trusted Zone: extremeeng.com
Trusted Zone: geodiamond.com
Trusted Zone: geoquest.com
Trusted Zone: geoservices.com
Trusted Zone: indigopool.com
Trusted Zone: innerlogix.com
Trusted Zone: intouchsupport.com
Trusted Zone: iwilson.com
Trusted Zone: microsoft.com
Trusted Zone: miswaco.com
Trusted Zone: miswaco.com\web
Trusted Zone: ml.com
Trusted Zone: mydexa.com
Trusted Zone: nexusgeo.com
Trusted Zone: omniseals.com
Trusted Zone: pathfinder-int.com
Trusted Zone: pathfinder-ltd.co.uk
Trusted Zone: pathfinderlwd.com
Trusted Zone: perfolog.com
Trusted Zone: petroal.ru
Trusted Zone: petroalliance.com
Trusted Zone: siismithservices.com
Trusted Zone: skillport.com
Trusted Zone: skillsoft.com
Trusted Zone: slb.com\*.aodc
Trusted Zone: smartforce.com
Trusted Zone: smith-innerarmor.com
Trusted Zone: smith-intl.com
Trusted Zone: smith.com
Trusted Zone: smith.com\smithlink
Trusted Zone: smithbits.com
Trusted Zone: smithborehole.com
Trusted Zone: smithdrilling.com
Trusted Zone: ssafara.net
Trusted Zone: standardchartered.com\webbank
Trusted Zone: sweco.com
Trusted Zone: thomastools.com
Trusted Zone: unitedwire.com
Trusted Zone: virtualbranches.com
Trusted Zone: weirhouston.com
Trusted Zone: westerngeco.com
Trusted Zone: whdrillingsolutions.com
Trusted Zone: whes.com
Trusted Zone: wilsonconfidential.com
Trusted Zone: wilsonconfidential.com\www
Trusted Zone: wilsononline.com
Trusted Zone: geoquest.com
Trusted Zone: intouchsupport.com
Trusted Zone: mydexa.com
Trusted Zone: slb.com
Trusted Zone: standardchartered.com\webbank
Trusted Zone: virtualbranches.com
Trusted Zone: westerngeco.com
DPF: {409C0FFE-1E5F-4195-A349-4C13306692DE} - hxxps://www.interact.slb.com/webdd/TimePlotNew.CAB
DPF: {4409A1D5-C9D3-4DC0-98FE-126B08435A9A} - hxxps://www.interact.slb.com/webdd/LgWrapper2.CAB
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {6F6FDB9E-5072-498C-BCB0-2B7F00C49EE7} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://sisevents.webex.com/client/T26L/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E399A0AF-72FA-4D8F-927F-28856D6B4E36} - hxxps://www.interact.slb.com/webdd/LgWrapper.CAB
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://gateway.slb.com/dana-cached/setup/JuniperSetupSP1.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://gateway.slb.com/dana-cached/sc/JuniperSetupClient.cab
Filter: application/msword - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Filter: application/vnd.ms-excel - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Filter: application/vnd.ms-powerpoint - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Filter: application/x-microsoft-rpmsg-message - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Handler: rmh - {23C585BB-48FF-4865-8934-185F0A7EB84C} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Notify: CMGShieldNP - CmgShieldNP.dll
Notify: slbScCertProp - c:\windows\system32\ScCertProp.dll
Notify: Timbuktu Pro - c:\program files\timbuktu pro\Hook32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - No File
mASetup: {EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5} - rundll32.exe advpack.dll,LaunchINFSectionEx c:\windows\inf\wmactedp.inf,PerUserStub,,4

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rathert\applic~1\mozilla\firefox\profiles\ypi99ins.default\
FF - plugin: c:\documents and settings\rathert\application data\mozilla\firefox\profiles\ypi99ins.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\windows\system32\c2mp\npdivx32.dll
FF - plugin: d:\program files\google\picasa3\npPicasa2.dll
FF - plugin: d:\program files\google\picasa3\npPicasa3.dll
FF - plugin: d:\program files\itunes\mozilla plugins\npitunes.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Tab Mix Plus: {dc572301-7619-498c-a57d-39143191b318} - %profile%\extensions\{dc572301-7619-498c-a57d-39143191b318}
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

============= SERVICES / DRIVERS ===============

R0 CmgShieldCEF;CmgShieldCEF;c:\windows\system32\drivers\CMGShCEF.sys [2009-4-8 404592]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-1-21 343664]
R1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [2008-1-16 14464]
R1 Tb2Device;TB2 Remote Control Driver;NetopiaRC\Tb2Device.sys --> NetopiaRC\Tb2Device.sys [?]
R1 Tb2MirrorSys;TB2 Remote Control Mirror Driver;NetopiaRC\Tb2MirrorSys.sys --> NetopiaRC\Tb2MirrorSys.sys [?]
R2 CMGShield;CMG Shield;c:\windows\system32\CmgShieldSvc.exe [2009-4-8 2057576]
R2 EMS;EMS;c:\windows\system32\EmsService.exe [2009-4-8 709992]
R2 ETFSDNT;Entrust File System Hook;c:\windows\system32\Etfsdrv.sys [2007-5-7 52432]
R2 lxea_device;lxea_device;c:\windows\system32\lxeacoms.exe -service --> c:\windows\system32\lxeacoms.exe -service [?]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\engineserver.exe [2009-8-31 21256]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-11-10 103744]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2009-8-31 146448]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2009-8-31 66896]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-1-21 70728]
R2 MSSQL$DRILLING;SQL Server (DRILLING);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-9-6 29180768]
R2 Radexecd;HP OVCM Notify Daemon;c:\progra~1\novadigm\radexecd.exe [2010-5-24 300776]
R2 Radsched;HP OVCM Scheduler Daemon;c:\progra~1\novadigm\radsched.exe [2010-5-24 194280]
R2 Radstgms;HP OVCM MSI Redirector;c:\progra~1\novadigm\Radstgms.exe [2010-5-24 333544]
R3 Egatebus;Egatebus;c:\windows\system32\drivers\egatebus.sys [2005-3-1 11264]
R3 Egaterdr;Egaterdr;c:\windows\system32\drivers\egaterdr.sys [2005-3-1 10752]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-1-21 91672]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-1-21 43288]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-21 136176]
S2 lxeaCATSCustConnectService;lxeaCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxeaserv.exe [2011-1-12 193192]
S3 CmgShieldNP;CmgShieldNP;c:\windows\system32\CmgShieldNP.dll [2009-4-8 161128]
S3 EL3C589;3Com Megahertz LAN PC Card Driver;c:\windows\system32\drivers\el589nd5.sys [2008-1-15 26141]
S3 ETDSVC;Entrust/TrueDelete™;c:\windows\system32\etdsvc.exe [2005-1-10 10240]
S3 GKUPRO2D;GKUPRO2D;c:\windows\system32\drivers\GKUPRO2D.sys [2008-1-14 62048]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2010-6-29 24576]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-1-21 65448]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-21 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-21 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-6-18 23680]
S3 OracleOraHome817Agent;OracleOraHome817Agent;c:\oracle\ora817\bin\dbsnmp.exe --> c:\oracle\ora817\bin\dbsnmp.exe [?]
S3 OracleOraHome817ClientCache;OracleOraHome817ClientCache;c:\oracle\ora817\bin\onrsd.exe --> c:\oracle\ora817\bin\ONRSD.EXE [?]
S3 OracleOraHome817DataGatherer;OracleOraHome817DataGatherer;c:\oracle\ora817\bin\vppdc.exe --> c:\oracle\ora817\bin\vppdc.exe [?]
S3 OracleOraHome817HTTPServer;OracleOraHome817HTTPServer;c:\oracle\ora817\apache\apache\apache.exe --> c:\oracle\ora817\apache\apache\Apache.exe [?]
S3 OracleOraHome817PagingServer;OracleOraHome817PagingServer;c:\oracle\ora817/bin/pagntsrv.exe --> c:\oracle\Ora817/bin/pagntsrv.exe [?]
S3 OracleOraHome817TNSListener;OracleOraHome817TNSListener;c:\oracle\ora817\bin\tnslsnr --> c:\oracle\ora817\bin\TNSLSNR [?]
S3 OracleServicegfpc8;OracleServicegfpc8;c:\oracle\ora817\bin\oracle.exe gfpc8 --> c:\oracle\ora817\bin\ORACLE.EXE gfpc8 [?]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2008-8-31 9472]
S4 R72_NT4;R72_NT4;c:\windows\system32\drivers\r72_nt4.sys --> c:\windows\system32\drivers\R72_NT4.sys [?]
S4 R72V2NT4;R72V2NT4; [x]

=============== Created Last 30 ================

2011-02-25 21:52:03 823296 ----a-w- c:\program files\mozilla firefox\plugins\webex\1124\atwbxui10.dll
2011-02-25 10:55:31 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-25 10:55:31 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-25 10:55:31 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-02-24 18:41:41 -------- d-----w- c:\program files\ESET
2011-02-23 20:43:54 156160 ----a-w- c:\windows\system32\WS_ContextMenu.dll
2011-02-23 17:20:08 -------- d-----w- c:\docume~1\alluse~1\applic~1\xml_param
2011-02-22 12:34:49 439296 -c----w- c:\windows\system32\dllcache\shimgvw.dll
2011-02-22 12:34:49 301568 -c----w- c:\windows\system32\dllcache\kerberos.dll
2011-02-18 15:31:40 -------- d-----w- c:\docume~1\rathert\applic~1\AnvSoft
2011-01-31 14:34:59 -------- d-----w- c:\program files\Panda Security
2011-01-30 20:14:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-30 20:13:57 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-30 15:45:12 135568 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-01-30 15:45:12 135568 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll

==================== Find3M ====================

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:08:45 832512 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:08:45 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-12-20 23:08:45 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 23:08:45 17408 ----a-w- c:\windows\system32\corpol.dll
2010-12-20 12:55:25 389120 ----a-w- c:\windows\system32\html.iec
2010-12-02 03:35:18 4280320 ----a-w- c:\windows\system32\GPhotos.scr
2010-11-30 02:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-30 02:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600

CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8B3AF1F0]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Ide\IdeDeviceP1T0L0-e[0x8B494B00]
kernel: MBR read successfully
_asm { NOP ; XOR AX, AX; NOP ; MOV DS, AX; MOV ES, AX; NOP ; MOV SS, AX; MOV SP, 0x7c00; MOV SI, 0x7c00; NOP ; MOV DI, 0x600; NOP ; MOV CX, 0x80; NOP ; CLD ; REP MOVSD ; NOP ; JMP FAR 0x0:0x626; }
user != kernel MBR !!!

============= FINISH: 20:30:59.73 ===============

RKUnHooker Log:

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xB8ED0000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 6864896 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 156.83 )
0xBF012000 C:\WINDOWS\System32\nv4_disp.dll 5746688 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 156.83 )
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0x804D7000 RAW 2150400 bytes
0x804D7000 WMIxWDM 2150400 bytes
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB79E7000 C:\WINDOWS\system32\drivers\sthda.sys 1171456 bytes (SigmaTel, Inc., NDRC)
0xB8D5D000 C:\WINDOWS\system32\DRIVERS\bcmwl5.sys 1126400 bytes (Broadcom Corp., Broadcom 802.11 Network Adapter wireless driver)
0xB789D000 C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys 991232 bytes (Conexant Systems, Inc., HSF_DP driver)
0xB77EA000 C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 733184 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xB9DBE000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xB8C8A000 C:\WINDOWS\system32\DRIVERS\Wdf01000.sys 507904 bytes (Microsoft Corporation, WDF Dynamic)
0xB9E83000 CMGShCEF.sys 458752 bytes (CREDANT Technologies, Inc., CMG Shield for Windows Driver)
0xB7563000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB8BB1000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xB7736000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xB4AB1000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xB9D25000 mfehidk.sys 335872 bytes (McAfee, Inc., McAfee Link Driver)
0xBF58D000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB3569000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB798F000 C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys 212992 bytes (Conexant Systems, Inc., HSF_HWAZL WDM driver)
0xB8C0F000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB4C20000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB9D91000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xB8D06000 C:\WINDOWS\system32\DRIVERS\Apfiltr.sys 180224 bytes (Alps Electric Co., Ltd., Alps Touch Pad Driver)
0xB8D32000 C:\WINDOWS\system32\DRIVERS\b57xp32.sys 176128 bytes (Broadcom Corporation, Broadcom NetXtreme Gigabit Ethernet NDIS5.1 Driver.)
0xAD493000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xB75D3000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB8E70000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xB770E000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB76E8000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xAD629000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xB79C3000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB8E98000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB8C67000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xB7626000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xB9E62000 symsnap.sys 135168 bytes (StorageCraft, StorageCraft Volume Snap-Shot)
0x806E4000 ACPI_HAL 134400 bytes
0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB9EF3000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB9F2B000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB9F4A000 pcmcia.sys 122880 bytes (Microsoft Corporation, PCMCIA Bus Driver)
0xB7547000 C:\WINDOWS\system32\DRIVERS\tosrfbd.sys 114688 bytes (TOSHIBA CORPORATION, Bluetooth RF Bus Driver)
0xB9D77000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB9F13000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB9E4B000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB8C50000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB41B8000 C:\WINDOWS\system32\drivers\mfeavfk.sys 86016 bytes (McAfee, Inc., Anti-Virus File System Filter Driver)
0xB4574000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB8EBC000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xB778F000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xB74E5000 C:\WINDOWS\system32\DRIVERS\Tosrfhid.sys 73728 bytes (TOSHIBA Corporation., Bluetooth HID Driver from TOSHIBA)
0xB41F5000 C:\WINDOWS\system32\drivers\mfeapfk.sys 69632 bytes (McAfee, Inc., Access Protection Filter Driver)
0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB8C3F000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xBA268000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xB95BC000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA138000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xBA108000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xBA238000 C:\WINDOWS\System32\Drivers\oz776.sys 65536 bytes (O2Micro, O2Micro USB CCID SmartCard Reader)
0xB95DC000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xB959C000 C:\WINDOWS\System32\Drivers\tosrfcom.sys 65536 bytes (TOSHIBA Corporation, Bluetooth RFCOMM Driver)
0xBA1E8000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xBA188000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xB95AC000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xB48A9000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xBA178000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA118000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xBA1B8000 C:\WINDOWS\system32\drivers\mfetdik.sys 57344 bytes (McAfee, Inc., Anti-Virus Mini-Firewall Driver)
0xBA0E8000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA318000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xB958C000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xBA0C8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xB95EC000 C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
0xB507D000 C:\WINDOWS\system32\etfsdrv.sys 49152 bytes (Entrust Technologies Ltd., Entrust File System Hook Driver)
0xB956C000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xBA1F8000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xB95CC000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xBA0B8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xB957C000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xBA158000 C:\WINDOWS\system32\DRIVERS\tosporte.sys 45056 bytes (TOSHIBA Corporation, TOSHIBA Bluetooth Port Emulation Driver)
0xBA208000 C:\WINDOWS\system32\DRIVERS\tosrfusb.sys 45056 bytes (TOSHIBA CORPORATION, Bluetooth USB Miniport Driver)
0xBA0A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xBA168000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xBA148000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xB4DB5000 C:\WINDOWS\system32\drivers\bcmwlnpf.sys 36864 bytes (CACE Technologies, npf)
0xBA0D8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xBA228000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xBA308000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xB4356000 C:\WINDOWS\system32\drivers\mfebopk.sys 36864 bytes (McAfee, Inc., Buffer Overflow Protection Driver)
0xB955C000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xBA1D8000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xAD51E000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xBA0F8000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xBA1A8000 C:\WINDOWS\NetopiaRC\Tb2MirrorSys.sys 36864 bytes (Netopia, Inc., Windows 2000 Remote Control Port Driver)
0xBA248000 C:\WINDOWS\System32\Drivers\tosrfbnp.sys 36864 bytes (TOSHIBA Corporation, Bluetooth RFBNEP Driver)
0xBA1C8000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xBA460000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xBA4A0000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xBA4B0000 C:\WINDOWS\System32\Drivers\tcusb.sys 32768 bytes (UPEK Inc., TouchChip USB Kernel Driver)
0xBA428000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xBA418000 C:\WINDOWS\system32\DRIVERS\v2imount.sys 32768 bytes (Symantec Corporation, V2iMount.sys - Image Mounting Device Driver)
0xBA480000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xBA478000 d:\NOTENC~1\mbr.sys 28672 bytes
0xBA328000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xBA440000 C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xBA438000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xBA430000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xBA488000 C:\WINDOWS\NetopiaRC\Tb2Device.sys 24576 bytes
0xBA420000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xBA490000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xBA378000 C:\WINDOWS\System32\drivers\aspi32.sys 20480 bytes (Adaptec, ASPI for WIN32 Kernel Driver)
0xBA498000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBA330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xBA450000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xBA458000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xBA448000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xBA4A8000 C:\WINDOWS\system32\DRIVERS\tosrfnds.sys 20480 bytes (TOSHIBA Corporation., Bluetooth BNEP Driver)
0xBA340000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xBA4C0000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xB9C5C000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xB7616000 C:\WINDOWS\system32\drivers\fanio.sys 16384 bytes (Christian Diefer, I8k Fan I/O)
0xB49D9000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 16384 bytes (Conexant, Diagnostic Interface x86 Driver)
0xB9634000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB4F9D000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xB9C64000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xB962C000 C:\WINDOWS\system32\drivers\SMCLIB.SYS 16384 bytes (Microsoft Corporation, Smard Card Driver Library)
0xBA4B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xBA4BC000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xB7527000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xB9C54000 C:\WINDOWS\system32\drivers\egatebus.sys 12288 bytes (axalto, e-gate PC/SC Bus Driver)
0xB9630000 C:\WINDOWS\system32\drivers\egaterdr.sys 12288 bytes (axalto, e-gate PC/SC Reader Driver)
0xB760E000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xB760A000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB9CED000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xB9CA0000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xB9C58000 C:\WINDOWS\system32\DRIVERS\wmiacpi.sys 12288 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0xBA5D4000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBA5D2000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xBA5A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xBA5D6000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xBA5D8000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBA5CA000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xBA5CE000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBA5AA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBA7A6000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xBA693000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xBA7DA000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xBA670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================


My computer has been fine since I ran the FixTDSS from Symantec, however I wanted to be sure I was completely free of rootkits and the like.

#10 gringo_pr (Malware Response Team)

Posted 27 February 2011 - 12:46 AM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run ComboFix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download ComboFix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double-click on combofix.exe and follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion," please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 JR2_Alaska (Topic Starter)

Posted 27 February 2011 - 01:18 AM

ComboFix 11-02-25.02 - rathert 02/26/2011 21:09:18.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2685 [GMT -9:00]
Running from: c:\documents and settings\rathert\Desktop\ComboFix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\LOG145.tmp
C:\LOG1ED.tmp
C:\LOG39.tmp
c:\windows\system\oeminfo.ini
c:\windows\system32\pcs
c:\windows\system32\pcs\EST\est04028_exe.exe
c:\windows\system32\pcs\EST\est04028_results.xml
c:\windows\system32\pcs\EST\est04028_xml.xml
c:\windows\system32\pcs\EST\est05022_exe.exe
c:\windows\system32\pcs\EST\est05022_results.xml
c:\windows\system32\pcs\EST\est05022_xml.xml
c:\windows\system32\pcs\mbsacli2.exe
c:\windows\system32\pcs\PCS.vbs
c:\windows\system32\pcs\WINDOWSUPDATEAGENT20-X86.EXE
c:\windows\system32\pcs\wsusscan.cab
c:\windows\system32\pcs\wsusscn2.cab
c:\windows\system32\pcs\wusscan.dll

.
((((((((((((((((((((((((( Files Created from 2011-01-27 to 2011-02-27 )))))))))))))))))))))))))))))))
.

2011-02-25 21:52 . 2011-02-25 21:52 823296 ----a-w- c:\program files\Mozilla Firefox\plugins\WebEx\1124\atwbxui10.dll
2011-02-25 11:04 . 2011-02-25 11:04 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-02-25 10:55 . 2011-02-25 10:55 -------- d-----w- c:\program files\Common Files\Java
2011-02-25 10:55 . 2011-02-25 10:54 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-02-25 10:55 . 2011-02-25 10:54 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-25 10:55 . 2011-02-25 10:54 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-24 18:41 . 2011-02-24 18:41 -------- d-----w- c:\program files\ESET
2011-02-23 20:43 . 2010-12-18 18:58 156160 ----a-w- c:\windows\system32\WS_ContextMenu.dll
2011-02-23 17:20 . 2011-02-23 17:20 -------- d-----w- c:\documents and settings\All Users\Application Data\xml_param
2011-02-22 12:34 . 2011-01-21 14:44 439296 -c----w- c:\windows\system32\dllcache\shimgvw.dll
2011-02-22 12:34 . 2010-12-22 12:34 301568 -c----w- c:\windows\system32\dllcache\kerberos.dll
2011-02-18 15:31 . 2011-02-18 15:31 -------- d-----w- c:\documents and settings\rathert\Application Data\AnvSoft
2011-01-31 20:02 . 2011-01-31 20:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-01-31 14:34 . 2011-01-31 14:34 -------- d-----w- c:\program files\Panda Security
2011-01-30 20:14 . 2010-12-21 03:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-30 20:13 . 2010-12-21 03:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-30 15:45 . 2011-01-30 15:45 135568 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-01-30 15:45 . 2011-01-30 15:45 135568 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2004-08-04 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-04 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-22 12:34 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:08 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:08 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-12-20 23:08 . 2004-08-04 12:00 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 23:08 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-12-20 12:55 . 2004-08-04 12:00 389120 ----a-w- c:\windows\system32\html.iec
2010-12-02 03:35 . 2010-12-02 03:35 4280320 ----a-w- c:\windows\system32\GPhotos.scr
2010-11-30 02:38 . 2010-11-30 02:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-30 02:38 . 2010-11-30 02:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-12-05 09:41 . 2009-03-06 21:06 113976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2011-02-25 21:51 . 2009-03-06 21:06 449848 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2010-07-15 20:57 . 2009-03-06 21:07 46392 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2009-06-05 19:00 . 2009-06-05 19:00 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"i8kfangui"="c:\program files\I8kfanGUI\I8kfanGUI.exe" [2007-02-16 856064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-17 8495104]
"nwiz"="nwiz.exe" [2007-11-17 1626112]
"NVHotkey"="nvHotkey.dll" [2007-11-17 86016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-17 81920]
"SigmatelSysTrayApp"="stsystra.exe" [2007-05-06 405504]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-10 2183168]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"TLogonPath"="c:\program files\Timbuktu Pro\\minitb2.exe" [2006-10-24 1028096]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-04-25 954368]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2008-12-17 5730144]
"CmgShieldUI"="c:\windows\System32\CMGShieldUI.exe" [2009-04-08 247144]
"EmsService"="EmsServiceHelper.exe" [2009-04-08 1967464]
"EFS"="c:\windows\SYSTEM32\WScript.EXE" [2008-05-08 155648]
"Norton Ghost 12.0"="c:\program files\Norton Ghost\Agent\VProTray.exe" [2008-11-13 2037096]
"Mobile Connectivity Suite"="c:\program files\HTC\HTC Sync\Application Launcher\Application Launcher.exe" [2009-11-20 598016]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-11-11 136512]
"RUNRADTRAY"="c:\progra~1\Novadigm\radtray.exe" [2010-05-24 481000]
"lxeamon.exe"="c:\program files\Lexmark S300-S400 Series\lxeamon.exe" [2010-05-05 770728]
"EzPrint"="c:\program files\Lexmark S300-S400 Series\ezprint.exe" [2010-05-05 148280]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-09-01 124240]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]

c:\documents and settings\dd\Start Menu\Programs\Startup\
Shortcut to TO DO.lnk - d:\work stuff\TO DO.doc [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CMGShieldNP]
2009-04-08 18:13 161128 ----a-w- c:\windows\system32\CmgShieldNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\slbScCertProp]
2003-12-20 00:44 34304 ----a-w- c:\windows\system32\ScCertProp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Timbuktu Pro]
2006-10-24 18:18 81920 ----a-w- c:\program files\Timbuktu Pro\HOOK32.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-1035525444-1801674531-151122\Scripts\Logon\0\0]
"Script"=changeprofile.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-1035525444-1801674531-151122\Scripts\Logon\0\1]
"Script"=BESProcessLow.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Novadigm\\radtray.exe"=
"c:\\Program Files\\Novadigm\\RadUIShell.exe"= c:\\Program Files\\Novadigm\\raduishell.exe
"c:\\Program Files\\Novadigm\\radexecd.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Timbuktu Pro\\tb2pro.exe"=
"c:\\Program Files\\Timbuktu Pro\\MiniTB2.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Timbuktu Pro\\TB2Scan.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\lxeacoms.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"52311:UDP"= 52311:UDP:BES Client
"139:TCP"= 139:TCP:IKE (TCP 139)HKLM
"445:TCP"= 445:TCP:IKE (TCP 445)
"137:UDP"= 137:UDP:IKE (UDP 137)
"138:UDP"= 138:UDP:IKE (UDP 138)
"81:TCP"= 81:TCP:(TCP 81)
"8080:TCP"= 8080:TCP:(TCP 8080)
"8081:TCP"= 8081:TCP:(TCP 8081)
"8082:TCP"= 8082:TCP:(TCP 8082)
"8443:TCP"= 8443:TCP:(TCP 8443)
"8444:TCP"= 8444:TCP:(TCP 8444)
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5742:TCP"= 5742:TCP:TransAct

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 CmgShieldCEF;CmgShieldCEF;c:\windows\system32\drivers\CMGShCEF.sys [4/8/2009 9:14 AM 404592]
R1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [1/16/2008 7:37 PM 14464]
R1 Tb2Device;TB2 Remote Control Driver;NetopiaRC\Tb2Device.sys --> NetopiaRC\Tb2Device.sys [?]
R1 Tb2MirrorSys;TB2 Remote Control Mirror Driver;NetopiaRC\Tb2MirrorSys.sys --> NetopiaRC\Tb2MirrorSys.sys [?]
R2 CMGShield;CMG Shield;c:\windows\system32\CmgShieldSvc.exe [4/8/2009 9:11 AM 2057576]
R2 EMS;EMS;c:\windows\system32\EmsService.exe [4/8/2009 9:08 AM 709992]
R2 ETFSDNT;Entrust File System Hook;c:\windows\system32\Etfsdrv.sys [5/7/2007 1:19 PM 52432]
R2 lxea_device;lxea_device;c:\windows\system32\lxeacoms.exe -service --> c:\windows\system32\lxeacoms.exe -service [?]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\engineserver.exe [8/31/2009 8:07 PM 21256]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [1/21/2011 2:03 PM 70728]
R2 MSSQL$DRILLING;SQL Server (DRILLING);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [9/6/2009 4:19 AM 29180768]
R2 Radexecd;HP OVCM Notify Daemon;c:\progra~1\Novadigm\radexecd.exe [5/24/2010 1:18 PM 300776]
R2 Radsched;HP OVCM Scheduler Daemon;c:\progra~1\Novadigm\radsched.exe [5/24/2010 1:21 PM 194280]
R2 Radstgms;HP OVCM MSI Redirector;c:\progra~1\Novadigm\Radstgms.exe [5/24/2010 1:21 PM 333544]
R3 Egatebus;Egatebus;c:\windows\system32\drivers\egatebus.sys [3/1/2005 1:43 AM 11264]
R3 Egaterdr;Egaterdr;c:\windows\system32\drivers\egaterdr.sys [3/1/2005 1:43 AM 10752]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/21/2010 3:42 AM 136176]
S2 lxeaCATSCustConnectService;lxeaCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxeaserv.exe [1/12/2011 12:53 PM 193192]
S3 CmgShieldNP;CmgShieldNP;c:\windows\system32\CmgShieldNP.dll [4/8/2009 9:13 AM 161128]
S3 EL3C589;3Com Megahertz LAN PC Card Driver;c:\windows\system32\drivers\el589nd5.sys [1/15/2008 10:41 AM 26141]
S3 ETDSVC;Entrust/TrueDelete™;c:\windows\system32\etdsvc.exe [1/10/2005 9:49 AM 10240]
S3 GKUPRO2D;GKUPRO2D;c:\windows\system32\drivers\GKUPRO2D.sys [1/14/2008 5:22 PM 62048]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [6/29/2010 9:29 PM 24576]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [1/21/2011 2:03 PM 65448]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/21/2008 10:49 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/21/2008 10:49 PM 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [6/18/2007 7:18 PM 23680]
S3 OracleOraHome817Agent;OracleOraHome817Agent;c:\oracle\Ora817\bin\dbsnmp.exe --> c:\oracle\Ora817\bin\dbsnmp.exe [?]
S3 OracleOraHome817ClientCache;OracleOraHome817ClientCache;c:\oracle\Ora817\BIN\ONRSD.EXE --> c:\oracle\Ora817\BIN\ONRSD.EXE [?]
S3 OracleOraHome817DataGatherer;OracleOraHome817DataGatherer;c:\oracle\Ora817\bin\vppdc.exe --> c:\oracle\Ora817\bin\vppdc.exe [?]
S3 OracleOraHome817HTTPServer;OracleOraHome817HTTPServer;c:\oracle\Ora817\Apache\Apache\Apache.exe --> c:\oracle\Ora817\Apache\Apache\Apache.exe [?]
S3 OracleOraHome817PagingServer;OracleOraHome817PagingServer;c:\oracle\Ora817/bin/pagntsrv.exe --> c:\oracle\Ora817/bin/pagntsrv.exe [?]
S3 OracleOraHome817TNSListener;OracleOraHome817TNSListener;c:\oracle\Ora817\BIN\TNSLSNR --> c:\oracle\Ora817\BIN\TNSLSNR [?]
S3 OracleServicegfpc8;OracleServicegfpc8;c:\oracle\ora817\bin\ORACLE.EXE gfpc8 --> c:\oracle\ora817\bin\ORACLE.EXE gfpc8 [?]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [8/31/2008 8:46 PM 9472]
S4 R72_NT4;R72_NT4;c:\windows\system32\drivers\R72_NT4.sys --> c:\windows\system32\drivers\R72_NT4.sys [?]
S4 R72V2NT4;R72V2NT4; [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMD25
*NewlyCreated* - NORMANDY
*Deregistered* - klmd25
*Deregistered* - Normandy

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
2010-12-20 23:08 124928 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2011-02-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cb6e594033447c.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-21 12:42]

2011-02-27 c:\windows\Tasks\HP WEP.job
- c:\program files\HP\Dfawep\bin\hpbdfawep.exe [2007-04-25 22:28]

2011-02-27 c:\windows\Tasks\User_Feed_Synchronization-{3593033B-F2BD-4A4A-BADC-A441AFBBF125}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 16:58]

2011-02-27 c:\windows\Tasks\User_Feed_Synchronization-{45E63BAE-507C-482C-97D2-CF7BF189B9A8}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 16:58]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uStart Page = hxxp://hub.slb.com
mStart Page = hxxp://www.hub.slb.com/
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: abbeyinternational.com
Trusted Zone: accenture.com
Trusted Zone: alpinemud.com
Trusted Zone: atbalance.com
Trusted Zone: atosorigin-asp.com
Trusted Zone: atosorigin-asp.com\*.slb
Trusted Zone: books24x7.com
Trusted Zone: boydsrental.com
Trusted Zone: citibank.com
Trusted Zone: coiltubingservices.com
Trusted Zone: deeptec.com.br
Trusted Zone: dell.com
Trusted Zone: drillmotors.com
Trusted Zone: dutchco.com
Trusted Zone: dyna-drill.com
Trusted Zone: dynadrill.com
Trusted Zone: ecutec.com
Trusted Zone: emhobbs.com
Trusted Zone: employcareers.com
Trusted Zone: enertech-ws.com
Trusted Zone: etrade.com
Trusted Zone: extremeeng.com
Trusted Zone: geodiamond.com
Trusted Zone: geoquest.com
Trusted Zone: geoservices.com
Trusted Zone: indigopool.com
Trusted Zone: innerlogix.com
Trusted Zone: intouchsupport.com
Trusted Zone: iwilson.com
Trusted Zone: microsoft.com
Trusted Zone: miswaco.com
Trusted Zone: miswaco.com\web
Trusted Zone: ml.com
Trusted Zone: mydexa.com
Trusted Zone: nexusgeo.com
Trusted Zone: omniseals.com
Trusted Zone: pathfinder-int.com
Trusted Zone: pathfinder-ltd.co.uk
Trusted Zone: pathfinderlwd.com
Trusted Zone: perfolog.com
Trusted Zone: petroal.ru
Trusted Zone: petroalliance.com
Trusted Zone: siismithservices.com
Trusted Zone: skillport.com
Trusted Zone: skillsoft.com
Trusted Zone: slb.com\*.aodc
Trusted Zone: smartforce.com
Trusted Zone: smith-innerarmor.com
Trusted Zone: smith-intl.com
Trusted Zone: smith.com
Trusted Zone: smith.com\smithlink
Trusted Zone: smithbits.com
Trusted Zone: smithborehole.com
Trusted Zone: smithdrilling.com
Trusted Zone: ssafara.net
Trusted Zone: standardchartered.com\webbank
Trusted Zone: sweco.com
Trusted Zone: thomastools.com
Trusted Zone: unitedwire.com
Trusted Zone: virtualbranches.com
Trusted Zone: weirhouston.com
Trusted Zone: westerngeco.com
Trusted Zone: whdrillingsolutions.com
Trusted Zone: whes.com
Trusted Zone: wilsonconfidential.com
Trusted Zone: wilsonconfidential.com\www
Trusted Zone: wilsononline.com
Trusted Zone: geoquest.com
Trusted Zone: intouchsupport.com
Trusted Zone: mydexa.com
Trusted Zone: slb.com
Trusted Zone: standardchartered.com\webbank
Trusted Zone: virtualbranches.com
Trusted Zone: westerngeco.com
DPF: {409C0FFE-1E5F-4195-A349-4C13306692DE} - hxxps://www.interact.slb.com/webdd/TimePlotNew.CAB
DPF: {4409A1D5-C9D3-4DC0-98FE-126B08435A9A} - hxxps://www.interact.slb.com/webdd/LgWrapper2.CAB
DPF: {6F6FDB9E-5072-498C-BCB0-2B7F00C49EE7} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {E399A0AF-72FA-4D8F-927F-28856D6B4E36} - hxxps://www.interact.slb.com/webdd/LgWrapper.CAB
FF - ProfilePath - c:\documents and settings\rathert\Application Data\Mozilla\Firefox\Profiles\ypi99ins.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Tab Mix Plus: {dc572301-7619-498c-a57d-39143191b318} - %profile%\extensions\{dc572301-7619-498c-a57d-39143191b318}
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Password Reminder - remind.vbs
ShellExecuteHooks-{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - (no file)
SafeBoot-klmdb.sys
AddRemove-Mozilla Firefox (3.0.8) - g:\system\Apps\3C9F7B3F-D55C-42cd-8537-B878518B73AF\Exec\firefox\uninstall\helper.exe
AddRemove-RadiaDeinstKey - c:\program files\Novadigm\DeIsL1.isu
AddRemove-WZCLINE - c:\program files\WINZIP\winzip32



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-26 21:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\documents and settings\rathert\Application Data\Microsoft\Outlook\CredDB.CEF 3256 bytes

scan completed successfully
hidden files: 1

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600

CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\OracleOraHome817PagingServer]
"ImagePath"="c:\oracle\Ora817/bin/pagntsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\OracleOraHome817TNSListener]
"ImagePath"="c:\oracle\Ora817\BIN\TNSLSNR "
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1308)
c:\windows\system32\CmgShieldNP.dll
c:\windows\system32\ScCertProp.dll
.
Completion time: 2011-02-26 21:15:11
ComboFix-quarantined-files.txt 2011-02-27 06:15

Pre-Run: 8,464,666,624 bytes free
Post-Run: 9,449,418,752 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - F637B91D73FE5A66E9A9A2ECDA7CE994


Here is the log, no problems running ComboFix.
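The Gmer section of the ComboFix log above ("user: error reading MBR", "kernel: MBR read successfully", "user != kernel MBR !!!") is a cross-view check: the same 512-byte sector is read through two paths and any disagreement is flagged, which is how MBR bootkits that filter disk reads are caught. The following is an added example, not code from this thread, from Gmer or from ComboFix, showing what such a comparison does. It runs on two constructed in-memory MBR images rather than a real disk; the function names, the sample partition layout and the verdict strings are assumptions for illustration.

```python
"""Cross-view MBR comparison, in the spirit of the Gmer 'user != kernel MBR' check.

Added example, not from the thread or from Gmer. It never touches a real disk:
both 512-byte images are constructed inline so the script runs offline. On a
live Windows host the 'user' view would be a read of \\.\PhysicalDrive0 (which,
as the log shows, can fail with a sharing violation) and the 'kernel' view
would come from a driver; how those are obtained is assumed, not shown.
"""
import struct

MBR_SIZE = 512
BOOT_SIG_OFFSET = 510
PART_TABLE_OFFSET = 446
PART_ENTRY_SIZE = 16
PART_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_clean_mbr():
    """Constructed sample: short boot stub, one bootable NTFS partition, valid 0x55AA."""
    mbr = bytearray(MBR_SIZE)
    mbr[0:3] = b"\xEB\x3C\x90"  # JMP stub so the boot code is not all zeros
    entry = struct.pack(PART_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 2097152)
    mbr[PART_TABLE_OFFSET:PART_TABLE_OFFSET + PART_ENTRY_SIZE] = entry
    mbr[BOOT_SIG_OFFSET:MBR_SIZE] = b"\x55\xAA"
    return bytes(mbr)


def build_tampered_mbr(clean):
    """Constructed sample of a bootkit-style difference: partition table and
    signature untouched, only the boot code replaced."""
    mbr = bytearray(clean)
    mbr[0:16] = bytes(range(0xB8, 0xC8))  # arbitrary replacement boot-code bytes
    return bytes(mbr)


def has_boot_signature(mbr):
    return mbr[BOOT_SIG_OFFSET:MBR_SIZE] == b"\x55\xAA"


def parse_partitions(mbr):
    """Return the non-empty primary partition entries as dicts."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, _chs_s, ptype, _chs_e, lba_start, sectors = struct.unpack(
            PART_FMT, mbr[off:off + PART_ENTRY_SIZE])
        if ptype == 0:
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def compare_views(user_mbr, kernel_mbr):
    """Cross-view check. user_mbr may be None, modelling the log's
    'user: error reading MBR': the views then cannot be reconciled."""
    result = {"user_readable": user_mbr is not None,
              "kernel_signature_ok": has_boot_signature(kernel_mbr),
              "differing_offsets": [], "partitions_match": None}
    if user_mbr is None:
        result["verdict"] = "user != kernel MBR (user view unreadable)"
        return result
    diffs = [i for i in range(MBR_SIZE) if user_mbr[i] != kernel_mbr[i]]
    result["differing_offsets"] = diffs
    result["partitions_match"] = parse_partitions(user_mbr) == parse_partitions(kernel_mbr)
    if not diffs:
        result["verdict"] = "views agree"
    elif result["partitions_match"]:
        # partition table intact but boot code differs: the classic bootkit pattern
        result["verdict"] = "user != kernel MBR (boot code differs, partition table intact)"
    else:
        result["verdict"] = "user != kernel MBR (partition table differs)"
    return result


if __name__ == "__main__":
    clean = build_clean_mbr()
    cases = (("unreadable", None), ("clean", clean), ("tampered", build_tampered_mbr(clean)))
    for label, user_view in cases:
        print(label, "->", compare_views(user_view, clean)["verdict"])
```

The check can only say that the two views disagree, not which one is truthful; a sharing violation on the user-mode handle, as in the log, is reported the same way as a genuine mismatch, which is why the detector's "!!!" alone is not proof of infection and the later scans in this thread were still worth running.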

#12 gringo_pr (Malware Response Team)

Posted 27 February 2011 - 02:04 AM

Clear your Java Cache

  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#13 JR2_Alaska

JR2_Alaska
  • Topic Starter

  • Members
  • 24 posts

Posted 27 February 2011 - 12:49 PM

MBAM:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5891

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

2/26/2011 10:46:33 PM
mbam-log-2011-02-26 (22-46-33).txt

Scan type: Quick scan
Objects scanned: 185563
Time elapsed: 12 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




HJT Log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:29:04 AM, on 2/27/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17095)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CmgShieldSvc.exe
C:\WINDOWS\system32\EMSService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\etlisrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\lxeacoms.exe
C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Novadigm\radexecd.exe
C:\PROGRA~1\Novadigm\radsched.exe
C:\PROGRA~1\Novadigm\Radstgms.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\Timbuktu Pro\TimbuktuRemoteConsole.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Timbuktu Pro\minitb2.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\WINDOWS\System32\CMGShieldUI.exe
C:\WINDOWS\system32\EmsServiceHelper.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\PROGRA~1\Novadigm\radtray.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe
C:\Program Files\Lexmark S300-S400 Series\ezprint.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\I8kfanGUI\I8kfanGUI.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Common Files\Teleca Shared\logger.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HTC\HTC Sync\ClientInitiatedStarter\ClientInitiatedStarter.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\epmworker.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\FsynSrvStarter.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\msiexec.exe
D:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hub.slb.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hub.slb.com/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: ViewerHelper Class - {78104A01-8E71-4F30-9A36-3793799615B4} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [TLogonPath] "C:\Program Files\Timbuktu Pro\\minitb2.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [hpbdfawep] C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe 1
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [CmgShieldUI] C:\WINDOWS\System32\CMGShieldUI.exe
O4 - HKLM\..\Run: [EmsService] EmsServiceHelper.exe
O4 - HKLM\..\Run: [EFS] C:\WINDOWS\SYSTEM32\WScript.EXE C:\PROGRA~1\NOVADIGM\SLB_EFS.VBS
O4 - HKLM\..\Run: [Norton Ghost 12.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe"
O4 - HKLM\..\Run: [Mobile Connectivity Suite] "C:\Program Files\HTC\HTC Sync\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [RUNRADTRAY] C:\PROGRA~1\Novadigm\radtray.exe
O4 - HKLM\..\Run: [lxeamon.exe] "C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark S300-S400 Series\ezprint.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O15 - Trusted Zone: http://web.miswaco.com
O15 - Trusted Zone: http://*.smartforce.com
O15 - Trusted Zone: http://smithlink.smith.com
O15 - Trusted Zone: http://www.wilsonconfidential.com
O16 - DPF: {409C0FFE-1E5F-4195-A349-4C13306692DE} (ProEWrap.ProEWrapper) - https://www.interact.slb.com/webdd/TimePlotNew.CAB
O16 - DPF: {4409A1D5-C9D3-4DC0-98FE-126B08435A9A} (Schlumberger Log Graphics Wrapper2) - https://www.interact.slb.com/webdd/LgWrapper2.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
O16 - DPF: {6F6FDB9E-5072-498C-BCB0-2B7F00C49EE7} (DellSystemLite.Scanner) - http://support.dell.com/systemprofiler/DellSystemLite.CAB
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} (DellSystemLite.Scanner) - http://support.dell.com/systemprofiler/DellSystemLite.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://sisevents.webex.com/client/T26L/webex/ieatgpc.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E399A0AF-72FA-4D8F-927F-28856D6B4E36} (Schlumberger Log Graphics Wrapper) - https://www.interact.slb.com/webdd/LgWrapper.CAB
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://gateway.slb.com/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://gateway.slb.com/dana-cached/sc/JuniperSetupClient.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nam.slb.com
O17 - HKLM\Software\..\Telephony: DomainName = nam.slb.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nam.slb.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nam.slb.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = nam.slb.com
O20 - Winlogon Notify: CMGShieldNP - CmgShieldNP.dll (file missing)
O20 - Winlogon Notify: slbScCertProp - C:\WINDOWS\system32\ScCertProp.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CMG Shield (CMGShield) - CREDANT Technologies, Inc. - C:\WINDOWS\system32\CmgShieldSvc.exe
O23 - Service: Entrust Login Interface (ELIService) - Entrust® - C:\WINDOWS\etlisrv.exe
O23 - Service: EMS - CREDANT Technologies, Inc. - C:\WINDOWS\system32\EMSService.exe
O23 - Service: Entrust/TrueDelete™ (ETDSVC) - Entrust Technologies Ltd. - C:\WINDOWS\system32\etdsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxeaCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxeaserv.exe
O23 - Service: lxea_device - - C:\WINDOWS\system32\lxeacoms.exe
O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleOraHome817Agent - Unknown owner - C:\Oracle\Ora817\bin\dbsnmp.exe (file missing)
O23 - Service: OracleOraHome817ClientCache - Unknown owner - C:\Oracle\Ora817\BIN\ONRSD.EXE (file missing)
O23 - Service: OracleOraHome817DataGatherer - Unknown owner - C:\Oracle\Ora817\bin\vppdc.exe (file missing)
O23 - Service: OracleOraHome817HTTPServer - Unknown owner - C:\Oracle\Ora817\Apache\Apache\Apache.exe (file missing)
O23 - Service: OracleOraHome817PagingServer - Unknown owner - C:\Oracle\Ora817/bin/pagntsrv.exe (file missing)
O23 - Service: OracleOraHome817TNSListener - Unknown owner - C:\Oracle\Ora817\BIN\TNSLSNR.exe (file missing)
O23 - Service: OracleServicegfpc8 - Unknown owner - c:\oracle\ora817\bin\ORACLE.EXE (file missing)
O23 - Service: HP OVCM Notify Daemon (Radexecd) - Hewlett-Packard - C:\PROGRA~1\Novadigm\radexecd.exe
O23 - Service: HP OVCM Scheduler Daemon (Radsched) - Hewlett-Packard - C:\PROGRA~1\Novadigm\radsched.exe
O23 - Service: HP OVCM MSI Redirector (Radstgms) - Hewlett-Packard - C:\PROGRA~1\Novadigm\Radstgms.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - C:\Program Files\Timbuktu Pro\tb2launch.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 16499 bytes

That all ran just fine.

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 27 February 2011 - 02:17 PM

Greetings

These logs are looking very good; we are almost done!!! Just one more scan to go.

Remove unneeded startup entries

This part of the fix is purely optional.
These are programs that start up when you turn on your computer but don't need to; you can start any of them from their icons (or from the Control Panel) when you need them. By stopping these programs you will boot up faster and your computer will work faster.

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
      O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
      O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
      O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
      O4 - HKLM\..\Run: [TLogonPath] "C:\Program Files\Timbuktu Pro\\minitb2.exe"
      O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
      O4 - HKLM\..\Run: [hpbdfawep] C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe 1
      O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
      O4 - HKLM\..\Run: [CmgShieldUI] C:\WINDOWS\System32\CMGShieldUI.exe
      O4 - HKLM\..\Run: [EFS] C:\WINDOWS\SYSTEM32\WScript.EXE C:\PROGRA~1\NOVADIGM\SLB_EFS.VBS
      O4 - HKLM\..\Run: [Mobile Connectivity Suite] "C:\Program Files\HTC\HTC Sync\Application Launcher\Application Launcher.exe" /startoptions
      O4 - HKLM\..\Run: [RUNRADTRAY] C:\PROGRA~1\Novadigm\radtray.exe
      O4 - HKLM\..\Run: [lxeamon.exe] "C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe"
      O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark S300-S400 Series\ezprint.exe"
      O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
      O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup
      O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines >here< and see if you want to keep them or not;
    just copy the name between the brackets and paste it into the search space, e.g. for
    O4 - HKLM\..\Run: [IntelliPoint]


Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan - Vista and Win 7: right click on the IE shortcut and run as admin.

Go to the ESET web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Copy and paste the results here in this topic
  • You may also find the log here: C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic.

Gringo

#15 JR2_Alaska

JR2_Alaska
  • Topic Starter

  • Members
  • 24 posts

Posted 27 February 2011 - 07:25 PM

Removed quite a few of the start-ups but not all; a couple of them are important for various reasons.

ESET ran and the log is below... nothing found this time; however, I have run it in the past (before you were helping me) and it found a few. I included the entire log just so you could see what I had before. I put the most recent log in bold font.

Computer is working well.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17095 (vista_gdr.101217-1830)
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=d73dd1b64b6e214f85cfd76e1d7b9fae
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-02-25 01:51:57
# local_time=2011-02-24 04:51:57 (-0900, Alaskan Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=185239
# found=7
# cleaned=7
# scan_time=24263
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\45\42f606ad-6786113c multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KKDWZAG0\97838d[1].pdf PDF/Exploit.Pidief.PGA.Gen trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\rathert\Local Settings\Application Data\Mozilla\Firefox\Profiles\ypi99ins.default\Cache(2)\B87715B7d01 JS/Exploit.Pdfka.NWV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\inf\Auto1.inf INF/Autorun.gen trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\inf\Auto2.inf INF/Autorun.gen trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\autorun.inf Win32/PSW.OnLineGames.NNU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\RECYCLER\S-1-5-21-193378832-1070660909-1809959405-1014\Dd68.inf INF/Autorun.gen trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
# version=7
# iexplore.exe=7.00.6000.17095 (vista_gdr.101217-1830)
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=d73dd1b64b6e214f85cfd76e1d7b9fae
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-02-26 05:12:29
# local_time=2011-02-25 08:12:29 (-0900, Alaskan Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 23091 23091 0 0
# scanned=188720
# found=1
# cleaned=1
# scan_time=18357
C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\16\289fb50-451790e9 Java/TrojanDownloader.OpenStream.NBH trojan (deleted - quarantined) 00000000000000000000000000000000 C
# version=7
# iexplore.exe=7.00.6000.17095 (vista_gdr.101217-1830)
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=d73dd1b64b6e214f85cfd76e1d7b9fae
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-02-28 12:17:41
# local_time=2011-02-27 03:17:41 (-0900, Alaskan Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 182829 182829 0 0
# scanned=130168
# found=0
# cleaned=0
# scan_time=13728


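The ESET Online Scanner log pasted above is really three scan runs concatenated, each starting at a `# version=` header and followed by one line per detection. Below is an added example (not part of the thread or of ESET's tooling) that parses that format into per-run summaries and checks the `found`/`cleaned` counters against the detection lines actually present; the embedded log is constructed to match the page's format, with placeholder paths and the page's all-zero hash.

```python
"""Parse ESET Online Scanner logs (several runs pasted together) and
summarise each run: settings used, counts, and the threats named.
Added example; the sample log below is constructed in the page's format."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# One detection line: "<path> <threat> (<action>) <32-hex hash> <flag>".
# Paths may contain spaces, so the threat is recognised by its
# "Family/Name [kind]" shape or the phrase "multiple threats".
# Assumption: paths in these logs use backslashes, so the first "/"
# after a space marks the start of the threat name.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<threat>(?:\S+/\S+(?: \S+)?|multiple threats)) "
    r"\((?P<action>[^)]*)\) "
    r"(?P<hash>[0-9a-fA-F]{32}) "
    r"(?P<flag>\S+)$"
)
# Header line: "# key=value" (keys such as iexplore.exe contain a dot)
HEADER_RE = re.compile(r"^# (?P<key>[^=\s]+)=(?P<value>.*)$")


@dataclass
class Detection:
    path: str
    threat: str
    action: str
    hash_hex: str
    flag: str


@dataclass
class ScanRun:
    header: Dict[str, str] = field(default_factory=dict)
    detections: List[Detection] = field(default_factory=list)

    def summary(self) -> Dict[str, object]:
        """Header counters plus a consistency check against the
        detection lines that are actually present in this run."""
        found = int(self.header.get("found", "0"))
        cleaned = int(self.header.get("cleaned", "0"))
        quarantined = sum(1 for d in self.detections if "quarantined" in d.action)
        return {
            "local_time": self.header.get("local_time", "?"),
            "remove_found_threats": self.header.get("remove_checked") == "true",
            "scanned": int(self.header.get("scanned", "0")),
            "found": found,
            "cleaned": cleaned,
            "detection_lines": len(self.detections),
            "counts_consistent": found == len(self.detections) and cleaned == quarantined,
            "threats": sorted({d.threat for d in self.detections}),
        }


def parse_eset_log(text: str) -> List[ScanRun]:
    """Split a concatenated log into runs. A new run starts at every
    '# version=' line; installer chatter and blank lines are ignored.
    A key repeated inside one run (compatibility_mode) keeps its last value."""
    runs: List[ScanRun] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            key, value = m.group("key"), m.group("value")
            if key == "version" or not runs:
                runs.append(ScanRun())
            runs[-1].header[key] = value
            continue
        m = DETECTION_RE.match(line)
        if m and runs:
            runs[-1].detections.append(Detection(
                m.group("path"), m.group("threat"), m.group("action"),
                m.group("hash"), m.group("flag")))
    return runs


# Constructed sample in the page's format: one run with removal on and
# two detections, one later run with removal off and nothing found.
SAMPLE_LOG = r"""ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# remove_checked=true
# local_time=2011-02-24 04:51:57 (-0900, Alaskan Standard Time)
# scanned=185239
# found=2
# cleaned=2
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\45\aaaa1111-bbbb2222 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\inf\Auto1.inf INF/Autorun.gen trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
# version=7
# remove_checked=false
# local_time=2011-02-27 03:17:41 (-0900, Alaskan Standard Time)
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 182829 182829 0 0
# scanned=130168
# found=0
# cleaned=0
"""

if __name__ == "__main__":
    for run in parse_eset_log(SAMPLE_LOG):
        print(run.summary())
```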


