
Internet Explorer 8 - script error


14 replies to this topic

#1 jamesther7


Posted 09 November 2011 - 11:21 AM

Hi - first post

Every time I try to access the Internet (via IE8 and Google Chrome) I get the standard script error message window:
'Internet Explorer has encountered a problem and needs to close...'

I've removed some malware using Malwarebytes that had got itself onto my computer despite having McAfee installed and running.

I did have a toolbar install itself (Dealio I think) last thing last night before I closed it down. I have removed that from the computer.

I also get an odd message and can't access 'Internet Options' from the Control Panel: something like Cannot run DLL as an App - it doesn't even respond at the moment

My wife is asking me to call the installation company to come and take a look, but I thought I'd ask you first. How do I solve a script error caused, I think, by a toolbar adding itself on, when I can't even get onto Internet Options?

Thanks

Jamesther7

Edited by hamluis, 09 November 2011 - 12:44 PM.
Moved from Web Browsing/Email to Am I Infected.



 


#2 Broni


Posted 09 November 2011 - 03:48 PM

Welcome aboard

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

 


#3 jamesther7


Posted 09 November 2011 - 04:44 PM

Here is the Minitoolbox report:



MiniToolBox by Farbar
Ran by Ian (administrator) on 09-11-2011 at 21:36:04
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================


127.0.0.1 localhost

========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (11/09/2011 08:49:52 PM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module iexplore.exe, version 8.0.6001.18702, fault address 0x00001a28.
Processing media-specific event for [iexplore.exe!ws!]

Error: (11/09/2011 07:48:18 PM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module iexplore.exe, version 8.0.6001.18702, fault address 0x00001a28.
Processing media-specific event for [iexplore.exe!ws!]

Error: (11/09/2011 07:48:13 PM) (Source: Application Error) (User: )
Description: Faulting application chrome.exe, version 15.0.874.106, faulting module chrome.exe, version 15.0.874.106, fault address 0x00057f7c.
Processing media-specific event for [chrome.exe!ws!]

Error: (11/09/2011 07:47:47 PM) (Source: Application Error) (User: )
Description: Fault bucket -1627434171.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

Error: (11/09/2011 07:45:42 PM) (Source: Application Error) (User: )
Description: Faulting application chrome.exe, version 15.0.874.106, faulting module chrome.exe, version 15.0.874.106, fault address 0x00057f7c.
Processing media-specific event for [chrome.exe!ws!]

Error: (11/09/2011 07:38:54 PM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module iexplore.exe, version 8.0.6001.18702, fault address 0x00001a28.
Processing media-specific event for [iexplore.exe!ws!]

Error: (11/09/2011 07:18:23 PM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module iexplore.exe, version 8.0.6001.18702, fault address 0x00001a28.
Processing media-specific event for [iexplore.exe!ws!]

Error: (11/09/2011 07:17:26 PM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module iexplore.exe, version 8.0.6001.18702, fault address 0x00001a28.
Processing media-specific event for [iexplore.exe!ws!]

Error: (11/09/2011 06:15:14 PM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module iexplore.exe, version 8.0.6001.18702, fault address 0x00001a28.
Processing media-specific event for [iexplore.exe!ws!]

Error: (11/09/2011 06:11:45 PM) (Source: Application Error) (User: )
Description: Faulting application rundll32.exe, version 5.1.2600.5512, faulting module rundll32.exe, version 5.1.2600.5512, fault address 0x00001bdd.
Processing media-specific event for [rundll32.exe!ws!]


System errors:
=============
Error: (11/09/2011 08:51:26 PM) (Source: Service Control Manager) (User: )
Description: The MBAMService service depends on the MBAMProtector service which failed to start because of the following error:
%%2

Error: (11/09/2011 08:51:26 PM) (Source: Service Control Manager) (User: )
Description: The MBAMProtector service failed to start due to the following error:
%%2

Error: (11/09/2011 08:50:12 PM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (11/09/2011 07:48:30 PM) (Source: DCOM) (User: Ian)
Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error: (11/09/2011 07:40:44 PM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1084" attempting to start the service McNaiAnn with arguments ""
in order to run the server:
{DC7EF8E1-824F-4110-AB43-1604DA9B4F40}

Error: (11/09/2011 07:40:44 PM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1084" attempting to start the service McNaiAnn with arguments ""
in order to run the server:
{DC7EF8E1-824F-4110-AB43-1604DA9B4F40}

Error: (11/09/2011 07:40:44 PM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1084" attempting to start the service McNaiAnn with arguments ""
in order to run the server:
{DC7EF8E1-824F-4110-AB43-1604DA9B4F40}

Error: (11/09/2011 07:40:44 PM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1084" attempting to start the service McNaiAnn with arguments ""
in order to run the server:
{DC7EF8E1-824F-4110-AB43-1604DA9B4F40}

Error: (11/09/2011 07:40:44 PM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1084" attempting to start the service McNaiAnn with arguments ""
in order to run the server:
{DC7EF8E1-824F-4110-AB43-1604DA9B4F40}

Error: (11/09/2011 07:40:44 PM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1084" attempting to start the service McNaiAnn with arguments ""
in order to run the server:
{DC7EF8E1-824F-4110-AB43-1604DA9B4F40}


Microsoft Office Sessions:
=========================
Error: (10/19/2011 07:35:57 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 8, Application Name: Microsoft Office Publisher, Application Version: 12.0.6546.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 4359 seconds with 2880 seconds of active time. This session ended with a crash.

Error: (10/06/2011 05:40:46 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 10595 seconds with 720 seconds of active time. This session ended with a crash.

Error: (06/11/2011 08:31:45 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 3, Application Name: Microsoft Office PowerPoint, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 28 seconds with 0 seconds of active time. This session ended with a crash.

Error: (06/11/2011 08:31:12 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 3, Application Name: Microsoft Office PowerPoint, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 209 seconds with 120 seconds of active time. This session ended with a crash.

Error: (06/11/2011 08:27:37 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 3, Application Name: Microsoft Office PowerPoint, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 2775 seconds with 1680 seconds of active time. This session ended with a crash.

Error: (01/13/2011 05:24:11 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 19525 seconds with 10500 seconds of active time. This session ended with a crash.

Error: (11/23/2010 05:52:58 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 7408 seconds with 60 seconds of active time. This session ended with a crash.

Error: (10/10/2010 10:45:06 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6541.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 1 seconds with 0 seconds of active time. This session ended with a crash.

Error: (10/10/2010 10:44:56 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6541.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 1455 seconds with 420 seconds of active time. This session ended with a crash.

Error: (10/07/2010 08:04:44 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6541.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 27 seconds with 0 seconds of active time. This session ended with a crash.


=========================== Installed Programs ============================

Acrobat.com (Version: 1.7.186)
Adobe AIR (Version: 1.5.3.9130)
Adobe Flash Player 10 ActiveX (Version: 10.2.153.1)
Adobe Flash Player 10 Plugin (Version: 10.0.32.18)
Adobe Reader 9.4.6 (Version: 9.4.6)
Adobe Shockwave Player 11.5 (Version: 11.5.2.602)
Apple Application Support (Version: 1.1.0)
Apple Mobile Device Support (Version: 2.6.0.32)
Apple Software Update (Version: 2.1.1.116)
Arcventure Egyptians
Arcventure Romans
Arcventure Vikings
Audacity 1.3.12 (Unicode)
BAMZOOKi SR v1.2 (build 379.1)
BBC iPlayer Desktop (Version: 3.2.6)
BT Broadband Desktop Help
BT NetProtect Plus (Version: 10.5.247)
BT Yahoo! Applications
BTHomeHub
Disney's Tigger Too
ffdshow [rev 2527] [2008-12-19] (Version: 1.0)
FLAC 1.2.1b (remove only) (Version: 1.2.1b)
Free FLV Converter V 7.2.0 (Version: 7.1.0.0)
FUJIFILM MyFinePix Studio 2.0
Google Chrome (Version: 15.0.874.106)
Google Earth (Version: 6.0.3.2197)
Google Update Helper (Version: 1.3.21.79)
GoToAssist Corporate (Version: 9.0.570)
Haali Media Splitter
History Explorer
HP Deskjet 1050 J410 series Basic Device Software (Version: 20.0.771.0)
HP Deskjet 1050 J410 series Help (Version: 140.0.56.56)
HP Deskjet 1050 J410 series Product Improvement Study (Version: 20.0.771.0)
hp deskjet 3820 series (Remove only)
HP Update (Version: 5.002.003.003)
Human Body Explorer
Intel® Graphics Media Accelerator Driver
iTunes (Version: 9.0.2.25)
Java Auto Updater (Version: 2.0.2.4)
Java™ 6 Update 21 (Version: 6.0.210)
LAME v3.98.2 for Audacity
LEGO Chess
LEGO Creator
LEGO Creator Knights' Kingdom
LEGO Island
LEGO Universe
LEGO® Pirates of the Caribbean The Video Game DEMO (Version: 1.0.0.0)
Little Robots - Making Friends (Version: 1.0.0)
Malwarebytes' Anti-Malware version 1.51.2.1300 (Version: 1.51.2.1300)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Access Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Professional 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Silverlight (Version: 4.0.60531.0)
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 6.0 Parser (KB925673) (Version: 6.00.3888.0)
Nero 7 Essentials (Version: 7.03.0934)
neroxml (Version: 1.0.0)
Noddy - Let's Get Ready for School
NVIDIA PhysX (Version: 9.09.0814)
Olympus Digital Wave Player
QuickTime (Version: 7.65.17.80)
RAF (Version: 1.00.0001)
Rainbow fish and the Whale
REALTEK GbE & FE Ethernet PCI-E NIC Driver (Version: 1.17.0000)
Realtek High Definition Audio Driver (Version: 5.10.0.5898)
Scholastic's I SPY Fantasy
Scholastic's I SPY Spooky Mansion Deluxe
Scholastic's I SPY Treasure Hunt
SearchCore for Browsers (Version: 3.0.0.115676)
Spotify (Version: 0.3.22)
The Map Detectives Rural Mystery
Trojan Killer 2.0
Unity Web Player (All users) (Version: )
Vivitar Experience Image Manager
VoiceOver Kit (Version: 1.20.128.0)
WebFldrs XP (Version: 9.50.7523)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Media Format Runtime
Windows Media Player 10
Windows Presentation Foundation (Version: 3.0.6920.0)
Windows Searchqu Toolbar (Version: 3.0.0.115676)
WinRAR archiver
WinZip 12.1 (Version: 12.1.8519)
XML Paper Specification Shared Components Pack 1.0

========================= Memory info: ===================================

Percentage of memory in use: 21%
Total physical RAM: 2013.04 MB
Available physical RAM: 1589.32 MB
Total Pagefile: 3905.88 MB
Available Pagefile: 3374.21 MB
Total Virtual: 2047.88 MB
Available Virtual: 1994.66 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:298.09 GB) (Free:245.93 GB) NTFS
2 Drive d: (GRTMHOEM_EN) (CDROM) (Total:0.55 GB) (Free:0 GB) CDFS
6 Drive h: (KINGSTON) (Removable) (Total:0.94 GB) (Free:0.03 GB) FAT

========================= Users: ========================================

User accounts for \\CUSTOMER-A728C3

Administrator ASPNET Guest
HelpAssistant Ian SUPPORT_388945a0


**** End of log ****

I'll do the security check next - but I have already done a MBAM scan and got rid of the 3 viruses it found (and I did it in safe mode as well - nothing else found)
I also scanned the computer with McAfee and it found and removed 2 viruses that MBAM hadn't

Should I continue with using GMER?

Very grateful for your help - very much appreciated
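
As an added example (not code from this thread, from MiniToolBox or from BleepingComputer), the script below reads the sections Broni asked for above (IE proxy settings, hosts file, Winsock entries, installed programs) and flags what a helper looks for by eye: a configured proxy, hosts entries beyond localhost, a non-Microsoft DLL in the Winsock provider chain, and bundled search toolbars. Both reports embedded in it are constructed for the example; the section headers copy the MiniToolBox layout posted above, but the wording assumed for an enabled-proxy entry is a guess.

```python
"""Triage a MiniToolBox report for browser-hijack indicators.

Added example: not part of the thread, MiniToolBox or BleepingComputer.
The two reports below are CONSTRUCTED for the example; their section
headers copy the MiniToolBox layout seen in the thread, but the wording
of an enabled-proxy entry is an assumption.
"""
import re
from typing import Dict, List

# Winsock providers that ship with Windows XP. A layered service provider
# (LSP) hijack shows up as an extra, non-Microsoft DLL in this chain.
MS_WINSOCK_DLLS = {"mswsock.dll", "winrnr.dll", "rsvpsp.dll"}

# Lines MiniToolBox prints when no IE proxy is configured (as in the thread).
PROXY_CLEAN = {"proxy is not enabled.", "no proxy server is set."}

# Bundled search toolbars named in this thread.
TOOLBAR_MARKERS = ("searchqu", "searchcore", "dealio")

HEADER_RE = re.compile(r"^=+\s*(.*?)\s*:?\s*=+$")
WINSOCK_RE = re.compile(r"^Catalog\d+\s+\d+\s+(.+?)\s+\[\d+\]\s+\((.*)\)$")

# Constructed: mirrors the clean values posted in the thread.
CLEAN_REPORT = r"""MiniToolBox by Farbar
========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================

127.0.0.1 localhost

========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
"""

# Constructed: the same layout with one finding planted in each section.
# The proxy lines and the toolbar LSP path are invented for illustration.
SUSPECT_REPORT = r"""MiniToolBox by Farbar
========================= IE Proxy Settings: ==============================

ProxyEnable: 1
ProxyServer: http=127.0.0.1:8080
========================= Hosts content: =================================

127.0.0.1 localhost
127.0.0.1 update.example.com

========================= Winsock entries =====================================

Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\Program Files\Example Toolbar\exlsp.dll [61440] ()

=========================== Installed Programs ============================

Google Chrome (Version: 15.0.874.106)
Windows Searchqu Toolbar (Version: 3.0.0.115676)
"""


def split_sections(report: str) -> Dict[str, List[str]]:
    """Map each '==== Name: ====' header to the non-empty lines under it."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in report.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m and m.group(1):          # skip bare '=====' underlines
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is not None and line:
            sections[current].append(line)
    return sections


def triage(report: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious line, in report order."""
    findings: List[Dict[str, str]] = []
    s = split_sections(report)
    proxy = [l for l in s.get("IE Proxy Settings", []) if l.lower() not in PROXY_CLEAN]
    if proxy:  # any proxy at all on a home PC that should have none
        findings.append({"section": "IE Proxy Settings", "detail": "; ".join(proxy)})
    for line in s.get("Hosts content", []):
        parts = line.split()
        if not line.startswith("#") and len(parts) >= 2 and parts[1].lower() != "localhost":
            findings.append({"section": "Hosts content", "detail": line})
    for line in s.get("Winsock entries", []):
        m = WINSOCK_RE.match(line)
        if not m:
            continue
        path, vendor = m.groups()
        dll = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if dll not in MS_WINSOCK_DLLS or vendor != "Microsoft Corporation":
            findings.append({"section": "Winsock entries", "detail": line})
    for line in s.get("Installed Programs", []):
        if any(mk in line.lower() for mk in TOOLBAR_MARKERS):
            findings.append({"section": "Installed Programs", "detail": line})
    return findings


if __name__ == "__main__":
    for f in triage(SUSPECT_REPORT):
        print(f"[{f['section']}] {f['detail']}")
```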

#4 jamesther7


Posted 09 November 2011 - 04:50 PM

As I expected - security check showed nothing:

Results of screen317's Security Check version 0.99.24
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 21
Out of date Java installed!
Adobe Flash Player ( 10.0.32.18) Flash Player Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````

#5 Broni


Posted 09 November 2011 - 04:57 PM

Yes, I need fresh MBAM log as well as GMER log.

Also in MiniToolBox you forgot to checkmark "List IP configuration", so I'll need that info as well.



 


#6 jamesther7


Posted 10 November 2011 - 03:38 AM

GMER results:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-10 06:36:20
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-12 SAMSUNG_HD322HJ rev.1AG01118
Running: GMER.exe; Driver: C:\DOCUME~1\Ian\LOCALS~1\Temp\kwdirkow.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9ED0D70]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9ED0D84]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9ED0DB0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9ED0E06]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9ED0D5C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9ED0D34]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9ED0D48]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9ED0D9A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB9ED0DDC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9ED0DC6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9ED0E30]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9ED0E1C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9ED0DF0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504B08 7 Bytes JMP B9ED0DF4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B203A 7 Bytes JMP B9ED0E0A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E48 5 Bytes JMP B9ED0E20 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetSecurityObject 805C062E 5 Bytes JMP B9ED0DE0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB440 5 Bytes JMP B9ED0D38 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB6CC 5 Bytes JMP B9ED0D4C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29E2 5 Bytes JMP B9ED0E34 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80622662 7 Bytes JMP B9ED0DCA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80623B12 7 Bytes JMP B9ED0D9E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806240F0 5 Bytes JMP B9ED0D74 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8062458C 7 Bytes JMP B9ED0D88 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8062475C 7 Bytes JMP B9ED0DB4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 806254CE 5 Bytes JMP B9ED0D60 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
INITc VolSnap.sys BA0F3BD0 4 Bytes [B0, A5, 53, 80]
INITc VolSnap.sys BA0F3BF8 4 Bytes [B8, A1, 4F, 80]
INITc VolSnap.sys BA0F3C20 4 Bytes [B6, AE, 4F, 80]
INITc VolSnap.sys BA0F3C48 4 Bytes [30, FF, 4F, 80]
INITc VolSnap.sys BA0F3C70 4 Bytes [7A, A8, 4F, 80]
INITc ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[392] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[392] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\services.exe[1172] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\services.exe[1172] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00050FD4
.text C:\WINDOWS\system32\services.exe[1172] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00050FE5
.text C:\WINDOWS\system32\services.exe[1172] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\services.exe[1172] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00040F48
.text C:\WINDOWS\system32\services.exe[1172] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00040047
.text C:\WINDOWS\system32\services.exe[1172] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00040F6D
.text C:\WINDOWS\system32\services.exe[1172] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00040F94
.text C:\WINDOWS\system32\services.exe[1172] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00040FA5
.text C:\WINDOWS\system32\services.exe[1172] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00040F10
.text C:\WINDOWS\system32\services.exe[1172] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00040062
.text C:\WINDOWS\system32\services.exe[1172] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 0004008E
.text C:\WINDOWS\system32\services.exe[1172] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00040EF5
.text C:\WINDOWS\system32\services.exe[1172] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00040EE4
.text C:\WINDOWS\system32\services.exe[1172] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00040036
.text C:\WINDOWS\system32\services.exe[1172] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00040FD4
.text C:\WINDOWS\system32\services.exe[1172] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00040F37
.text C:\WINDOWS\system32\services.exe[1172] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0004001B
.text C:\WINDOWS\system32\services.exe[1172] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\services.exe[1172] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00040073
.text C:\WINDOWS\system32\services.exe[1172] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006B0FCA
.text C:\WINDOWS\system32\services.exe[1172] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006B0F79
.text C:\WINDOWS\system32\services.exe[1172] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006B001B
.text C:\WINDOWS\system32\services.exe[1172] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006B0FE5
.text C:\WINDOWS\system32\services.exe[1172] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006B0F8A
.text C:\WINDOWS\system32\services.exe[1172] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006B000A
.text C:\WINDOWS\system32\services.exe[1172] ADVAPI32.dll!RegCreateKeyW 77DFBA55 3 Bytes JMP 006B0036

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\mfevtps.exe[168] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [0040A4B0] C:\WINDOWS\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT C:\WINDOWS\system32\mfevtps.exe[168] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [0040A510] C:\WINDOWS\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1552] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [63602723] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1552] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [63602640] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1552] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [636022E2] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1552] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [63602687] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1552] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [63602723] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1552] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [63602640] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1552] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [636022E2] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1552] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [63602687] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1552] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [63602640] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1552] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [63602687] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1552] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [636022E2] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1552] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [63602723] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1552] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [636026CE] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1552] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [636015B4] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1552] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [63601F71] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1552] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [63601EA6] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1552] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [63601F47] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1552] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [6360158D] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1552] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [636026CE] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1552] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [63602723] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1552] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [63602687] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1552] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [63602640] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1552] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [636022E2] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1552] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [63601F71] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1552] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [63601F47] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1552] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [63601EA6] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1552] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [6360158D] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1552] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [636015B4] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- Threads - GMER 1.0.15 ----

Thread System [4:136] 8AFA8E7A
Thread System [4:140] 8AFAB008

---- EOF - GMER 1.0.15 ----

MiniToolBox IP Configuration:

MiniToolBox by Farbar
Ran by Ian (administrator) on 09-11-2011 at 23:17:57
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************
========================= IP Configuration: ================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration

Windows IP Configuration

Host Name . . . . . . . . . . . . : customer-a728c3
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : home

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : home
Description . . . . . . . . . . . : Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC
Physical Address. . . . . . . . . : 00-23-54-DD-2A-F9
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.64
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.254
DHCP Server . . . . . . . . . . . : 192.168.1.254
DNS Servers . . . . . . . . . . . : 192.168.1.254
Lease Obtained. . . . . . . . . . : 09 November 2011 11:15:53 PM
Lease Expires . . . . . . . . . . : 10 November 2011 11:15:53 PM

Server: api.home
Address: 192.168.1.254

DNS request timed out.
timeout was 2 seconds.

Pinging google.com [209.85.229.105] with 32 bytes of data:

Reply from 209.85.229.105: bytes=32 time=43ms TTL=49
Reply from 209.85.229.105: bytes=32 time=44ms TTL=49

Ping statistics for 209.85.229.105:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 43ms, Maximum = 44ms, Average = 43ms

Server: api.home
Address: 192.168.1.254

Name: yahoo.com
Addresses: 98.139.180.149, 209.191.122.70, 67.195.160.76, 72.30.2.43
98.137.149.56

Pinging yahoo.com [67.195.160.76] with 32 bytes of data:

Reply from 67.195.160.76: bytes=32 time=126ms TTL=48
Reply from 67.195.160.76: bytes=32 time=127ms TTL=48

Ping statistics for 67.195.160.76:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 126ms, Maximum = 127ms, Average = 126ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 23 54 dd 2a f9 ...... Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.64 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.64 192.168.1.64 20
192.168.1.64 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.64 192.168.1.64 20
224.0.0.0 240.0.0.0 192.168.1.64 192.168.1.64 20
255.255.255.255 255.255.255.255 192.168.1.64 192.168.1.64 1
Default Gateway: 192.168.1.254
===========================================================================
Persistent Routes:
None

**** End of log ****

MBAM initial scan, run as soon as the problem was detected:


Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8122

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

09/11/2011 12:17:22 PM
mbam-log-2011-11-09 (12-17-22).txt

Scan type: Quick scan
Objects scanned: 205383
Time elapsed: 24 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{F9A48911-5C43-D79A-8070-84D936DABB51} (Trojan.ZbotR.Gen) -> Value: {F9A48911-5C43-D79A-8070-84D936DABB51} -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2680972979 (Trojan.FakeAlert) -> Value: 2680972979 -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Ian\local settings\Temp\is-8MJLB.tmp\dealio.exe (PUP.Dealio.TB) -> Not selected for removal.
c:\documents and settings\Ian\local settings\Temp\is-MVM1N.tmp\dealio.exe (PUP.Dealio.TB) -> Not selected for removal.
c:\documents and settings\Ian\local settings\Temp\is-UK1PC.tmp\dealio.exe (PUP.Dealio.TB) -> Not selected for removal.

I did subsequently remove these dealio.exe files

Thanks

Ian

#7 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,696 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 10 November 2011 - 11:03 AM

Download TDSSKiller and save it to your desktop.
  • Doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.


#8 jamesther7

jamesther7
  • Topic Starter

  • Members
  • 10 posts

Posted 10 November 2011 - 03:20 PM

Sadly - it says that application isn't compatible with Win32

Is there a compatible edition available?

#9 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,696 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 10 November 2011 - 03:22 PM

That's the infection playing games with you.

With the information you have provided I believe you will need help from the malware removal team.
Please make sure that you read the information about getting started first.
Then start a new thread HERE and include all required logs.
Including a link to this thread will be helpful.

Good luck and be patient. Help is on the way!


#10 jamesther7

jamesther7
  • Topic Starter

  • Members
  • 10 posts

Posted 10 November 2011 - 04:01 PM

Dear Broni

I downloaded the TDSSKiller as a .zip and then ran my system in safe mode.

TDSSkiller then found the rootkit and identified it as: Rootkit.Win32.TDSS.tdl3

It was down as Service:VolSnap

and in the file: C:\Windows\system32\drivers\volsnap.sys

I clicked Cure and it claimed to be rid of it - but I notice that the file is still there. Is it part of the operating system, or a rogue file I should get rid of?

It required a reboot. I can access Internet Options now, but I thought I'd better ask before attempting to open IE.

And the log from the TDSSKiller report said:

20:42:53.0390 1112 TDSS rootkit removing tool 2.6.17.0 Nov 9 2011 16:48:26
20:42:53.0453 1112 ============================================================
20:42:53.0453 1112 Current date / time: 2011/11/10 20:42:53.0453
20:42:53.0453 1112 SystemInfo:
20:42:53.0453 1112
20:42:53.0453 1112 OS Version: 5.1.2600 ServicePack: 3.0
20:42:53.0453 1112 Product type: Workstation
20:42:53.0453 1112 ComputerName: CUSTOMER-A728C3
20:42:53.0453 1112 UserName: Ian
20:42:53.0453 1112 Windows directory: C:\WINDOWS
20:42:53.0453 1112 System windows directory: C:\WINDOWS
20:42:53.0453 1112 Processor architecture: Intel x86
20:42:53.0453 1112 Number of processors: 2
20:42:53.0453 1112 Page size: 0x1000
20:42:53.0453 1112 Boot type: Safe boot
20:42:53.0453 1112 ============================================================
20:42:55.0968 1112 Initialize success
20:42:57.0906 1128 ============================================================
20:42:57.0906 1128 Scan started
20:42:57.0906 1128 Mode: Manual;
20:42:57.0906 1128 ============================================================
20:42:59.0281 1128 Abiosdsk - ok
20:42:59.0468 1128 abp480n5 - ok
20:42:59.0703 1128 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
20:42:59.0750 1128 ACPI - ok
20:42:59.0921 1128 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
20:42:59.0921 1128 ACPIEC - ok
20:43:00.0078 1128 adpu160m - ok
20:43:00.0312 1128 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
20:43:00.0359 1128 aec - ok
20:43:00.0578 1128 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
20:43:00.0625 1128 AFD - ok
20:43:00.0781 1128 Aha154x - ok
20:43:00.0953 1128 aic78u2 - ok
20:43:01.0125 1128 aic78xx - ok
20:43:01.0312 1128 AliIde - ok
20:43:01.0937 1128 Ambfilt (f6af59d6eee5e1c304f7f73706ad11d8) C:\WINDOWS\system32\drivers\Ambfilt.sys
20:43:02.0390 1128 Ambfilt - ok
20:43:02.0546 1128 amsint - ok
20:43:02.0781 1128 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
20:43:02.0796 1128 Arp1394 - ok
20:43:02.0953 1128 asc - ok
20:43:03.0125 1128 asc3350p - ok
20:43:03.0296 1128 asc3550 - ok
20:43:03.0531 1128 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
20:43:03.0546 1128 AsyncMac - ok
20:43:03.0734 1128 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
20:43:03.0734 1128 atapi - ok
20:43:03.0890 1128 Atdisk - ok
20:43:04.0093 1128 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
20:43:04.0109 1128 Atmarpc - ok
20:43:04.0312 1128 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
20:43:04.0312 1128 audstub - ok
20:43:04.0515 1128 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
20:43:04.0515 1128 Beep - ok
20:43:04.0734 1128 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
20:43:04.0734 1128 cbidf2k - ok
20:43:04.0890 1128 cd20xrnt - ok
20:43:05.0078 1128 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
20:43:05.0078 1128 Cdaudio - ok
20:43:05.0265 1128 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
20:43:05.0281 1128 Cdfs - ok
20:43:05.0484 1128 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
20:43:05.0515 1128 Cdrom - ok
20:43:05.0718 1128 cfwids (7fd604cd7a7a0ff8975af61bdf64c577) C:\WINDOWS\system32\drivers\cfwids.sys
20:43:05.0734 1128 cfwids - ok
20:43:05.0890 1128 Changer - ok
20:43:06.0093 1128 CmdIde - ok
20:43:06.0296 1128 Cpqarray - ok
20:43:06.0468 1128 dac2w2k - ok
20:43:06.0640 1128 dac960nt - ok
20:43:06.0843 1128 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
20:43:06.0859 1128 Disk - ok
20:43:07.0250 1128 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
20:43:07.0468 1128 dmboot - ok
20:43:07.0671 1128 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
20:43:07.0718 1128 dmio - ok
20:43:07.0890 1128 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
20:43:07.0890 1128 dmload - ok
20:43:08.0109 1128 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
20:43:08.0125 1128 DMusic - ok
20:43:08.0296 1128 dpti2o - ok
20:43:08.0468 1128 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
20:43:08.0468 1128 drmkaud - ok
20:43:08.0875 1128 efipsk (13e6157d3c29914c9f548e80acc86ea2) C:\DOCUME~1\Ian\LOCALS~1\Temp\efipsk.sys
20:43:09.0062 1128 efipsk - ok
20:43:09.0343 1128 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
20:43:09.0390 1128 Fastfat - ok
20:43:09.0593 1128 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
20:43:09.0593 1128 Fdc - ok
20:43:09.0796 1128 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
20:43:09.0796 1128 Fips - ok
20:43:09.0984 1128 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
20:43:09.0984 1128 Flpydisk - ok
20:43:10.0234 1128 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
20:43:10.0265 1128 FltMgr - ok
20:43:10.0453 1128 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
20:43:10.0453 1128 Fs_Rec - ok
20:43:10.0656 1128 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
20:43:10.0687 1128 Ftdisk - ok
20:43:10.0890 1128 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
20:43:10.0890 1128 GEARAspiWDM - ok
20:43:11.0062 1128 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
20:43:11.0078 1128 Gpc - ok
20:43:11.0328 1128 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
20:43:11.0328 1128 HDAudBus - ok
20:43:11.0546 1128 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
20:43:11.0546 1128 hidusb - ok
20:43:11.0718 1128 hpn - ok
20:43:11.0984 1128 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
20:43:12.0062 1128 HTTP - ok
20:43:12.0234 1128 i2omgmt - ok
20:43:12.0390 1128 i2omp - ok
20:43:12.0578 1128 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
20:43:12.0593 1128 i8042prt - ok
20:43:14.0468 1128 ialm (4889622b81a6bcc34bb4b972bc7d9f14) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
20:43:16.0812 1128 ialm - ok
20:43:17.0156 1128 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
20:43:17.0171 1128 Imapi - ok
20:43:17.0437 1128 ini910u - ok
20:43:19.0203 1128 IntcAzAudAddService (3a3a539d7db808fad3b55740474a6d02) C:\WINDOWS\system32\drivers\RtkHDAud.sys
20:43:20.0750 1128 IntcAzAudAddService - ok
20:43:20.0953 1128 IntcHdmiAddService (f32a62c765885bd8e4352a1565f702a6) C:\WINDOWS\system32\drivers\IntcHdmi.sys
20:43:20.0984 1128 IntcHdmiAddService - ok
20:43:21.0140 1128 IntelIde - ok
20:43:21.0343 1128 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
20:43:21.0359 1128 intelppm - ok
20:43:21.0546 1128 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
20:43:21.0562 1128 Ip6Fw - ok
20:43:21.0718 1128 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
20:43:21.0734 1128 IpInIp - ok
20:43:21.0953 1128 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
20:43:21.0984 1128 IpNat - ok
20:43:22.0203 1128 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
20:43:22.0218 1128 IPSec - ok
20:43:22.0390 1128 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
20:43:22.0406 1128 IRENUM - ok
20:43:22.0593 1128 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
20:43:22.0593 1128 isapnp - ok
20:43:22.0812 1128 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
20:43:22.0828 1128 Kbdclass - ok
20:43:23.0000 1128 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
20:43:23.0015 1128 kbdhid - ok
20:43:23.0234 1128 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
20:43:23.0281 1128 kmixer - ok
20:43:23.0484 1128 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
20:43:23.0515 1128 KSecDD - ok
20:43:23.0703 1128 lbrtfdc - ok
20:43:23.0906 1128 MBAMProtector - ok
20:43:24.0250 1128 mfeapfk (688b626fca708ee9eb161cad1f7363a9) C:\WINDOWS\system32\drivers\mfeapfk.sys
20:43:24.0281 1128 mfeapfk - ok
20:43:24.0515 1128 mfeavfk (dbf6e1b388d5c070d438c61adb990c30) C:\WINDOWS\system32\drivers\mfeavfk.sys
20:43:24.0562 1128 mfeavfk - ok
20:43:24.0765 1128 mfebopk (a528b15e330edb83ea649be318d841d5) C:\WINDOWS\system32\drivers\mfebopk.sys
20:43:24.0781 1128 mfebopk - ok
20:43:25.0046 1128 mfefirek (c7da1b8003c89acedaa13768f7a1c622) C:\WINDOWS\system32\drivers\mfefirek.sys
20:43:25.0140 1128 mfefirek - ok
20:43:25.0421 1128 mfehidk (44184f32392fa2e94d08d056ce750d56) C:\WINDOWS\system32\drivers\mfehidk.sys
20:43:25.0546 1128 mfehidk - ok
20:43:25.0765 1128 mfendisk (b1728195877b18ce63cf0cd00b2871eb) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
20:43:25.0796 1128 mfendisk - ok
20:43:25.0828 1128 mfendiskmp (b1728195877b18ce63cf0cd00b2871eb) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
20:43:25.0828 1128 mfendiskmp - ok
20:43:26.0015 1128 mferkdet (ce1711f7c3f72f6762abd241dcfd5ee1) C:\WINDOWS\system32\drivers\mferkdet.sys
20:43:26.0046 1128 mferkdet - ok
20:43:26.0234 1128 mfetdi2k (25e12c68b49a64ffc873603dfd578236) C:\WINDOWS\system32\drivers\mfetdi2k.sys
20:43:26.0265 1128 mfetdi2k - ok
20:43:26.0468 1128 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
20:43:26.0484 1128 mnmdd - ok
20:43:26.0671 1128 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
20:43:26.0671 1128 Modem - ok
20:43:27.0250 1128 Monfilt (9fa7207d1b1adead88ae8eed9cdbbaa5) C:\WINDOWS\system32\drivers\Monfilt.sys
20:43:27.0609 1128 Monfilt - ok
20:43:27.0812 1128 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
20:43:27.0828 1128 Mouclass - ok
20:43:28.0000 1128 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
20:43:28.0000 1128 mouhid - ok
20:43:28.0203 1128 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
20:43:28.0203 1128 MountMgr - ok
20:43:28.0375 1128 mraid35x - ok
20:43:28.0578 1128 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
20:43:28.0687 1128 MREMP50 - ok
20:43:28.0781 1128 MREMPR5 - ok
20:43:28.0890 1128 MRENDIS5 (5734ea3fb1a4db012a76b33810273d8e) C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS
20:43:28.0906 1128 MRENDIS5 - ok
20:43:29.0000 1128 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
20:43:29.0015 1128 MRESP50 - ok
20:43:29.0296 1128 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
20:43:29.0406 1128 MRxDAV - ok
20:43:29.0781 1128 MRxSmb (0dc719e9b15e902346e87e9dcd5751fa) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
20:43:29.0953 1128 MRxSmb - ok
20:43:30.0156 1128 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
20:43:30.0156 1128 Msfs - ok
20:43:30.0359 1128 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
20:43:30.0359 1128 MSKSSRV - ok
20:43:30.0531 1128 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
20:43:30.0531 1128 MSPCLOCK - ok
20:43:30.0703 1128 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
20:43:30.0718 1128 MSPQM - ok
20:43:30.0906 1128 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
20:43:30.0906 1128 mssmbios - ok
20:43:31.0078 1128 MTsensor (dcdaab8697a47894a554050ce18d0b56) C:\WINDOWS\system32\DRIVERS\ASACPI.sys
20:43:31.0078 1128 MTsensor - ok
20:43:31.0312 1128 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
20:43:31.0343 1128 Mup - ok
20:43:31.0593 1128 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
20:43:31.0640 1128 NDIS - ok
20:43:31.0812 1128 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
20:43:31.0812 1128 NdisTapi - ok
20:43:32.0000 1128 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
20:43:32.0000 1128 Ndisuio - ok
20:43:32.0187 1128 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
20:43:32.0218 1128 NdisWan - ok
20:43:32.0406 1128 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
20:43:32.0421 1128 NDProxy - ok
20:43:32.0593 1128 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
20:43:32.0593 1128 NetBIOS - ok
20:43:32.0812 1128 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
20:43:32.0859 1128 NetBT - ok
20:43:33.0093 1128 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
20:43:33.0109 1128 NIC1394 - ok
20:43:33.0296 1128 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
20:43:33.0312 1128 Npfs - ok
20:43:33.0625 1128 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
20:43:33.0781 1128 Ntfs - ok
20:43:33.0984 1128 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
20:43:33.0984 1128 Null - ok
20:43:34.0171 1128 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
20:43:34.0171 1128 NwlnkFlt - ok
20:43:34.0343 1128 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
20:43:34.0359 1128 NwlnkFwd - ok
20:43:34.0562 1128 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
20:43:34.0578 1128 ohci1394 - ok
20:43:34.0812 1128 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
20:43:34.0828 1128 Parport - ok
20:43:35.0000 1128 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
20:43:35.0000 1128 PartMgr - ok
20:43:35.0187 1128 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
20:43:35.0187 1128 ParVdm - ok
20:43:35.0375 1128 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
20:43:35.0406 1128 PCI - ok
20:43:35.0562 1128 PCIDump - ok
20:43:48.0406 1128 VolSnap (7c38f81f40d61d1607ddb62fe5817bb9) C:\WINDOWS\system32\drivers\VolSnap.sys
20:43:48.0421 1128 Suspicious file (Forged): C:\WINDOWS\system32\drivers\VolSnap.sys. Real md5: 7c38f81f40d61d1607ddb62fe5817bb9, Fake md5: 4c8fcb5cc53aab716d810740fe59d025
20:43:48.0421 1128 VolSnap ( Rootkit.Win32.TDSS.tdl3 ) - infected
20:43:48.0421 1128 VolSnap - detected Rootkit.Win32.TDSS.tdl3 (0)
20:43:48.0640 1128 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
20:43:48.0656 1128 Wanarp - ok
20:43:48.0812 1128 WDICA - ok
20:43:49.0015 1128 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
20:43:49.0031 1128 wdmaud - ok
20:43:49.0328 1128 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
20:43:49.0328 1128 WS2IFSL - ok
20:43:49.0437 1128 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
20:43:49.0609 1128 \Device\Harddisk0\DR0 - ok
20:43:49.0625 1128 MBR (0x1B8) (e5fa06aca0d60ba9c870d0ef3d9898c9) \Device\Harddisk4\DR8
20:43:49.0625 1128 \Device\Harddisk4\DR8 - ok
20:43:49.0640 1128 Boot (0x1200) (fefdc87279abe2a25c28965bdd27fac7) \Device\Harddisk0\DR0\Partition0
20:43:49.0640 1128 \Device\Harddisk0\DR0\Partition0 - ok
20:43:49.0656 1128 Boot (0x1200) (2e8cd2543f2bb1556b95997d13fa393f) \Device\Harddisk4\DR8\Partition0
20:43:49.0656 1128 \Device\Harddisk4\DR8\Partition0 - ok
20:43:49.0671 1128 ============================================================
20:43:49.0671 1128 Scan finished
20:43:49.0671 1128 ============================================================
20:43:49.0718 1120 Detected object count: 1
20:43:49.0718 1120 Actual detected object count: 1
20:48:23.0984 1120 Backup copy found, using it..
20:48:24.0031 1120 C:\WINDOWS\system32\drivers\VolSnap.sys - will be cured on reboot
20:48:24.0031 1120 VolSnap ( Rootkit.Win32.TDSS.tdl3 ) - User select action: Cure
20:48:28.0593 1108 Deinitialize success

Should I try to open IE or Google Chrome, or should I do some more checks first?

#11 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,696 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:08:53 PM

Posted 10 November 2011 - 04:16 PM

VolSnap.sys is a legit file (very important file!) but apparently it was rootkited.
TDSSKiller attempted to replace it with a healthy file.

Re-run the tool one more time.

My Website


My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif
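As an added example (not part of Broni's reply and not TDSSKiller's own code), here is a small parser for the log format quoted above that pulls out exactly the kind of forged-hash entry discussed in this thread, pairing the MD5 of the bytes actually read from disk with the hash the rootkit presented and the threat name TDSSKiller assigned. The sample lines are constructed from that format; the VgaSave, VolSnap and MBR hashes are the ones printed in the log above.

```python
import re
from dataclasses import dataclass

# Constructed sample in the TDSSKiller log format quoted in this thread. The VgaSave,
# VolSnap and MBR hashes are copied from the log above; the line set is assembled here.
SAMPLE_LOG = """\
20:43:47.0796 1128 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\\WINDOWS\\System32\\drivers\\vga.sys
20:43:47.0812 1128 VgaSave - ok
20:43:48.0406 1128 VolSnap (7c38f81f40d61d1607ddb62fe5817bb9) C:\\WINDOWS\\system32\\drivers\\VolSnap.sys
20:43:48.0421 1128 Suspicious file (Forged): C:\\WINDOWS\\system32\\drivers\\VolSnap.sys. Real md5: 7c38f81f40d61d1607ddb62fe5817bb9, Fake md5: 4c8fcb5cc53aab716d810740fe59d025
20:43:48.0421 1128 VolSnap - detected Rootkit.Win32.TDSS.tdl3 (0)
20:43:49.0437 1128 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \\Device\\Harddisk0\\DR0
20:43:49.0609 1128 \\Device\\Harddisk0\\DR0 - ok
"""

PREFIX = r"^\d\d:\d\d:\d\d\.\d+\s+\d+\s+"  # "HH:MM:SS.mmmm <pid> "
RE_OBJECT = re.compile(PREFIX + r"(?P<name>.+?) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
RE_FORGED = re.compile(PREFIX + r"Suspicious file \(Forged\): (?P<path>.+?)\. "
                       r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})")
RE_DETECT = re.compile(PREFIX + r"(?P<name>\S+) - detected (?P<threat>\S+)")
RE_OK = re.compile(PREFIX + r".+ - ok$")


@dataclass
class Finding:
    name: str
    path: str
    real_md5: str   # hash of the bytes TDSSKiller actually read from disk
    fake_md5: str   # hash the rootkit presented to hide its modification
    threat: str = ""


def parse_log(text):
    # Returns (list of forged-file findings, number of objects reported clean).
    names, findings, ok_count = {}, {}, 0
    for line in text.splitlines():
        if m := RE_FORGED.match(line):
            name = names.get(m["path"], "?")
            findings[name] = Finding(name, m["path"], m["real"], m["fake"])
        elif m := RE_DETECT.match(line):
            if m["name"] in findings:          # attach the verdict to the forged file
                findings[m["name"]].threat = m["threat"]
        elif RE_OK.match(line):
            ok_count += 1
        elif m := RE_OBJECT.match(line):       # remember which driver owns which path
            names[m["path"]] = m["name"]
    return list(findings.values()), ok_count


if __name__ == "__main__":
    found, clean = parse_log(SAMPLE_LOG)
    print(f"{clean} object(s) clean, {len(found)} forged")
    for f in found:
        print(f"{f.name}: on-disk {f.real_md5} vs reported {f.fake_md5} -> {f.threat}")
```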


 


#12 jamesther7

jamesther7
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:53 AM

Posted 10 November 2011 - 04:31 PM

Dear Broni,

TDSSKiller hasn't found anything this time (and I opened it in normal mode, not safe) - I've run MBAM and McAfee scans as well - they found nothing either.

Should I try IE?

If it's all working now, how do I protect my desktop against rootkits? McAfee has failed me several times - and I never had these issues when I had Kaspersky.

Ian

#13 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,696 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:08:53 PM

Posted 10 November 2011 - 04:32 PM

Go ahead, try your browsers and let me know.



 


#14 jamesther7

jamesther7
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:53 AM

Posted 10 November 2011 - 04:48 PM

Dear Broni

Oh yes!

Well done, sir - you led me through that with great patience and care.

I will recommend Bleeping Computer.com across the whole of my institution and beyond.

Marvellous - many, many thanks

Dr Ian Cawood

#15 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,696 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:08:53 PM

Posted 10 November 2011 - 04:49 PM

Good news :)

Let's run a couple more checks...

Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart the computer.

=============================================================================

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click on List of found threats
  • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    NOTE: If ESET doesn't find any threats, it will NOT produce a log.



 




