
Trojans, Malware repeated infections


4 replies to this topic

#1 Prof.Parry


Posted 11 May 2011 - 09:07 PM

Hello,

This topic is a redirect from the following post, with the logs attached here as requested, to help me resolve my malware/virus issues.
http://www.bleepingcomputer.com/forums/topic395751.html/page__p__2235811__fromsearch__1#entry2235811

My computer has been repeatedly attacked by the "XP Security 2011" malware, and all of my browsers, IE as well as Firefox, redirect to unwarranted sites. I also see repeated hardware exceptions and the "Generic Win32 service" system error message to report popup. After that I have observed that the Windows Desktop scheme changes from XP to Classic.

Attached are the logs as requested.

****************DDS*****************************

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Gaurang at 20:16:12.96 on Wed 05/11/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1405 [GMT -5:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\DivX\DivX Plus Web Player\DDmService.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Documents and Settings\Gaurang\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://in.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://in.search.yahoo.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://in.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://in.search.yahoo.com
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101104070326.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Download Accelerator Plus Integration: {ff6c3cf0-4b15-11d1-abed-709549c10000} - c:\progra~1\dap\DAPIEL~1.DLL
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [Google Update] "c:\documents and settings\gaurang\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [DivX Download Manager] "c:\program files\divx\divx plus web player\DDmService.exe" start
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
dRun: [SvrWsc]
IE: &Clean Traces - c:\program files\dap\privacy package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\dap\dapextie.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/52.07/uploader2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Name-Space Handler: FTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll
Name-Space Handler: HTTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
Notify: itlnfw32 - itlnfw32.dll
Notify: itlntfy - itlnfw32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {F9F803E5-559F-4323-8962-1572E758FDA7} - rundll32.exe "ger", UnregisterDll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\gaurang\applic~1\mozilla\firefox\profiles\yo1cv3hz.default\
FF - component: c:\program files\dap\dapfirefox\components\DAPFireFox.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\gaurang\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\gaurang\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\gaurang\local settings\application data\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: XULRunner: {5F69E67D-616A-445E-AFB1-98884C57BC8F} - c:\documents and settings\gaurang\local settings\application data\{5F69E67D-616A-445E-AFB1-98884C57BC8F}
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\divx\divx plus web player\firefox\wpa
FF - Ext: XULRunner: {F32BF6CF-F84B-4A23-A469-74E074547C0D} - c:\documents and settings\gaurang\local settings\application data\{F32BF6CF-F84B-4A23-A469-74E074547C0D}
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor
FF - Ext: Download Accelerator Plus (DAP) extension: {F17C1572-C9EC-4e5c-A542-D05CBB5C5A08} - c:\program files\dap\DAPFireFox
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-4-20 386840]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-4-20 84072]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-4-19 88176]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-20 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-20 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-20 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-4-20 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-4-20 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-4-20 141792]
R2 Viewpoint Service;Viewpoint Service;c:\program files\viewpoint\common\ViewpointService.exe [2010-1-19 30152]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-4-20 55840]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-4-20 152960]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-4-20 52104]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-4-20 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-4-20 88544]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-29 135664]
S2 itlperf;Intel CPU;c:\windows\system32\svchost.exe -k itlsvc [2004-8-4 14336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-6-29 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-1-26 38224]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-4-20 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-4-20 84264]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-3-25 30969208]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
.
=============== Created Last 30 ================
.
2011-05-11 23:16:04 230791 --sha-w- c:\docume~1\gaurang\locals~1\applic~1\uwe.exe
2011-05-09 02:19:08 -------- d-----w- c:\docume~1\gaurang\applic~1\SUPERAntiSpyware.com
2011-05-09 02:19:08 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-05-09 02:18:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-05-05 05:24:00 -------- d-----w- c:\documents and settings\gaurang\DoctorWeb
2011-04-14 08:39:02 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2011-05-10 02:38:07 90112 ----a-w- c:\windows\DUMP4a38.tmp
2011-03-26 20:39:49 536 ----a-w- c:\windows\system32\wbrifkpc.rif
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_HTS541680J9SA00 rev.SB2OC74P -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A838730]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a83ea10]; MOV EAX, [0x8a83ea8c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8A93DAB8]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000086[0x8A8B6030]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8A8B7030]
\Driver\atapi[0x8A93BBF8] -> IRP_MJ_CREATE -> 0x8A838730
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A83857B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 20:19:38.76 ===============


***************************ATTACH************************


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 4/19/2009 3:08:14 AM
System Uptime: 5/11/2011 8:13:47 PM (0 hours ago)
.
Motherboard: Dell Inc. | | 0PF493
Processor: Intel® Celeron® M CPU 430 @ 1.73GHz | Microprocessor | 1728/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 20 GiB total, 3.459 GiB free.
D: is FIXED (NTFS) - 54 GiB total, 16.578 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP2: 4/27/2011 3:15:38 PM - System Checkpoint
RP3: 5/3/2011 4:58:05 PM - System Checkpoint
RP4: 5/4/2011 10:49:57 PM - Installed Ad-Aware
RP5: 5/4/2011 10:51:03 PM - Installed Ad-Aware
RP6: 5/5/2011 12:44:13 AM - Removed Ad-Aware
RP7: 5/10/2011 12:08:20 AM - System Checkpoint
.
==== Installed Programs ======================
.
7-Zip 9.20
AC3Filter (remove only)
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.4
Adobe Shockwave Player 11.5
ALPS Touch Pad Driver
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft MediaImpression for Kodak
Bonjour
Broadcom 440x 10/100 Integrated Controller
CDisplay 1.8
Conexant HDA D110 MDC V.92 Modem
CutePDF Writer 2.8
Definition update for Microsoft Office 2010 (KB982726)
Dell Resource CD
DivX Setup
Download Accelerator Plus (DAP)
Google Talk (remove only)
Google Talk Plugin
Google Update Helper
High Definition Audio Driver Package - KB835221
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel PROSet Wireless
Intel® Graphics Media Accelerator Driver
Intel® PROSet/Wireless WiFi Software
iTunes
J2SE Runtime Environment 5.0 Update 6
Java Auto Updater
Java™ 6 Update 20
Logitech QuickCam
Logitech® Camera Driver
Malwarebytes' Anti-Malware
McAfee AntiVirus Plus
Media Player Classic - Home Cinema v1.4.2499.0
MediaCoder 0.6.2
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 14
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MobileMe Control Panel
Mozilla Firefox (3.6.17)
mProSafe
MSN
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MVision
mWlsSafe
MyPhoneExplorer
OGA Notifier 2.0.0048.0
Peck's Power Join
Picasa 3
QuickSet
QuickTime
Safari
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office 2010 (KB2289078)
Security Update for Microsoft Office 2010 (KB2289161)
Security Update for Microsoft Publisher 2010 (KB2409055)
Security Update for Microsoft Word 2010 (KB2345000)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SigmaTel Audio
Skype Toolbars
SUPERAntiSpyware
TextPad 4.7
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2010 (KB2202188)
Update for Microsoft Office 2010 (KB2413186)
Update for Microsoft OneNote 2010 (KB2493983)
Update for Microsoft Outlook Social Connector (KB2289116)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.4053
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 1.1.4
WebFldrs XP
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Yahoo! Messenger
.
==== Event Viewer Messages From Past Week ========
.
5/9/2011 9:22:01 PM, error: Service Control Manager [7023] - The Network Security service terminated with the following error: The system cannot find the file specified.
5/9/2011 11:04:24 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
5/8/2011 9:32:45 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD APPDRV Fips intelppm IPSec Lbd mfehidk mfetdi2k MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip
5/8/2011 9:32:45 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
5/8/2011 9:32:45 PM, error: Service Control Manager [7001] - The McShield service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.
5/8/2011 9:32:45 PM, error: Service Control Manager [7001] - The McAfee Validation Trust Protection Service service depends on the McAfee Inc. mfehidk service which failed to start because of the following error: A device attached to the system is not functioning.
5/8/2011 9:32:45 PM, error: Service Control Manager [7001] - The McAfee Proxy Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.
5/8/2011 9:32:45 PM, error: Service Control Manager [7001] - The McAfee Personal Firewall Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.
5/8/2011 9:32:45 PM, error: Service Control Manager [7001] - The McAfee Network Agent service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.
5/8/2011 9:32:45 PM, error: Service Control Manager [7001] - The McAfee Firewall Core Service service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.
5/8/2011 9:32:45 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/8/2011 9:32:45 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/8/2011 9:32:45 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
5/8/2011 9:32:45 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/8/2011 9:32:45 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/8/2011 9:29:39 PM, error: Service Control Manager [7034] - The Google Update Service (gupdate) service terminated unexpectedly. It has done this 1 time(s).
5/8/2011 1:40:16 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
5/8/2011 1:32:55 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNaiAnn with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
5/8/2011 1:32:55 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
5/8/2011 1:32:55 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
5/8/2011 1:08:15 PM, error: System Error [1003] - Error code 00000096, parameter1 f78dad1c, parameter2 80562340, parameter3 80562340, parameter4 89adb91a.
5/5/2011 1:17:26 AM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
5/4/2011 9:41:56 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the HTTP SSL service to connect.
5/4/2011 9:41:56 AM, error: Service Control Manager [7000] - The HTTP SSL service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/4/2011 9:40:30 AM, error: Service Control Manager [7001] - The Intel® PROSet/Wireless SSO Service service depends on the Intel® PROSet/Wireless WiFi Service service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
5/4/2011 9:40:29 AM, error: Service Control Manager [7000] - The Intel® PROSet/Wireless WiFi Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/4/2011 9:40:28 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Intel® PROSet/Wireless WiFi Service service to connect.
5/4/2011 10:42:20 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Lbd
5/4/2011 10:42:20 PM, error: Service Control Manager [7022] - The Google Update Service (gupdate) service hung on starting.
5/4/2011 10:41:28 PM, error: DCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.
5/4/2011 10:41:05 PM, error: Service Control Manager [7023] - The Network Security service terminated with the following error: The specified module could not be found.
5/4/2011 10:41:05 PM, error: Service Control Manager [7023] - The Intel CPU service terminated with the following error: The specified module could not be found.
5/4/2011 1:00:42 PM, error: Dhcp [1002] - The IP address lease 192.168.1.2 for the Network Card with network address 0019D201C420 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
5/10/2011 10:29:56 PM, error: atapi [11] - The driver detected a controller error on \Device\Ide\IdePort0.
.
==== End Of File ===========================



***************GMER*****************************************


GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-11 20:42:48
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 Hitachi_HTS541680J9SA00 rev.SB2OC74P
Running: gmer.exe; Driver: C:\DOCUME~1\Gaurang\LOCALS~1\Temp\fgtyapog.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9E9F0E0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9E9F0F4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9E9F120]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9E9F176]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9E9F0CC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9E9F0A4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9E9F0B8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9E9F10A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB9E9F14C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9E9F136]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9E9F1A0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9E9F18C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9E9F160]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 8050225C 7 Bytes JMP B9E9F164 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805A75C4 7 Bytes JMP B9E9F17A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A83DA 5 Bytes JMP B9E9F190 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetSecurityObject 805B6114 5 Bytes JMP B9E9F150 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805C13F8 5 Bytes JMP B9E9F0A8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805C1684 5 Bytes JMP B9E9F0BC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8DA6 5 Bytes JMP B9E9F1A4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 8061925E 7 Bytes JMP B9E9F13A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 8061A70E 7 Bytes JMP B9E9F10E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 8061ACEC 5 Bytes JMP B9E9F0E4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8061B188 7 Bytes JMP B9E9F0F8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8061B358 7 Bytes JMP B9E9F124 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 8061C0CA 5 Bytes JMP B9E9F0D0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
? C:\DOCUME~1\Gaurang\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[152] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 001B0000
.text C:\WINDOWS\system32\svchost.exe[152] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 001B0FDB
.text C:\WINDOWS\system32\svchost.exe[152] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 001B0011
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DC000A
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DC0074
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DC0059
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DC0F7F
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DC0F9A
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DC0FBC
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DC0F49
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DC0091
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DC0EF8
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DC0F1D
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DC0EE7
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DC0FAB
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DC0FEF
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DC0F5A
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DC0FCD
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DC0FDE
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DC0F2E
.text C:\WINDOWS\system32\svchost.exe[152] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00DB0FD1
.text C:\WINDOWS\system32\svchost.exe[152] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00DB008E
.text C:\WINDOWS\system32\svchost.exe[152] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00DB0022
.text C:\WINDOWS\system32\svchost.exe[152] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00DB0011
.text C:\WINDOWS\system32\svchost.exe[152] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00DB0069
.text C:\WINDOWS\system32\svchost.exe[152] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00DB0000
.text C:\WINDOWS\system32\svchost.exe[152] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00DB0058
.text C:\WINDOWS\system32\svchost.exe[152] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00DB0047
.text C:\WINDOWS\system32\svchost.exe[152] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DA0F90
.text C:\WINDOWS\system32\svchost.exe[152] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DA0FAB
.text C:\WINDOWS\system32\svchost.exe[152] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DA001B
.text C:\WINDOWS\system32\svchost.exe[152] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DA0000
.text C:\WINDOWS\system32\svchost.exe[152] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DA0FC6
.text C:\WINDOWS\system32\svchost.exe[152] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DA0FD7
.text C:\WINDOWS\system32\svchost.exe[152] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00D80FEF
.text C:\WINDOWS\system32\svchost.exe[152] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00D80014
.text C:\WINDOWS\system32\svchost.exe[152] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00D80FDE
.text C:\WINDOWS\system32\svchost.exe[152] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 00D8002F
.text C:\WINDOWS\system32\svchost.exe[152] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D90000
.text C:\WINDOWS\system32\svchost.exe[652] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00D40000
.text C:\WINDOWS\system32\svchost.exe[652] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00D40036
.text C:\WINDOWS\system32\svchost.exe[652] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D4001B
.text C:\WINDOWS\system32\svchost.exe[652] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D90FEF
.text C:\WINDOWS\system32\svchost.exe[652] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D90076
.text C:\WINDOWS\system32\svchost.exe[652] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D90051
.text C:\WINDOWS\system32\svchost.exe[652] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D90F83
.text C:\WINDOWS\system32\svchost.exe[652] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D90036
.text C:\WINDOWS\system32\svchost.exe[652] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D90FAF
.text C:\WINDOWS\system32\svchost.exe[652] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D90F3F
.text C:\WINDOWS\system32\svchost.exe[652] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D90087
.text C:\WINDOWS\system32\svchost.exe[652] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D90EF8
.text C:\WINDOWS\system32\svchost.exe[652] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D90F09
.text C:\WINDOWS\system32\svchost.exe[652] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D900A2
.text C:\WINDOWS\system32\svchost.exe[652] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D90F94
.text C:\WINDOWS\system32\svchost.exe[652] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D90000
.text C:\WINDOWS\system32\svchost.exe[652] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D90F5C
.text C:\WINDOWS\system32\svchost.exe[652] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D90FC0
.text C:\WINDOWS\system32\svchost.exe[652] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D9001B
.text C:\WINDOWS\system32\svchost.exe[652] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D90F2E
.text C:\WINDOWS\system32\svchost.exe[652] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D8002C
.text C:\WINDOWS\system32\svchost.exe[652] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D80062
.text C:\WINDOWS\system32\svchost.exe[652] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D80011
.text C:\WINDOWS\system32\svchost.exe[652] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D80000
.text C:\WINDOWS\system32\svchost.exe[652] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D80FA5
.text C:\WINDOWS\system32\svchost.exe[652] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D80FE5
.text C:\WINDOWS\system32\svchost.exe[652] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D80047
.text C:\WINDOWS\system32\svchost.exe[652] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D80FB6
.text C:\WINDOWS\system32\svchost.exe[652] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D70FC0
.text C:\WINDOWS\system32\svchost.exe[652] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D7004B
.text C:\WINDOWS\system32\svchost.exe[652] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D70029
.text C:\WINDOWS\system32\svchost.exe[652] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D70000
.text C:\WINDOWS\system32\svchost.exe[652] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D7003A
.text C:\WINDOWS\system32\svchost.exe[652] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D70FEF
.text C:\WINDOWS\system32\svchost.exe[652] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00D50000
.text C:\WINDOWS\system32\svchost.exe[652] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00D50011
.text C:\WINDOWS\system32\svchost.exe[652] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00D5002C
.text C:\WINDOWS\system32\svchost.exe[652] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 00D50047
.text C:\WINDOWS\system32\svchost.exe[652] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D60FEF
.text C:\WINDOWS\system32\svchost.exe[732] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 001B0FE5
.text C:\WINDOWS\system32\svchost.exe[732] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 001B000A
.text C:\WINDOWS\system32\svchost.exe[732] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 001B0FD4
.text C:\WINDOWS\system32\svchost.exe[732] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\svchost.exe[732] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BF0F6D
.text C:\WINDOWS\system32\svchost.exe[732] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BF0F88
.text C:\WINDOWS\system32\svchost.exe[732] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BF0062
.text C:\WINDOWS\system32\svchost.exe[732] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BF0051
.text C:\WINDOWS\system32\svchost.exe[732] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BF0FB9
.text C:\WINDOWS\system32\svchost.exe[732] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BF00BF
.text C:\WINDOWS\system32\svchost.exe[732] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BF0098
.text C:\WINDOWS\system32\svchost.exe[732] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BF00DA
.text C:\WINDOWS\system32\svchost.exe[732] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BF0F37
.text C:\WINDOWS\system32\svchost.exe[732] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BF0F26
.text C:\WINDOWS\system32\svchost.exe[732] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BF0040
.text C:\WINDOWS\system32\svchost.exe[732] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BF0FDB
.text C:\WINDOWS\system32\svchost.exe[732] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BF0087
.text C:\WINDOWS\system32\svchost.exe[732] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BF0FCA
.text C:\WINDOWS\system32\svchost.exe[732] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BF001B
.text C:\WINDOWS\system32\svchost.exe[732] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BF0F5C
.text C:\WINDOWS\system32\svchost.exe[732] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\system32\svchost.exe[732] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BE0FAF
.text C:\WINDOWS\system32\svchost.exe[732] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BE0040
.text C:\WINDOWS\system32\svchost.exe[732] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BE001B
.text C:\WINDOWS\system32\svchost.exe[732] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BE0FCA
.text C:\WINDOWS\system32\svchost.exe[732] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BE000A
.text C:\WINDOWS\system32\svchost.exe[732] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BE006C
.text C:\WINDOWS\system32\svchost.exe[732] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BE0051
.text C:\WINDOWS\system32\svchost.exe[732] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BD0058
.text C:\WINDOWS\system32\svchost.exe[732] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BD0033
.text C:\WINDOWS\system32\svchost.exe[732] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BD0018
.text C:\WINDOWS\system32\svchost.exe[732] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\system32\svchost.exe[732] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BD0FC3
.text C:\WINDOWS\system32\svchost.exe[732] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BD0FDE
.text C:\WINDOWS\system32\svchost.exe[732] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 001D000A
.text C:\WINDOWS\system32\svchost.exe[732] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 001D001B
.text C:\WINDOWS\system32\svchost.exe[732] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 001D002C
.text C:\WINDOWS\system32\svchost.exe[732] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 001D0FD1
.text C:\WINDOWS\system32\svchost.exe[732] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BC0000
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[1204] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[1204] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\services.exe[1416] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01020FE5
.text C:\WINDOWS\system32\services.exe[1416] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0102000A
.text C:\WINDOWS\system32\services.exe[1416] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01020FD4
.text C:\WINDOWS\system32\services.exe[1416] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01070000
.text C:\WINDOWS\system32\services.exe[1416] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 010700A1
.text C:\WINDOWS\system32\services.exe[1416] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01070FAC
.text C:\WINDOWS\system32\services.exe[1416] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01070086
.text C:\WINDOWS\system32\services.exe[1416] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01070069
.text C:\WINDOWS\system32\services.exe[1416] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0107003D
.text C:\WINDOWS\system32\services.exe[1416] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 010700C8
.text C:\WINDOWS\system32\services.exe[1416] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01070F80
.text C:\WINDOWS\system32\services.exe[1416] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01070105
.text C:\WINDOWS\system32\services.exe[1416] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 010700EA
.text C:\WINDOWS\system32\services.exe[1416] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01070F51
.text C:\WINDOWS\system32\services.exe[1416] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0107004E
.text C:\WINDOWS\system32\services.exe[1416] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01070FE5
.text C:\WINDOWS\system32\services.exe[1416] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01070F91
.text C:\WINDOWS\system32\services.exe[1416] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0107002C
.text C:\WINDOWS\system32\services.exe[1416] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0107001B
.text C:\WINDOWS\system32\services.exe[1416] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 010700D9
.text C:\WINDOWS\system32\services.exe[1416] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01060FB2
.text C:\WINDOWS\system32\services.exe[1416] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01060054
.text C:\WINDOWS\system32\services.exe[1416] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01060FC3
.text C:\WINDOWS\system32\services.exe[1416] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01060FD4
.text C:\WINDOWS\system32\services.exe[1416] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01060039
.text C:\WINDOWS\system32\services.exe[1416] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01060FE5
.text C:\WINDOWS\system32\services.exe[1416] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01060F97
.text C:\WINDOWS\system32\services.exe[1416] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [26, 89]
.text C:\WINDOWS\system32\services.exe[1416] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0106001E
.text C:\WINDOWS\system32\services.exe[1416] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01050FA6
.text C:\WINDOWS\system32\services.exe[1416] msvcrt.dll!system 77C293C7 5 Bytes JMP 01050FC1
.text C:\WINDOWS\system32\services.exe[1416] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0105001D
.text C:\WINDOWS\system32\services.exe[1416] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01050000
.text C:\WINDOWS\system32\services.exe[1416] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01050FD2
.text C:\WINDOWS\system32\services.exe[1416] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01050FEF
.text C:\WINDOWS\system32\services.exe[1416] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01030000
.text C:\WINDOWS\system32\services.exe[1416] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 01030011
.text C:\WINDOWS\system32\services.exe[1416] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 0103002C
.text C:\WINDOWS\system32\services.exe[1416] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 01030FD1
.text C:\WINDOWS\system32\services.exe[1416] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01040FEF
.text C:\WINDOWS\system32\lsass.exe[1428] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00DA0000
.text C:\WINDOWS\system32\lsass.exe[1428] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00DA0FDB
.text C:\WINDOWS\system32\lsass.exe[1428] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DA0011
.text C:\WINDOWS\system32\lsass.exe[1428] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01030FEF
.text C:\WINDOWS\system32\lsass.exe[1428] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01030F6F
.text C:\WINDOWS\system32\lsass.exe[1428] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01030064
.text C:\WINDOWS\system32\lsass.exe[1428] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01030F8A
.text C:\WINDOWS\system32\lsass.exe[1428] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01030F9B
.text C:\WINDOWS\system32\lsass.exe[1428] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0103002C
.text C:\WINDOWS\system32\lsass.exe[1428] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 010300A6
.text C:\WINDOWS\system32\lsass.exe[1428] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0103008B
.text C:\WINDOWS\system32\lsass.exe[1428] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010300D5
.text C:\WINDOWS\system32\lsass.exe[1428] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01030F32
.text C:\WINDOWS\system32\lsass.exe[1428] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01030F17
.text C:\WINDOWS\system32\lsass.exe[1428] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01030047
.text C:\WINDOWS\system32\lsass.exe[1428] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01030000
.text C:\WINDOWS\system32\lsass.exe[1428] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01030F54
.text C:\WINDOWS\system32\lsass.exe[1428] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01030FC0
.text C:\WINDOWS\system32\lsass.exe[1428] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01030011
.text C:\WINDOWS\system32\lsass.exe[1428] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01030F43
.text C:\WINDOWS\system32\lsass.exe[1428] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01020FCA
.text C:\WINDOWS\system32\lsass.exe[1428] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01020F8A
.text C:\WINDOWS\system32\lsass.exe[1428] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0102001B
.text C:\WINDOWS\system32\lsass.exe[1428] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0102000A
.text C:\WINDOWS\system32\lsass.exe[1428] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0102003D
.text C:\WINDOWS\system32\lsass.exe[1428] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01020FEF
.text C:\WINDOWS\system32\lsass.exe[1428] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01020FA5
.text C:\WINDOWS\system32\lsass.exe[1428] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [22, 89]
.text C:\WINDOWS\system32\lsass.exe[1428] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0102002C
.text C:\WINDOWS\system32\lsass.exe[1428] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0101004B
.text C:\WINDOWS\system32\lsass.exe[1428] msvcrt.dll!system 77C293C7 5 Bytes JMP 0101003A
.text C:\WINDOWS\system32\lsass.exe[1428] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01010FDE
.text C:\WINDOWS\system32\lsass.exe[1428] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01010FEF
.text C:\WINDOWS\system32\lsass.exe[1428] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01010029
.text C:\WINDOWS\system32\lsass.exe[1428] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01010018
.text C:\WINDOWS\system32\lsass.exe[1428] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\lsass.exe[1428] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00FE0FE5
.text C:\WINDOWS\system32\lsass.exe[1428] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\lsass.exe[1428] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00FE0FCA
.text C:\WINDOWS\system32\lsass.exe[1428] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 00FE0FAF
.text C:\WINDOWS\system32\svchost.exe[1584] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00D20FE5
.text C:\WINDOWS\system32\svchost.exe[1584] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00D2000A
.text C:\WINDOWS\system32\svchost.exe[1584] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D20FD4
.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02610FE5
.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0261009D
.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02610082
.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02610071
.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02610FA8
.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02610040
.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02610F70
.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02610F8D
.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 026100D3
.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02610F3A
.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02610F1F
.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02610FB9
.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02610000
.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 026100AE
.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02610025
.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02610FCA
.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02610F4B
.text C:\WINDOWS\system32\svchost.exe[1584] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02600FBC
.text C:\WINDOWS\system32\svchost.exe[1584] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02600039
.text C:\WINDOWS\system32\svchost.exe[1584] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02600FCD
.text C:\WINDOWS\system32\svchost.exe[1584] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02600FDE
.text C:\WINDOWS\system32\svchost.exe[1584] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02600028
.text C:\WINDOWS\system32\svchost.exe[1584] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02600FEF
.text C:\WINDOWS\system32\svchost.exe[1584] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02600F86
.text C:\WINDOWS\system32\svchost.exe[1584] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [80, 8A]
.text C:\WINDOWS\system32\svchost.exe[1584] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02600FA1
.text C:\WINDOWS\system32\svchost.exe[1584] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 025F0FB7
.text C:\WINDOWS\system32\svchost.exe[1584] msvcrt.dll!system 77C293C7 5 Bytes JMP 025F0042
.text C:\WINDOWS\system32\svchost.exe[1584] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 025F001D
.text C:\WINDOWS\system32\svchost.exe[1584] msvcrt.dll!_open 77C2F566 5 Bytes JMP 025F0FE3
.text C:\WINDOWS\system32\svchost.exe[1584] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 025F0FC8
.text C:\WINDOWS\system32\svchost.exe[1584] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 025F000C
.text C:\WINDOWS\system32\svchost.exe[1584] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00D30FEF
.text C:\WINDOWS\system32\svchost.exe[1584] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00D30FDE
.text C:\WINDOWS\system32\svchost.exe[1584] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00D30014
.text C:\WINDOWS\system32\svchost.exe[1584] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 00D30025
.text C:\WINDOWS\system32\svchost.exe[1584] WS2_32.dll!socket 71AB4211 5 Bytes JMP 025E0000
.text C:\WINDOWS\system32\svchost.exe[1672] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00E60000
.text C:\WINDOWS\system32\svchost.exe[1672] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00E60FDB
.text C:\WINDOWS\system32\svchost.exe[1672] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E60011
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F70000
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F70F94
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F70089
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F7006E
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F70FAF
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F70FCA
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F700BF
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F700AE
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F70F5C
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F700F5
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F70106
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F70051
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F70025
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F70F83
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F70036
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F70FE5
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F700D0
.text C:\WINDOWS\system32\svchost.exe[1672] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F60036
.text C:\WINDOWS\system32\svchost.exe[1672] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F6007D
.text C:\WINDOWS\system32\svchost.exe[1672] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F60025
.text C:\WINDOWS\system32\svchost.exe[1672] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F60FEF
.text C:\WINDOWS\system32\svchost.exe[1672] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F6006C
.text C:\WINDOWS\system32\svchost.exe[1672] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F6000A
.text C:\WINDOWS\system32\svchost.exe[1672] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F6005B
.text C:\WINDOWS\system32\svchost.exe[1672] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F60FCA
.text C:\WINDOWS\system32\svchost.exe[1672] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E90F7A
.text C:\WINDOWS\system32\svchost.exe[1672] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E90F95
.text C:\WINDOWS\system32\svchost.exe[1672] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E90FC1
.text C:\WINDOWS\system32\svchost.exe[1672] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E90FE3
.text C:\WINDOWS\system32\svchost.exe[1672] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E90FA6
.text C:\WINDOWS\system32\svchost.exe[1672] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E90FD2
.text C:\WINDOWS\system32\svchost.exe[1672] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00E70000
.text C:\WINDOWS\system32\svchost.exe[1672] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00E70FE5
.text C:\WINDOWS\system32\svchost.exe[1672] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00E70FCA
.text C:\WINDOWS\system32\svchost.exe[1672] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 00E70FAF
.text C:\WINDOWS\system32\svchost.exe[1672] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E80000
.text C:\WINDOWS\System32\svchost.exe[1712] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 04020000
.text C:\WINDOWS\System32\svchost.exe[1712] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 04020FD4
.text C:\WINDOWS\System32\svchost.exe[1712] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 04020FEF
.text C:\WINDOWS\System32\svchost.exe[1712] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D7000A
.text C:\WINDOWS\System32\svchost.exe[1712] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D5000C
.text C:\WINDOWS\System32\svchost.exe[1712] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0411000A
.text C:\WINDOWS\System32\svchost.exe[1712] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 04110FB7
.text C:\WINDOWS\System32\svchost.exe[1712] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 041100A2
.text C:\WINDOWS\System32\svchost.exe[1712] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 04110091
.text C:\WINDOWS\System32\svchost.exe[1712] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 04110076
.text C:\WINDOWS\System32\svchost.exe[1712] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 04110FEF
.text C:\WINDOWS\System32\svchost.exe[1712] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 041100FD
.text C:\WINDOWS\System32\svchost.exe[1712] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 041100E2
.text C:\WINDOWS\System32\svchost.exe[1712] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 04110F6E
.text C:\WINDOWS\System32\svchost.exe[1712] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 04110F7F
.text C:\WINDOWS\System32\svchost.exe[1712] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 04110F49
.text C:\WINDOWS\System32\svchost.exe[1712] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 04110FD4
.text C:\WINDOWS\System32\svchost.exe[1712] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0411001B
.text C:\WINDOWS\System32\svchost.exe[1712] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 041100C7
.text C:\WINDOWS\System32\svchost.exe[1712] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0411005B
.text C:\WINDOWS\System32\svchost.exe[1712] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 04110036
.text C:\WINDOWS\System32\svchost.exe[1712] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 04110F90
.text C:\WINDOWS\System32\svchost.exe[1712] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 04100FDB
.text C:\WINDOWS\System32\svchost.exe[1712] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 04100F94
.text C:\WINDOWS\System32\svchost.exe[1712] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0410002C
.text C:\WINDOWS\System32\svchost.exe[1712] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0410001B
.text C:\WINDOWS\System32\svchost.exe[1712] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 04100FAF
.text C:\WINDOWS\System32\svchost.exe[1712] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0410000A
.text C:\WINDOWS\System32\svchost.exe[1712] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 04100051
.text C:\WINDOWS\System32\svchost.exe[1712] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 04100FC0
.text C:\WINDOWS\System32\svchost.exe[1712] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0379000A
.text C:\WINDOWS\System32\svchost.exe[1712] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00E7000A
.text C:\WINDOWS\System32\svchost.exe[1712] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 040F0F8D
.text C:\WINDOWS\System32\svchost.exe[1712] msvcrt.dll!system 77C293C7 5 Bytes JMP 040F0FA8
.text C:\WINDOWS\System32\svchost.exe[1712] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 040F0018
.text C:\WINDOWS\System32\svchost.exe[1712] msvcrt.dll!_open 77C2F566 5 Bytes JMP 040F0FEF
.text C:\WINDOWS\System32\svchost.exe[1712] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 040F0FB9
.text C:\WINDOWS\System32\svchost.exe[1712] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 040F0FDE
.text C:\WINDOWS\System32\svchost.exe[1712] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 04040FEF
.text C:\WINDOWS\System32\svchost.exe[1712] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 04040014
.text C:\WINDOWS\System32\svchost.exe[1712] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 04040025
.text C:\WINDOWS\System32\svchost.exe[1712] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 04040040
.text C:\WINDOWS\System32\svchost.exe[1712] WS2_32.dll!socket 71AB4211 5 Bytes JMP 040E0FE5
.text C:\WINDOWS\system32\svchost.exe[2028] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 001D0FEF
.text C:\WINDOWS\system32\svchost.exe[2028] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 001D0FD4
.text C:\WINDOWS\system32\svchost.exe[2028] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 001D000A
.text C:\WINDOWS\system32\svchost.exe[2028] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A70FEF
.text C:\WINDOWS\system32\svchost.exe[2028] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A70F72
.text C:\WINDOWS\system32\svchost.exe[2028] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A70F83
.text C:\WINDOWS\system32\svchost.exe[2028] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A70051
.text C:\WINDOWS\system32\svchost.exe[2028] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A70F94
.text C:\WINDOWS\system32\svchost.exe[2028] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A70FAF
.text C:\WINDOWS\system32\svchost.exe[2028] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A70089
.text C:\WINDOWS\system32\svchost.exe[2028] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A70F4D
.text C:\WINDOWS\system32\svchost.exe[2028] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A700AE
.text C:\WINDOWS\system32\svchost.exe[2028] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A70F1F
.text C:\WINDOWS\system32\svchost.exe[2028] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A700BF
.text C:\WINDOWS\system32\svchost.exe[2028] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A7002C
.text C:\WINDOWS\system32\svchost.exe[2028] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A70000
.text C:\WINDOWS\system32\svchost.exe[2028] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A70078
.text C:\WINDOWS\system32\svchost.exe[2028] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A70FC0
.text C:\WINDOWS\system32\svchost.exe[2028] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A70011
.text C:\WINDOWS\system32\svchost.exe[2028] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A70F30
.text C:\WINDOWS\system32\svchost.exe[2028] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A60FB2
.text C:\WINDOWS\system32\svchost.exe[2028] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A60043
.text C:\WINDOWS\system32\svchost.exe[2028] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A60FC3
.text C:\WINDOWS\system32\svchost.exe[2028] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A60FDE
.text C:\WINDOWS\system32\svchost.exe[2028] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A60028
.text C:\WINDOWS\system32\svchost.exe[2028] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A60FEF
.text C:\WINDOWS\system32\svchost.exe[2028] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A60F86
.text C:\WINDOWS\system32\svchost.exe[2028] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C6, 88]
.text C:\WINDOWS\system32\svchost.exe[2028] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A60F97
.text C:\WINDOWS\system32\svchost.exe[2028] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A5004C
.text C:\WINDOWS\system32\svchost.exe[2028] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A50027
.text C:\WINDOWS\system32\svchost.exe[2028] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A50FC1
.text C:\WINDOWS\system32\svchost.exe[2028] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A50FEF
.text C:\WINDOWS\system32\svchost.exe[2028] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A50016
.text C:\WINDOWS\system32\svchost.exe[2028] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A50FD2
.text C:\WINDOWS\system32\svchost.exe[2028] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00A30000
.text C:\WINDOWS\system32\svchost.exe[2028] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00A3001B
.text C:\WINDOWS\system32\svchost.exe[2028] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00A30FEF
.text C:\WINDOWS\system32\svchost.exe[2028] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 00A30040
.text C:\WINDOWS\system32\svchost.exe[2028] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A40000
.text C:\WINDOWS\System32\svchost.exe[3628] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00090FEF
.text C:\WINDOWS\System32\svchost.exe[3628] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00090FD4
.text C:\WINDOWS\System32\svchost.exe[3628] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00090000
.text C:\WINDOWS\System32\svchost.exe[3628] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00310FEF
.text C:\WINDOWS\System32\svchost.exe[3628] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00310F35
.text C:\WINDOWS\System32\svchost.exe[3628] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00310F50
.text C:\WINDOWS\System32\svchost.exe[3628] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00310F61
.text C:\WINDOWS\System32\svchost.exe[3628] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00310F7C
.text C:\WINDOWS\System32\svchost.exe[3628] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0031001E
.text C:\WINDOWS\System32\svchost.exe[3628] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00310F07
.text C:\WINDOWS\System32\svchost.exe[3628] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0031004F
.text C:\WINDOWS\System32\svchost.exe[3628] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 0031008C
.text C:\WINDOWS\System32\svchost.exe[3628] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00310071
.text C:\WINDOWS\System32\svchost.exe[3628] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 003100A7
.text C:\WINDOWS\System32\svchost.exe[3628] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00310F97
.text C:\WINDOWS\System32\svchost.exe[3628] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00310FD4
.text C:\WINDOWS\System32\svchost.exe[3628] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00310F24
.text C:\WINDOWS\System32\svchost.exe[3628] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00310FA8
.text C:\WINDOWS\System32\svchost.exe[3628] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00310FB9
.text C:\WINDOWS\System32\svchost.exe[3628] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00310060
.text C:\WINDOWS\System32\svchost.exe[3628] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00400FB9
.text C:\WINDOWS\System32\svchost.exe[3628] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0040004A
.text C:\WINDOWS\System32\svchost.exe[3628] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00400FD4
.text C:\WINDOWS\System32\svchost.exe[3628] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0040000A
.text C:\WINDOWS\System32\svchost.exe[3628] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0040002F
.text C:\WINDOWS\System32\svchost.exe[3628] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00400FEF
.text C:\WINDOWS\System32\svchost.exe[3628] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00400F8D
.text C:\WINDOWS\System32\svchost.exe[3628] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [60, 88]
.text C:\WINDOWS\System32\svchost.exe[3628] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00400FA8
.text C:\WINDOWS\System32\svchost.exe[3628] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00550FA8
.text C:\WINDOWS\System32\svchost.exe[3628] msvcrt.dll!system 77C293C7 5 Bytes JMP 00550033
.text C:\WINDOWS\System32\svchost.exe[3628] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00550FCD
.text C:\WINDOWS\System32\svchost.exe[3628] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00550FEF
.text C:\WINDOWS\System32\svchost.exe[3628] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00550018
.text C:\WINDOWS\System32\svchost.exe[3628] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00550FDE
.text C:\WINDOWS\System32\svchost.exe[3628] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 002B0FE5
.text C:\WINDOWS\System32\svchost.exe[3628] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 002B0FD4
.text C:\WINDOWS\System32\svchost.exe[3628] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 002B0FC3
.text C:\WINDOWS\System32\svchost.exe[3628] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 002B0014
.text C:\WINDOWS\System32\svchost.exe[3628] WS2_32.dll!socket 71AB4211 5 Bytes JMP 002C000A
.text C:\WINDOWS\Explorer.EXE[4028] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 02200FEF
.text C:\WINDOWS\Explorer.EXE[4028] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 02200FCD
.text C:\WINDOWS\Explorer.EXE[4028] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 02200FDE
.text C:\WINDOWS\Explorer.EXE[4028] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0021000A
.text C:\WINDOWS\Explorer.EXE[4028] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 001F000C
.text C:\WINDOWS\Explorer.EXE[4028] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0235000A
.text C:\WINDOWS\Explorer.EXE[4028] kernel32.dll!VirtualProtectEx 7C801A61 1 Byte [E9]
.text C:\WINDOWS\Explorer.EXE[4028] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02350065
.text C:\WINDOWS\Explorer.EXE[4028] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02350F70
.text C:\WINDOWS\Explorer.EXE[4028] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02350F8D
.text C:\WINDOWS\Explorer.EXE[4028] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02350F9E
.text C:\WINDOWS\Explorer.EXE[4028] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02350036
.text C:\WINDOWS\Explorer.EXE[4028] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02350F2E
.text C:\WINDOWS\Explorer.EXE[4028] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02350F3F
.text C:\WINDOWS\Explorer.EXE[4028] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 023500A5
.text C:\WINDOWS\Explorer.EXE[4028] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02350F0C
.text C:\WINDOWS\Explorer.EXE[4028] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02350EE7
.text C:\WINDOWS\Explorer.EXE[4028] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02350FAF
.text C:\WINDOWS\Explorer.EXE[4028] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02350FEF
.text C:\WINDOWS\Explorer.EXE[4028] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02350076
.text C:\WINDOWS\Explorer.EXE[4028] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02350FD4
.text C:\WINDOWS\Explorer.EXE[4028] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02350025
.text C:\WINDOWS\Explorer.EXE[4028] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02350F1D
.text C:\WINDOWS\Explorer.EXE[4028] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02340FB9
.text C:\WINDOWS\Explorer.EXE[4028] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02340025
.text C:\WINDOWS\Explorer.EXE[4028] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02340FD4
.text C:\WINDOWS\Explorer.EXE[4028] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02340FE5
.text C:\WINDOWS\Explorer.EXE[4028] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02340F68
.text C:\WINDOWS\Explorer.EXE[4028] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02340000
.text C:\WINDOWS\Explorer.EXE[4028] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02340F83
.text C:\WINDOWS\Explorer.EXE[4028] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [54, 8A]
.text C:\WINDOWS\Explorer.EXE[4028] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02340F9E
.text C:\WINDOWS\Explorer.EXE[4028] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02330033
.text C:\WINDOWS\Explorer.EXE[4028] msvcrt.dll!system 77C293C7 5 Bytes JMP 02330022
.text C:\WINDOWS\Explorer.EXE[4028] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02330FCD
.text C:\WINDOWS\Explorer.EXE[4028] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02330FEF
.text C:\WINDOWS\Explorer.EXE[4028] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02330FB2
.text C:\WINDOWS\Explorer.EXE[4028] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02330FDE
.text C:\WINDOWS\Explorer.EXE[4028] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02310000
.text C:\WINDOWS\Explorer.EXE[4028] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 02310FE5
.text C:\WINDOWS\Explorer.EXE[4028] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 02310FCA
.text C:\WINDOWS\Explorer.EXE[4028] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 02310FB9
.text C:\WINDOWS\Explorer.EXE[4028] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02320000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A83857B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 8A83857B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A83857B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 8A83857B

AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----
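Reading a hook list this long by eye is error-prone, so here is an added triage helper for GMER 1.0.15 text output. It is example code written for this thread, not GMER's own code and not something the helpers here asked for; the input it parses is a short excerpt copied from the log above, and a real run would read the full saved log instead. It groups the user-mode inline hooks by process, records which 64 KiB regions the JMP trampolines land in (one injected code blob usually produces a small cluster of regions), and flags the disk-sector findings separately. The separation matters: legitimate security products install user-mode hooks too (the Devices section above shows McAfee's own mfehidk.sys and mfetdi2k.sys attached to the file system and TCP/IP stack), so a hook count alone is not a verdict, whereas the `TDL4@MBR code has been found` line is the definitive finding.

```python
"""Triage helper for GMER 1.0.15 text logs (added example, not GMER code)."""
import re
from collections import defaultdict

# Excerpt copied verbatim from the GMER log posted above; a real run would
# load the complete saved log file instead of this inline sample.
GMER_EXCERPT = r"""
.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02610F3A
.text C:\WINDOWS\system32\svchost.exe[1584] WS2_32.dll!socket 71AB4211 5 Bytes JMP 025E0000
.text C:\WINDOWS\Explorer.EXE[4028] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 02200FEF
.text C:\WINDOWS\Explorer.EXE[4028] kernel32.dll!VirtualProtectEx 7C801A61 1 Byte [E9]
.text C:\WINDOWS\Explorer.EXE[4028] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [54, 8A]

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----
"""

# ".text <image>[<pid>] <module>!<func>[ + off] <addr> <n> Byte(s) <patch>"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+(?:\s\+\s\d+)?)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes?\s+(?P<patch>.+)$"
)
# "Disk <device> <finding text>"
DISK_RE = re.compile(r"^Disk\s+(?P<device>\S+)\s+(?P<finding>.+)$")


def parse_gmer(text):
    """Return {'hooks': [...], 'disk': [...]} from GMER's plain-text report."""
    hooks, disk = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = HOOK_RE.match(line)
        if m:
            d = m.groupdict()
            d["pid"] = int(d["pid"])
            d["size"] = int(d["size"])
            # A 5-byte "JMP <hex>" patch is a trampoline; raw byte lists such as
            # "[E9]" or "[54, 8A]" are partial overwrites with no target to record.
            jm = re.match(r"JMP\s+([0-9A-Fa-f]+)$", d["patch"])
            d["target"] = int(jm.group(1), 16) if jm else None
            hooks.append(d)
            continue
        m = DISK_RE.match(line)
        if m:
            disk.append(m.groupdict())
    return {"hooks": hooks, "disk": disk}


def summarize(parsed):
    """Per-process hook counts and trampoline regions, plus the MBR verdict."""
    per_proc = defaultdict(lambda: {"hooks": 0, "targets": set(), "funcs": []})
    for h in parsed["hooks"]:
        key = (h["image"].rsplit("\\", 1)[-1], h["pid"])  # (basename, pid)
        entry = per_proc[key]
        entry["hooks"] += 1
        entry["funcs"].append(f'{h["module"]}!{h["func"]}')
        if h["target"] is not None:
            # High 16 bits = the 64 KiB region the trampoline lands in.
            entry["targets"].add(h["target"] >> 16)
    mbr_rootkit = any(
        "ROOTKIT" in d["finding"] or "rootkit-like" in d["finding"]
        for d in parsed["disk"]
    )
    return {"processes": dict(per_proc), "mbr_rootkit": mbr_rootkit}


if __name__ == "__main__":
    report = summarize(parse_gmer(GMER_EXCERPT))
    for (name, pid), info in sorted(report["processes"].items()):
        regions = ", ".join(f"{r:04X}xxxx" for r in sorted(info["targets"]))
        print(f"{name}[{pid}]: {info['hooks']} hooks, JMP regions: {regions or 'none'}")
    print("MBR rootkit finding:", "YES" if report["mbr_rootkit"] else "no")
```

The per-process region list is what to compare against the process's loaded-module ranges (which GMER's text output does not include): trampolines that land inside a signed, mapped DLL are what an AV or firewall product looks like, while trampolines into anonymous memory in every process on the box are what justifies the rootkit workflow the next reply starts with.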



#2 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:58 AM

Posted 12 May 2011 - 02:57 AM

:welcome: to the Malware removal section of the forum

Your computer has caught a Rootkit infection.
We'll begin with this.

Step 1.
TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Step 2.
ComboFix:

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Step 3.
Things I would like to see in your reply:

  • The content of the log from TDSSKiller in step 1.
  • The content of C:\ComboFix.txt from step 2.
  • Information on how your computer is running after those steps.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click Posted Image


#3 Prof.Parry

Prof.Parry
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:58 AM

Posted 12 May 2011 - 01:19 PM

Hi Heir,

I have completed the steps requested and I am attaching the logs here. The system has been running faster and without any redirects so far. Thank you for your assistance. Let me know what my next steps should be.



**************TDS KILLER***************************
2011/05/12 12:24:36.0921 3268 TDSS rootkit removing tool 2.5.0.0 May 1 2011 14:20:16
2011/05/12 12:24:38.0015 3268 ================================================================================
2011/05/12 12:24:38.0015 3268 SystemInfo:
2011/05/12 12:24:38.0015 3268
2011/05/12 12:24:38.0015 3268 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/12 12:24:38.0015 3268 Product type: Workstation
2011/05/12 12:24:38.0015 3268 ComputerName: EINSTEIN
2011/05/12 12:24:38.0015 3268 UserName: Gaurang
2011/05/12 12:24:38.0015 3268 Windows directory: C:\WINDOWS
2011/05/12 12:24:38.0015 3268 System windows directory: C:\WINDOWS
2011/05/12 12:24:38.0015 3268 Processor architecture: Intel x86
2011/05/12 12:24:38.0015 3268 Number of processors: 1
2011/05/12 12:24:38.0015 3268 Page size: 0x1000
2011/05/12 12:24:38.0015 3268 Boot type: Normal boot
2011/05/12 12:24:38.0015 3268 ================================================================================
2011/05/12 12:24:38.0468 3268 Initialize success
2011/05/12 12:24:40.0890 3620 ================================================================================
2011/05/12 12:24:40.0890 3620 Scan started
2011/05/12 12:24:40.0890 3620 Mode: Manual;
2011/05/12 12:24:40.0890 3620 ================================================================================
2011/05/12 12:24:42.0453 3620 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/05/12 12:24:42.0515 3620 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/05/12 12:24:42.0625 3620 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/05/12 12:24:42.0750 3620 Afc (fe3ea6e9afc1a78e6edca121e006afb7) C:\WINDOWS\system32\drivers\Afc.sys
2011/05/12 12:24:42.0812 3620 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/05/12 12:24:43.0078 3620 ApfiltrService (090880e9bf20f928bc341f96d27c019e) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
2011/05/12 12:24:43.0265 3620 APPDRV (ec94e05b76d033b74394e7b2175103cf) C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS
2011/05/12 12:24:43.0687 3620 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/05/12 12:24:44.0062 3620 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/05/12 12:24:44.0187 3620 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/05/12 12:24:44.0281 3620 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/05/12 12:24:44.0328 3620 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/05/12 12:24:44.0406 3620 bcm4sbxp (6489310d11971f6ba6c7f49be0baf6e0) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
2011/05/12 12:24:44.0531 3620 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/05/12 12:24:44.0593 3620 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/05/12 12:24:44.0656 3620 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/05/12 12:24:44.0734 3620 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/05/12 12:24:44.0875 3620 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/05/12 12:24:44.0906 3620 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/05/12 12:24:44.0984 3620 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
2011/05/12 12:24:45.0078 3620 cfwids (7e6f7da1c4de5680820f964562548949) C:\WINDOWS\system32\drivers\cfwids.sys
2011/05/12 12:24:45.0265 3620 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/05/12 12:24:45.0343 3620 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/05/12 12:24:45.0515 3620 CrystalSysInfo (f054744f67576a01139885173392502b) C:\Program Files\MediaCoder\SysInfo.sys
2011/05/12 12:24:45.0703 3620 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/05/12 12:24:45.0781 3620 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/05/12 12:24:45.0937 3620 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/05/12 12:24:45.0984 3620 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/05/12 12:24:46.0046 3620 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/05/12 12:24:46.0140 3620 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/05/12 12:24:46.0343 3620 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/05/12 12:24:46.0390 3620 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/05/12 12:24:46.0437 3620 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/05/12 12:24:46.0468 3620 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/05/12 12:24:46.0515 3620 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/05/12 12:24:46.0593 3620 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/05/12 12:24:46.0640 3620 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/05/12 12:24:46.0750 3620 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2011/05/12 12:24:46.0812 3620 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/05/12 12:24:46.0921 3620 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/05/12 12:24:47.0125 3620 HSF_DPV (e8ec1767ea315a39a0dd8989952ca0e9) C:\WINDOWS\system32\DRIVERS\HSX_DPV.sys
2011/05/12 12:24:47.0281 3620 HSXHWAZL (61478fa42ee04562e7f11f4dca87e9c8) C:\WINDOWS\system32\DRIVERS\HSXHWAZL.sys
2011/05/12 12:24:47.0359 3620 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/05/12 12:24:47.0500 3620 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/05/12 12:24:47.0843 3620 ialm (e8c7cc369c2fb657e0792af70df529e6) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2011/05/12 12:24:48.0187 3620 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/05/12 12:24:48.0328 3620 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/05/12 12:24:48.0390 3620 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/05/12 12:24:48.0453 3620 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/05/12 12:24:48.0562 3620 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/05/12 12:24:48.0625 3620 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/05/12 12:24:48.0671 3620 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/05/12 12:24:48.0718 3620 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/05/12 12:24:48.0781 3620 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/05/12 12:24:48.0953 3620 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/05/12 12:24:49.0015 3620 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/05/12 12:24:49.0078 3620 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/05/12 12:24:49.0328 3620 LVcKap (fb548ff809634bfa866312b37d8a18ae) C:\WINDOWS\system32\DRIVERS\LVcKap.sys
2011/05/12 12:24:49.0578 3620 LVMVDrv (fe3fb994f8702d9e37648927819b74b8) C:\WINDOWS\system32\DRIVERS\LVMVDrv.sys
2011/05/12 12:24:49.0750 3620 LVPr2Mon (c7ea51f1ab10b0b2b443f4d5589fc1a5) C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys
2011/05/12 12:24:49.0859 3620 LVUSBSta (caef4c05ba2c1acad4ebcaa4261cd55d) C:\WINDOWS\system32\drivers\LVUSBSta.sys
2011/05/12 12:24:49.0953 3620 MBAMSwissArmy (d68e165c3123aba3b1282eddb4213bd8) C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2011/05/12 12:24:50.0187 3620 mdmxsdk (e246a32c445056996074a397da56e815) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/05/12 12:24:50.0265 3620 mfeapfk (84d59a3eddfb9438fb94f7f80d37859d) C:\WINDOWS\system32\drivers\mfeapfk.sys
2011/05/12 12:24:50.0468 3620 mfeavfk (67e961988312b1a28d6f93357b0bf998) C:\WINDOWS\system32\drivers\mfeavfk.sys
2011/05/12 12:24:50.0546 3620 mfebopk (19161b1796cf74a6a326abde309062ba) C:\WINDOWS\system32\drivers\mfebopk.sys
2011/05/12 12:24:50.0671 3620 mfefirek (d5f89b4934960c70882924d992c6abfc) C:\WINDOWS\system32\drivers\mfefirek.sys
2011/05/12 12:24:50.0796 3620 mfehidk (0efab2b91b27543fe589de700de07136) C:\WINDOWS\system32\drivers\mfehidk.sys
2011/05/12 12:24:50.0906 3620 mfendisk (549dd4966bf0b1d1fc205ca0755a745b) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
2011/05/12 12:24:50.0937 3620 mfendiskmp (549dd4966bf0b1d1fc205ca0755a745b) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
2011/05/12 12:24:51.0062 3620 mferkdet (c9eda1eada2ab6e34cd1a10c3a24ab25) C:\WINDOWS\system32\drivers\mferkdet.sys
2011/05/12 12:24:51.0125 3620 mfetdi2k (e6c5f7aade5a31c057d73201acfe8adf) C:\WINDOWS\system32\drivers\mfetdi2k.sys
2011/05/12 12:24:51.0218 3620 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/05/12 12:24:51.0328 3620 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/05/12 12:24:51.0453 3620 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/05/12 12:24:51.0531 3620 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/05/12 12:24:51.0625 3620 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/05/12 12:24:51.0703 3620 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/05/12 12:24:51.0875 3620 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/05/12 12:24:51.0921 3620 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/05/12 12:24:51.0968 3620 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/05/12 12:24:52.0015 3620 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/05/12 12:24:52.0062 3620 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/05/12 12:24:52.0187 3620 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/05/12 12:24:52.0234 3620 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/05/12 12:24:52.0265 3620 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/05/12 12:24:52.0328 3620 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/05/12 12:24:52.0375 3620 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/05/12 12:24:52.0500 3620 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/05/12 12:24:52.0562 3620 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/05/12 12:24:52.0593 3620 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/05/12 12:24:52.0656 3620 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/05/12 12:24:52.0812 3620 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/05/12 12:24:52.0875 3620 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/05/12 12:24:53.0125 3620 NETw5x32 (91f027c242d3ff6e5c09f92a0518297f) C:\WINDOWS\system32\DRIVERS\NETw5x32.sys
2011/05/12 12:24:53.0421 3620 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/05/12 12:24:53.0484 3620 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/05/12 12:24:53.0546 3620 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/05/12 12:24:53.0718 3620 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/05/12 12:24:53.0765 3620 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/05/12 12:24:53.0796 3620 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/05/12 12:24:53.0859 3620 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/05/12 12:24:53.0984 3620 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/05/12 12:24:54.0031 3620 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/05/12 12:24:54.0093 3620 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/05/12 12:24:54.0140 3620 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/05/12 12:24:54.0234 3620 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/05/12 12:24:54.0296 3620 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2011/05/12 12:24:54.0703 3620 PID_PEPI (3f96dcd4ac98c8e0d3c03c24fd49a2fe) C:\WINDOWS\system32\DRIVERS\LV302V32.SYS
2011/05/12 12:24:54.0875 3620 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/05/12 12:24:54.0921 3620 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/05/12 12:24:54.0984 3620 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/05/12 12:24:55.0125 3620 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/05/12 12:24:55.0343 3620 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/05/12 12:24:55.0421 3620 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/05/12 12:24:55.0468 3620 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/05/12 12:24:55.0500 3620 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/05/12 12:24:55.0640 3620 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/05/12 12:24:55.0703 3620 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/05/12 12:24:55.0765 3620 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/05/12 12:24:55.0843 3620 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/05/12 12:24:55.0984 3620 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/05/12 12:24:56.0125 3620 s125bus (06847aa6f3a9bf7c44134d00a2e578c0) C:\WINDOWS\system32\DRIVERS\s125bus.sys
2011/05/12 12:24:56.0171 3620 s125mdfl (f83f88e1b125308fb5015ea0349502b0) C:\WINDOWS\system32\DRIVERS\s125mdfl.sys
2011/05/12 12:24:56.0296 3620 s125mdm (402a97756c14940ad6ae5169c2fb105e) C:\WINDOWS\system32\DRIVERS\s125mdm.sys
2011/05/12 12:24:56.0328 3620 s125mgmt (82b14c51de76825ec769a6374e4c57d6) C:\WINDOWS\system32\DRIVERS\s125mgmt.sys
2011/05/12 12:24:56.0375 3620 s125obex (bedfc5707c356fd073bf1a4afe442d91) C:\WINDOWS\system32\DRIVERS\s125obex.sys
2011/05/12 12:24:56.0453 3620 s24trans (96b4494d4734970f47c566e098c4f527) C:\WINDOWS\system32\DRIVERS\s24trans.sys
2011/05/12 12:24:56.0546 3620 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/05/12 12:24:56.0625 3620 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2011/05/12 12:24:56.0765 3620 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/05/12 12:24:56.0828 3620 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/05/12 12:24:56.0906 3620 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/05/12 12:24:56.0984 3620 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/05/12 12:24:57.0078 3620 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/05/12 12:24:57.0265 3620 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/05/12 12:24:57.0312 3620 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/05/12 12:24:57.0406 3620 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/05/12 12:24:57.0578 3620 STHDA (951801dfb54d86f611f0af47825476f9) C:\WINDOWS\system32\drivers\sthda.sys
2011/05/12 12:24:57.0734 3620 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/05/12 12:24:57.0781 3620 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/05/12 12:24:57.0828 3620 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/05/12 12:24:58.0093 3620 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/05/12 12:24:58.0203 3620 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/05/12 12:24:58.0328 3620 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/05/12 12:24:58.0375 3620 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/05/12 12:24:58.0421 3620 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/05/12 12:24:58.0546 3620 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/05/12 12:24:58.0625 3620 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/05/12 12:24:58.0796 3620 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/05/12 12:24:58.0875 3620 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/05/12 12:24:58.0937 3620 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/05/12 12:24:59.0062 3620 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/05/12 12:24:59.0234 3620 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/05/12 12:24:59.0281 3620 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/05/12 12:24:59.0484 3620 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/05/12 12:24:59.0578 3620 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/05/12 12:24:59.0671 3620 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/05/12 12:24:59.0812 3620 w39n51 (b1f126e7e28877106d60e6ff3998d033) C:\WINDOWS\system32\DRIVERS\w39n51.sys
2011/05/12 12:25:00.0062 3620 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/05/12 12:25:00.0218 3620 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/05/12 12:25:00.0328 3620 winachsf (ba6b6fb242a6ba4068c8b763063beb63) C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys
2011/05/12 12:25:00.0593 3620 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/05/12 12:25:00.0750 3620 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/05/12 12:25:00.0812 3620 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/05/12 12:25:00.0875 3620 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/05/12 12:25:00.0968 3620 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/05/12 12:25:00.0968 3620 ================================================================================
2011/05/12 12:25:00.0968 3620 Scan finished
2011/05/12 12:25:00.0968 3620 ================================================================================
2011/05/12 12:25:01.0000 3180 Detected object count: 1
2011/05/12 12:25:24.0328 3180 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/05/12 12:25:24.0328 3180 \HardDisk0 - ok
2011/05/12 12:25:24.0328 3180 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/05/12 12:25:32.0531 2928 Deinitialize success

*************END TDSSKILLER*************************************************************

*************START COMBOFIX***********************************************************
ComboFix 11-05-11.04 - Gaurang 05/12/2011 12:54:07.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1604 [GMT -5:00]
Running from: c:\documents and settings\Gaurang\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Gaurang\Application Data\Adobe\plugs
c:\documents and settings\Gaurang\Application Data\Adobe\shed
c:\documents and settings\Gaurang\Application Data\Local
c:\documents and settings\Gaurang\Application Data\Local\Temp\DDM\Settings\(2).ddr
c:\documents and settings\Gaurang\Application Data\Local\Temp\DDM\Settings\.ddr
c:\documents and settings\Gaurang\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\(2)
c:\documents and settings\Gaurang\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\(3)
c:\documents and settings\Gaurang\Application Data\Sun\mxd1.txt
c:\documents and settings\Gaurang\Local Settings\Application Data\{5F69E67D-616A-445E-AFB1-98884C57BC8F}
c:\documents and settings\Gaurang\Local Settings\Application Data\{5F69E67D-616A-445E-AFB1-98884C57BC8F}\chrome.manifest
c:\documents and settings\Gaurang\Local Settings\Application Data\{5F69E67D-616A-445E-AFB1-98884C57BC8F}\chrome\content\overlay.xul
c:\documents and settings\Gaurang\Local Settings\Application Data\{5F69E67D-616A-445E-AFB1-98884C57BC8F}\install.rdf
c:\documents and settings\Gaurang\Local Settings\Application Data\{F32BF6CF-F84B-4A23-A469-74E074547C0D}
c:\documents and settings\Gaurang\Local Settings\Application Data\{F32BF6CF-F84B-4A23-A469-74E074547C0D}\chrome.manifest
c:\documents and settings\Gaurang\Local Settings\Application Data\{F32BF6CF-F84B-4A23-A469-74E074547C0D}\chrome\content\_cfg.js
c:\documents and settings\Gaurang\Local Settings\Application Data\{F32BF6CF-F84B-4A23-A469-74E074547C0D}\chrome\content\overlay.xul
c:\documents and settings\Gaurang\Local Settings\Application Data\{F32BF6CF-F84B-4A23-A469-74E074547C0D}\install.rdf
c:\documents and settings\Gaurang\Local Settings\Application Data\uwe.exe
c:\documents and settings\Gaurang\WINDOWS
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Legacy_CDFSS
-------\Legacy_ITLPERF
-------\Service_6to4
-------\Service_itlperf
.
.
((((((((((((((((((((((((( Files Created from 2011-04-12 to 2011-05-12 )))))))))))))))))))))))))))))))
.
.
2011-05-09 02:19 . 2011-05-09 02:19 -------- d-----w- c:\documents and settings\Gaurang\Application Data\SUPERAntiSpyware.com
2011-05-09 02:19 . 2011-05-09 02:19 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-05-09 02:18 . 2011-05-09 02:19 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-05-05 05:24 . 2011-05-05 05:24 -------- d-----w- c:\documents and settings\Gaurang\DoctorWeb
2011-05-04 15:47 . 2011-05-04 15:47 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2011-05-04 15:47 . 2011-05-04 15:47 -------- d-----w- c:\documents and settings\Default User\Application Data\Apple Computer
2011-05-04 15:44 . 2011-05-04 15:47 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Apple Computer
2011-04-30 03:39 . 2011-04-30 03:44 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2011-04-25 19:46 . 2011-04-25 19:46 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2011-04-24 21:16 . 2011-05-03 04:38 -------- d-----w- c:\documents and settings\Gaurang\Application Data\vlc
2011-04-14 08:39 . 2011-04-14 08:39 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-10 02:38 . 2009-04-19 00:43 90112 ----a-w- c:\windows\DUMP4a38.tmp
2011-05-05 03:57 . 2010-02-28 07:56 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-03-26 20:39 . 2011-03-26 20:39 536 ----a-w- c:\windows\system32\wbrifkpc.rif
2010-10-14 03:28 . 2010-04-21 02:28 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF6C3CF0-4B15-11D1-ABED-709549C10000}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"DivX Download Manager"="c:\program files\DivX\DivX Plus Web Player\DDmService.exe" [2010-12-08 63360]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-10-08 47904]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-31 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2009-11-03 1202448]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2009-11-03 1372160]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\DAP\\DAP.exe"=
"c:\\Documents and Settings\\Gaurang\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Gaurang\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/20/2010 9:28 PM 84072]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [4/19/2009 4:02 PM 88176]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/20/2010 9:27 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/20/2010 9:27 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/20/2010 9:28 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [4/20/2010 9:28 PM 141792]
R2 Viewpoint Service;Viewpoint Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/19/2010 11:57 PM 30152]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/20/2010 9:28 PM 55840]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/20/2010 9:28 PM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/20/2010 9:28 PM 88544]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/29/2010 10:29 PM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/29/2010 10:29 PM 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [1/26/2011 11:58 PM 38224]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/20/2010 9:28 PM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/20/2010 9:28 PM 84264]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [3/25/2010 10:25 AM 30969208]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WUAUSERV
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
itlsvc REG_MULTI_SZ itlperf
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2011-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-30 03:29]
.
2011-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-30 03:29]
.
2011-05-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-73586283-1500820517-1801674531-1004Core.job
- c:\documents and settings\Gaurang\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-25 06:41]
.
2011-05-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-73586283-1500820517-1801674531-1004UA.job
- c:\documents and settings\Gaurang\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-25 06:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://in.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://in.search.yahoo.com
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
Name-Space Handler: FTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: HTTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
FF - ProfilePath - c:\documents and settings\Gaurang\Application Data\Mozilla\Firefox\Profiles\yo1cv3hz.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: DivX Plus Web Player HTML5 &lt;video&gt;: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\DivX\DivX Plus Web Player\firefox\wpa
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
FF - Ext: Download Accelerator Plus (DAP) extension: {F17C1572-C9EC-4e5c-A542-D05CBB5C5A08} - c:\program files\DAP\DAPFireFox
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe
HKU-Default-Run-SvrWsc - (no file)
Notify-itlntfy - itlnfw32.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-12 13:05
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1376)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\netprovcredman.dll
.
- - - - - - - > 'explorer.exe'(4692)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~2\Office14\1033\GrooveIntlResource.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\netprovcredman.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Intel\WiFi\bin\WLKeeper.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\Apoint\Apntex.exe
c:\program files\Apoint\HidFind.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-05-12 13:11:58 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-12 18:11
.
Pre-Run: 3,643,990,016 bytes free
Post-Run: 3,851,210,752 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptOut
.
- - End Of File - - 0888C585A802ED3B42B764DCB4F37681

**********************************END COMBOFIX***********************************************
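
The ComboFix log above records several settings that quietly weaken the machine's defences: both Security Center override values set to 1, Security Center monitoring of the McAfee products disabled, the Windows Firewall standard profile turned off with notifications suppressed, 3389/TCP listed as a globally open port, and a non-default svchost group (itlsvc) hosting itlperf. The Python script below is an added example, not part of the thread and not ComboFix's own code: it parses such a 'Reg Loading Points' fragment, flags each of those settings, and emits the Registry:: CFScript that resets the two override values to 0. The function names are mine, and SAMPLE_LOG is a constructed input built from the lines quoted in the log.

```python
"""Audit the 'Reg Loading Points' section of a ComboFix log for settings that weaken
defences and emit the CFScript that undoes the Security Center overrides.
Added example, not ComboFix code; SAMPLE_LOG is constructed from the posted log."""
import re

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
itlsvc REG_MULTI_SZ itlperf
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                        # [HKLM\...]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')           # "Name"=value
DWORD_RE = re.compile(r"^dword:([0-9a-fA-F]{8})$")         # dword:00000001
DECHEX_RE = re.compile(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$")    # 0 (0x0)
MULTISZ_RE = re.compile(r"^(\S+)\s+REG_MULTI_SZ\s+(.*)$")  # svchost group line

# (key suffix, or infix when it ends with '\'; value name; bad value; reason)
RULES = [
    ("\\security center", "AntiVirusOverride", 1, "Security Center ignores antivirus state"),
    ("\\security center", "FirewallOverride", 1, "Security Center ignores firewall state"),
    ("\\security center\\monitoring\\", "DisableMonitoring", 1, "product monitoring disabled"),
    ("\\firewallpolicy\\standardprofile", "EnableFirewall", 0, "Windows Firewall off (standard profile)"),
    ("\\firewallpolicy\\standardprofile", "DisableNotifications", 1, "firewall notifications suppressed"),
]


def _coerce(value):
    """dword:XXXXXXXX and 'N (0xN)' become ints; anything else stays a string."""
    m = DWORD_RE.match(value)
    if m:
        return int(m.group(1), 16)
    m = DECHEX_RE.match(value)
    return int(m.group(1)) if m else value


def parse_reg_points(text):
    """Return {key: {name: value}} for a ComboFix 'Reg Loading Points' fragment."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # ComboFix separates blocks with '.'
            continue
        if m := KEY_RE.match(line):
            current = m.group(1)
            keys.setdefault(current, {})
        elif current is None:                # value line before any key: ignore
            continue
        elif m := VALUE_RE.match(line):
            keys[current][m.group(1)] = _coerce(m.group(2).strip())
        elif m := MULTISZ_RE.match(line):    # svchost group -> list of services
            keys[current][m.group(1)] = m.group(2).split()
    return keys


def audit(keys):
    """Return (key, name, reason) for every setting that weakens defences."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        for where, name, bad, reason in RULES:
            hit = where in k if where.endswith("\\") else k.endswith(where)
            if hit and values.get(name) == bad:
                findings.append((key, name, reason))
        if k.endswith("\\globallyopenports\\list"):
            findings += [(key, p, "port open to all networks") for p in values]
        elif k.endswith("\\svchost"):  # ComboFix hides defaults, so every entry is non-default
            findings += [(key, g, "non-default svchost group hosting " + ", ".join(s))
                         for g, s in values.items()]
    return findings


def build_cfscript(keys):
    """CFScript that resets the Security Center override values to 0 (the only
    change this example proposes); empty string when neither override is set."""
    lines = ["Registry::"]
    for key, values in keys.items():
        if key.lower().endswith("\\security center"):
            resets = [n for n in ("AntiVirusOverride", "FirewallOverride")
                      if values.get(n) == 1]
            if resets:
                lines.append(f"[{key}]")
                lines += [f'"{n}"=dword:00000000' for n in resets]
    return "\n".join(lines) if len(lines) > 1 else ""


if __name__ == "__main__":
    for key, name, reason in audit(parse_reg_points(SAMPLE_LOG)):
        print(f"{name:<22} {reason}  [{key}]")
    print("\n" + build_cfscript(parse_reg_points(SAMPLE_LOG)))
```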

#4 heir

  • Malware Response Team
  • 763 posts
  • Gender:Male

Posted 12 May 2011 - 04:48 PM

Let's verify that the Rootkit is gone.


Step 0.
Filescan:

Please go to: VirusTotal

  • On the page you'll find a Browse - button.
  • Click on the Browse button.
  • In the Choose File to Upload window which opens, copy and paste this into the File Name box.

    c:\windows\system32\wbrifkpc.rif
  • Next, click the Open button.
  • Then click the Send File - button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Once scanned, copy and paste the link to the results page in your next reply.

Please repeat for the following file:

c:\windows\DUMP4a38.tmp

Step 1.
TDSSKiller:

Please read carefully and follow these steps.
  • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.


    Posted Image

  • If an infected file is detected, the default action will be Cure, click on Continue.


    Posted Image

  • If a suspicious file is detected, the default action will be Skip, click on Continue.


    Posted Image

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.


    Posted Image

  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Step 2.
CFScript:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

Save this as CFScript.txt, in the same location as ComboFix.exe

Drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 3.
MBAM:

Please download Malwarebytes' Anti-Malware from Here

  • Launch Malwarebytes' Anti-Malware.
  • Update Malwarebytes' Anti-Malware.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Step 4.
Things I would like to see in your reply:

  • The links to the results from the filescans in step 0.
  • The content of the log from TDSSKiller in step 1.
  • The content of C:\ComboFix.txt in step 2.
  • The content of the log from MBAM in step 3.
  • Information on how your computer is running after those steps.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click the donate link.
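As an added example (not code from heir's post or from ComboFix), a Python script that parses the Registry:: section of the CFScript above and reports which of those Security Center values on a machine differ from what the script would set, so a helper can confirm the overrides really were reset after the run; the registry snapshot it checks against is constructed.

```python
import re
# Constructed sample: the Registry:: block from the post above, verbatim.
CFSCRIPT = """Registry::
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
"""
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_registry_section(text):
    """Return {key_path (lowercased): {value_name: int}} for the Registry::
    section of a CFScript. Only dword values are parsed (all the block above
    uses); other sections such as File:: are skipped."""
    desired, in_section, current = {}, False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):  # section header, e.g. Registry::
            in_section, current = (line == "Registry::"), None
            continue
        if not in_section:
            continue
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            desired.setdefault(current, {})
            continue
        val = VAL_RE.match(line)
        if val and current is not None:
            desired[current][val.group(1)] = int(val.group(2), 16)
    return desired

def find_deviations(desired, snapshot):
    """Return (key, name, actual, expected) for each scripted value that
    differs from the snapshot; a missing value is reported as actual=None."""
    out = []
    for key, values in desired.items():
        present = snapshot.get(key, {})
        for name, expected in values.items():
            if present.get(name) != expected:
                out.append((key, name, present.get(name), expected))
    return out

# Constructed snapshot (not from this thread's logs): both overrides are 1,
# the state the CFScript above resets to 0.
SAMPLE_SNAPSHOT = {r"hkey_local_machine\software\microsoft\security center": {
    "AntiVirusOverride": 1, "FirewallOverride": 1, "UpdatesDisableNotify": 0}}
```

Running find_deviations(parse_registry_section(CFSCRIPT), SAMPLE_SNAPSHOT) on the constructed snapshot lists both overrides as 1 where the script sets 0; an empty result after the ComboFix run means the values took effect.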


#5 heir

heir

  • Malware Response Team
  • 763 posts
  • Gender:Male
  • Local time:11:58 AM

Posted 16 May 2011 - 08:34 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
