Unknown malware similar to System Fix


This topic is locked
24 replies to this topic

#1 magus73


Posted 02 December 2011 - 06:15 PM

Hello and thanks for any help you can provide. My system was infected with malware which began with a warning saying "Windows has detected a hardware problem. A potential disk failure may cause loss of files..." It was asking me to "Scan" or "Cancel". This was accompanied by a cascade of about 20 windows, all with System 32 "Delayed Write" errors. My desktop was blacked out, files were hidden, start menu shortcuts disappeared and other symptoms of System Fix (I never clicked the buttons so I never saw where it wanted to take me to be able to identify it accurately). I went through the guide on this site and was able to use rkill at first, tdsskiller would not run, MBAM found some things and removed them, then tdsskiller WOULD run and found something and removed it, but when I rebooted it all came back. Then rkill would NOT run, MBAM would not run, and SAS would not update. Somehow I got MBAM and SAS to work and they removed some things and all was quiet. Then today I attached a drive that happened to have the rkill file on it (the same drive I uploaded it to the infected computer from originally) and McAfee all of a sudden alerted about a trojan (and removed it, though this whole problem started with McAfee letting it through in the first place!!). This same thing happens now anytime I try to run rkill or even try to attach a drive with the rkill file on it - it won't run and IT DELETES THE RKILL FILE!! Any drive I try to attach with rkill on it, the trojan pops up and deletes the file. This is brand new behavior. Not sure if this is related but all of a sudden my Outlook PST file is showing errors. I hope that's enough info for someone to help me get rid of this once and for all. Again, thank you for any help.

Windows XP 32 bit SP3

Edited by magus73, 02 December 2011 - 06:17 PM.



#2 Orange Blossom


Posted 03 December 2011 - 01:37 AM

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom :cherry:

Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.


Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.


#3 magus73


Posted 03 December 2011 - 03:38 PM

Thank you.

1. Ran Defogger but it did not ask me to reboot.
2. Ran DDS. (posted and attached)
3. Ran GMER. (posted and attached)


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Run by at 9:16:12 on 2011-12-03
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2472 [GMT -6:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\WINDOWS\vVX6000.exe
C:\Program Files\HTC\HTC Sync 3.0\htcUPCTLoader.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\VirusScan\mcods.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/apps/vso/en-us/redir.asp?affid=105-17&installtype=force&dtag=5brbp41&langid=1&systempopup=true
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111108182040.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb03.exe
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [VX6000] c:\windows\vVX6000.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [nwiz] nwiz.exe /install
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [HTC Sync Loader] "c:\program files\htc\htc sync 3.0\htcUPCTLoader.exe" -startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\christ~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\christ~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\christ~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\logitech webcam software\eReg.exe
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: intuit.com\ttlc
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1005.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - hxxp://launch.gamespyarcade.com/software/launch/alaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} - hxxp://www.moviegroup.tv/activex/DownloadMgr.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
TCP: DhcpNameServer = 97.64.183.164 97.64.209.37
TCP: Interfaces\{105A25F9-020E-41CA-968E-97C1F949817E} : DhcpNameServer = 97.64.183.164 97.64.209.37
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = :\windows\system32\srrst
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\\application data\mozilla\firefox\profiles\0wt82vwp.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - plugin: c:\documents and settings\\application data\mozilla\firefox\profiles\0wt82vwp.default\extensions\devicedetection@logitech.com\plugins\npLogitechDeviceDetection.dll
FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-18 64288]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-5-31 464176]
R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2005-11-26 4064]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-4-22 89792]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2010-7-15 54776]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-7-15 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-7-15 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-7-15 214904]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-7-15 214904]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-7-15 166288]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-7-15 160608]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-7-15 150856]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\htc\internet pass-through\PassThruSvr.exe [2011-3-31 80896]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-7-15 57600]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-7-15 180816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-7-15 59456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-7-15 338176]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-4-22 83856]
S3 Apache2.2;Apache2.2;c:\xampp\apache\bin\apache.exe [2008-6-14 17408]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2005-11-21 2944]
S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2005-11-21 60416]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [2005-11-21 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2005-11-21 10368]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2011-8-3 24576]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [2010-6-22 21248]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-3-15 15232]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-4-22 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-4-22 87656]
S3 Newpogr;Newpogr; [x]
S3 NOVATIONXSTATION;USB ASIO driver for Novation X-Station;c:\windows\system32\drivers\XStnUSB.sys [2007-1-4 325504]
S3 NVNR25AUSB;Novation XStation USB MIDI WDM Driver;c:\windows\system32\drivers\XStation.sys [2007-1-4 38858]
S3 NvnUsbAudio;Novation USB Audio Driver;c:\windows\system32\drivers\nvnusbaudio.sys [2011-11-11 41944]
S3 RDID1058;EDIROL UM-3;c:\windows\system32\drivers\Rdwm1058.sys [2006-9-17 67778]
S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [2009-8-2 2074464]
S3 XSTAUDIO;X-Station Audio;c:\windows\system32\drivers\XStAudio.sys [2007-1-4 23392]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-3-9 2152152]
S4 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-4-13 229688]
.
=============== Created Last 30 ================
.
2011-11-30 03:29:41 -------- d-----w- c:\documents and settings\\application data\Malwarebytes
2011-11-30 03:29:32 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-11-30 03:29:22 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-30 03:29:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-29 23:54:00 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-11-29 23:29:04 476904 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-11-29 23:29:04 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-29 23:29:04 0 ----a-w- c:\windows\system32\REN43.tmp
2011-11-29 23:29:04 0 ----a-w- c:\windows\system32\REN42.tmp
2011-11-29 23:29:04 0 ----a-w- c:\windows\system32\REN41.tmp
2011-11-29 17:38:42 -------- d-----w- c:\documents and settings\\application data\SUPERAntiSpyware.com
2011-11-29 17:38:42 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-11-16 21:09:09 34068 ----a-w- c:\windows\system32\Repository.reg
2011-11-16 21:09:09 265496 ----a-w- c:\windows\system32\drivers\lvrs.sys
2011-11-16 21:09:09 13976 ----a-w- c:\windows\system32\drivers\lv302af.sys
2011-11-11 15:38:18 -------- d-----w- c:\program files\MIDIOX
2011-11-11 15:33:08 20312 ----a-w- c:\windows\system32\nvnusbaudio_coinst.dll
2011-11-11 15:33:07 41944 ----a-w- c:\windows\system32\drivers\nvnusbaudio.sys
2011-11-11 15:33:07 -------- d-----w- c:\program files\Novation
.
==================== Find3M ====================
.
2011-11-26 15:27:19 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-15 19:16:16 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-10-15 19:16:16 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-10-15 19:16:16 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-10-15 19:16:16 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-10-15 19:16:16 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-10-15 19:16:16 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-10-15 19:16:16 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-10-15 19:16:16 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-10-15 19:16:16 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-10-15 19:16:16 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 16:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-21 17:30:08 1880 ----a-w- c:\windows\AUTOLNCH.REG
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 9:17:49.26 ===============




GMER:
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-03 14:19:59
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST380011A rev.3.16
Running: gmer.exe; Driver: C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\uflyrfog.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF766787E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7667BFE]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF745F4D6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF745F502]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF745F558]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF745F4AC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF745F484]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF745F498]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF745F4EC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF745F52E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF745F582]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF745F56E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF745F542]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB90C5360, 0x24526E, 0xE8000020]
? C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[248] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 624199A1 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[248] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419A63 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\System32\svchost.exe[456] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00690000
.text C:\WINDOWS\System32\svchost.exe[456] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00690FDE
.text C:\WINDOWS\System32\svchost.exe[456] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00690FEF
.text C:\WINDOWS\System32\svchost.exe[456] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006D0FEF
.text C:\WINDOWS\System32\svchost.exe[456] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006D0F4A
.text C:\WINDOWS\System32\svchost.exe[456] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006D0F6F
.text C:\WINDOWS\System32\svchost.exe[456] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006D0049
.text C:\WINDOWS\System32\svchost.exe[456] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006D002C
.text C:\WINDOWS\System32\svchost.exe[456] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006D001B
.text C:\WINDOWS\System32\svchost.exe[456] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006D0081
.text C:\WINDOWS\System32\svchost.exe[456] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006D0F39
.text C:\WINDOWS\System32\svchost.exe[456] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006D00A3
.text C:\WINDOWS\System32\svchost.exe[456] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006D0F0A
.text C:\WINDOWS\System32\svchost.exe[456] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006D00B4
.text C:\WINDOWS\System32\svchost.exe[456] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006D0F94
.text C:\WINDOWS\System32\svchost.exe[456] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006D0FDE
.text C:\WINDOWS\System32\svchost.exe[456] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006D0064
.text C:\WINDOWS\System32\svchost.exe[456] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006D000A
.text C:\WINDOWS\System32\svchost.exe[456] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006D0FB9
.text C:\WINDOWS\System32\svchost.exe[456] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006D0092
.text C:\WINDOWS\System32\svchost.exe[456] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006C0FB9
.text C:\WINDOWS\System32\svchost.exe[456] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006C0F83
.text C:\WINDOWS\System32\svchost.exe[456] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006C0FD4
.text C:\WINDOWS\System32\svchost.exe[456] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006C0000
.text C:\WINDOWS\System32\svchost.exe[456] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006C004A
.text C:\WINDOWS\System32\svchost.exe[456] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006C0FE5
.text C:\WINDOWS\System32\svchost.exe[456] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 006C0F9E
.text C:\WINDOWS\System32\svchost.exe[456] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [8C, 88]
.text C:\WINDOWS\System32\svchost.exe[456] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006C0025
.text C:\WINDOWS\System32\svchost.exe[456] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006B005C
.text C:\WINDOWS\System32\svchost.exe[456] msvcrt.dll!system 77C293C7 5 Bytes JMP 006B004B
.text C:\WINDOWS\System32\svchost.exe[456] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006B0029
.text C:\WINDOWS\System32\svchost.exe[456] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006B0FEF
.text C:\WINDOWS\System32\svchost.exe[456] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006B003A
.text C:\WINDOWS\System32\svchost.exe[456] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006B0018
.text C:\WINDOWS\System32\svchost.exe[456] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006A0000
.text C:\WINDOWS\System32\svchost.exe[532] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00690FEF
.text C:\WINDOWS\System32\svchost.exe[532] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00690025
.text C:\WINDOWS\System32\svchost.exe[532] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0069000A
.text C:\WINDOWS\System32\svchost.exe[532] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006D0000
.text C:\WINDOWS\System32\svchost.exe[532] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006D0F9E
.text C:\WINDOWS\System32\svchost.exe[532] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006D0FAF
.text C:\WINDOWS\System32\svchost.exe[532] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006D007D
.text C:\WINDOWS\System32\svchost.exe[532] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006D006C
.text C:\WINDOWS\System32\svchost.exe[532] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006D0FCA
.text C:\WINDOWS\System32\svchost.exe[532] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006D0F72
.text C:\WINDOWS\System32\svchost.exe[532] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006D00C4
.text C:\WINDOWS\System32\svchost.exe[532] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006D0104
.text C:\WINDOWS\System32\svchost.exe[532] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006D0F61
.text C:\WINDOWS\System32\svchost.exe[532] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006D0F50
.text C:\WINDOWS\System32\svchost.exe[532] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006D0051
.text C:\WINDOWS\System32\svchost.exe[532] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006D001B
.text C:\WINDOWS\System32\svchost.exe[532] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006D0F8D
.text C:\WINDOWS\System32\svchost.exe[532] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006D002C
.text C:\WINDOWS\System32\svchost.exe[532] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006D0FDB
.text C:\WINDOWS\System32\svchost.exe[532] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006D00DF
.text C:\WINDOWS\System32\svchost.exe[532] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006C0039
.text C:\WINDOWS\System32\svchost.exe[532] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006C0054
.text C:\WINDOWS\System32\svchost.exe[532] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006C0FDE
.text C:\WINDOWS\System32\svchost.exe[532] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006C0014
.text C:\WINDOWS\System32\svchost.exe[532] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006C0F97
.text C:\WINDOWS\System32\svchost.exe[532] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006C0FEF
.text C:\WINDOWS\System32\svchost.exe[532] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 006C0FB2
.text C:\WINDOWS\System32\svchost.exe[532] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [8C, 88]
.text C:\WINDOWS\System32\svchost.exe[532] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006C0FC3
.text C:\WINDOWS\System32\svchost.exe[1964] WININET.dll!InternetOpenW 3D95DB11 5 Bytes JMP 0091000A
.text C:\WINDOWS\System32\svchost.exe[1964] WININET.dll!InternetOpenUrlA 3D95F3AC 5 Bytes JMP 00910FD4
.text C:\WINDOWS\System32\svchost.exe[1964] WININET.dll!InternetOpenUrlW 3D9A6D6F 5 Bytes JMP 00910025
.text C:\WINDOWS\System32\svchost.exe[1964] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00920FEF
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1988] USER32.dll!SetWindowLongA 7E42C29D 5 Bytes JMP 106AC350 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1988] USER32.dll!SetWindowLongW 7E42C2BB 5 Bytes JMP 106AC2E2 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1988] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 1045E363 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1988] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 1045E91C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\WINDOWS\system32\wuauclt.exe[3680] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00090000
.text C:\WINDOWS\system32\wuauclt.exe[3680] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00090FD4
.text C:\WINDOWS\system32\wuauclt.exe[3680] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00090FE5
.text C:\WINDOWS\system32\wuauclt.exe[3680] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001C0FEF
.text C:\WINDOWS\system32\wuauclt.exe[3680] kernel32.dll!VirtualProtectEx 7C801A61 1 Byte [E9]
.text C:\WINDOWS\system32\wuauclt.exe[3680] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001C0065
.text C:\WINDOWS\system32\wuauclt.exe[3680] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001C0F70
.text C:\WINDOWS\system32\wuauclt.exe[3680] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001C0F97
.text C:\WINDOWS\system32\wuauclt.exe[3680] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001C0054
.text C:\WINDOWS\system32\wuauclt.exe[3680] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001C0FB2
.text C:\WINDOWS\system32\wuauclt.exe[3680] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001C0F27
.text C:\WINDOWS\system32\wuauclt.exe[3680] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001C0F38
.text C:\WINDOWS\system32\wuauclt.exe[3680] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001C0EF1
.text C:\WINDOWS\system32\wuauclt.exe[3680] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001C008A
.text C:\WINDOWS\system32\wuauclt.exe[3680] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001C0ECC
.text C:\WINDOWS\system32\wuauclt.exe[3680] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001C0039
.text C:\WINDOWS\system32\wuauclt.exe[3680] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001C0FDE
.text C:\WINDOWS\system32\wuauclt.exe[3680] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001C0F55
.text C:\WINDOWS\system32\wuauclt.exe[3680] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001C001E
.text C:\WINDOWS\system32\wuauclt.exe[3680] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001C0FCD
.text C:\WINDOWS\system32\wuauclt.exe[3680] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001C0F16
.text C:\WINDOWS\system32\wuauclt.exe[3680] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002B0FB7
.text C:\WINDOWS\system32\wuauclt.exe[3680] msvcrt.dll!system 77C293C7 5 Bytes JMP 002B0042
.text C:\WINDOWS\system32\wuauclt.exe[3680] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002B0016
.text C:\WINDOWS\system32\wuauclt.exe[3680] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002B0FEF
.text C:\WINDOWS\system32\wuauclt.exe[3680] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002B0027
.text C:\WINDOWS\system32\wuauclt.exe[3680] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002B0FD2
.text C:\WINDOWS\system32\wuauclt.exe[3680] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002C0FC7
.text C:\WINDOWS\system32\wuauclt.exe[3680] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002C0F91
.text C:\WINDOWS\system32\wuauclt.exe[3680] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002C0022
.text C:\WINDOWS\system32\wuauclt.exe[3680] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002C0011
.text C:\WINDOWS\system32\wuauclt.exe[3680] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002C0FA2
.text C:\WINDOWS\system32\wuauclt.exe[3680] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002C0000
.text C:\WINDOWS\system32\wuauclt.exe[3680] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002C004E
.text C:\WINDOWS\system32\wuauclt.exe[3680] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002C003D
.text C:\Program Files\Mozilla Firefox\firefox.exe[4056] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 01222EC0 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs MOBK.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 ATMhelpr.SYS (Windows NT Font Driver Helper/Adobe Systems Incorporated)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 ATMhelpr.SYS (Windows NT Font Driver Helper/Adobe Systems Incorporated)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat MOBK.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@NoChange 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@Installed 1

---- EOF - GMER 1.0.15 ----

Edited by magus73, 03 December 2011 - 03:39 PM.
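The GMER report above lists user-mode inline hooks: every `.text` record names the hooked export, the 5-byte `JMP` written over it, and, where GMER could resolve it, the module that owns the jump target (the Firefox hooks resolve to xul.dll; the svchost.exe and wuauclt.exe hooks land in anonymous memory with no module). As an added, defender-side example that is not part of any post in this thread, the Python below parses records of that shape and groups the unattributed hook targets per process by 64 KiB allocation base, which makes it easy to see many hooked APIs converging on one small injected region. The sample lines are constructed and abridged from the shapes in the log; the regular expressions and the region heuristic are my assumptions, not GMER's own logic.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: a few lines in the shape of GMER's user-mode ".text"
# hook report, modelled on (not copied in full from) the log posted above.
SAMPLE_GMER_LOG = r"""
.text C:\WINDOWS\System32\svchost.exe[1964] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BE0F0D
.text C:\WINDOWS\System32\svchost.exe[1964] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00920FEF
.text C:\WINDOWS\system32\wuauclt.exe[3680] kernel32.dll!VirtualProtectEx 7C801A61 1 Byte [E9]
.text C:\WINDOWS\system32\wuauclt.exe[3680] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001C0065
.text C:\Program Files\Mozilla Firefox\firefox.exe[4056] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 01222EC0 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
"""

# Assumed record layout (my reading of the log, not a GMER specification):
# .text <process path>[<pid>] <module>!<export> <address> <n> Byte(s) <detail>
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>\S+)!(?P<function>\S+)\s+"
    r"(?P<address>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes?\s+(?P<detail>.*)$"
)
# <detail> is "JMP <target>" optionally followed by the module GMER resolved
# the target to, e.g. "C:\...\xul.dll (Mozilla Foundation)".
JMP_RE = re.compile(
    r"^JMP\s+(?P<target>[0-9A-Fa-f]+)(?:\s+(?P<path>.+?)\s+\((?P<vendor>.+)\))?$"
)


@dataclass(frozen=True)
class Hook:
    process: str
    pid: int
    module: str
    function: str
    address: int
    size: int
    target: Optional[int]          # None for a partial patch record such as "1 Byte [E9]"
    target_module: Optional[str]   # None when no loaded module owns the jump target


def parse_gmer_hooks(text: str) -> List[Hook]:
    """Parse user-mode .text hook records; other GMER sections are skipped."""
    hooks: List[Hook] = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        target = target_module = None
        j = JMP_RE.match(m.group("detail"))
        if j:
            target = int(j.group("target"), 16)
            target_module = j.group("path")
        hooks.append(Hook(m.group("process"), int(m.group("pid")), m.group("module"),
                          m.group("function"), int(m.group("address"), 16),
                          int(m.group("size")), target, target_module))
    return hooks


def unattributed_hooks(hooks: List[Hook]) -> List[Hook]:
    """Hooks whose JMP lands in memory GMER could not map to any loaded module."""
    return [h for h in hooks if h.target is not None and h.target_module is None]


def injected_regions(hooks: List[Hook]) -> Dict[Tuple[str, int], Set[int]]:
    """Per process, the 64 KiB allocation bases that unattributed hooks jump into.
    Dozens of hooked APIs converging on one or two such bases point at a single
    injected trampoline block rather than independent legitimate hooks."""
    regions: Dict[Tuple[str, int], Set[int]] = defaultdict(set)
    for h in unattributed_hooks(hooks):
        regions[(h.process, h.pid)].add(h.target & ~0xFFFF)
    return dict(regions)


def report(text: str) -> List[str]:
    """One summary line per process that carries unattributed hooks."""
    hooks = parse_gmer_hooks(text)
    lines = []
    for (proc, pid), bases in sorted(injected_regions(hooks).items()):
        funcs = sorted(f"{h.module}!{h.function}" for h in unattributed_hooks(hooks)
                       if (h.process, h.pid) == (proc, pid))
        lines.append(f"{proc}[{pid}]: {len(funcs)} hook(s) into unattributed region(s) "
                     + ", ".join(f"{b:08X}" for b in sorted(bases)) + ": " + ", ".join(funcs))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_GMER_LOG):
        print(line)
```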


#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender: Male
  • Location: Puerto Rico
  • Local time: 06:25 PM

Posted 04 December 2011 - 12:17 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button and select Immediate Notification, then click Proceed. This will help you get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs, Please Bump The Topic.

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 magus73

  • Topic Starter

Posted 04 December 2011 - 01:50 AM

Thank you for your help. I ran ComboFix and it asked me to download the Recovery Console. It did, and began to run and got through a fair number of stages. Then I got the blue screen: "A problem has been detected and Windows has been shut down to prevent damage... Plug and Play error caused by a faulty driver... Stop: 0x000000CA (0x00000004, 0x00000000, 0x00000000)". I did a hard reboot and everything came back up. No logs were produced.

#6 gringo_pr


Posted 04 December 2011 - 02:08 AM

Hello

Ok, let's try this. I want you to run ComboFix in Safe Mode, but it is very important that when ComboFix reboots the computer you direct it back into Safe Mode so it can finish the scan.

Boot into Safe Mode

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Log in to your usual account.

After ComboFix has finished its scan, please post the report back here.

Gringo

#7 magus73

  • Topic Starter

Posted 04 December 2011 - 11:06 AM

Thank you. I ran ComboFix in Safe Mode; it ran successfully, rebooted (into Safe Mode) and produced a log.

ComboFix 11-12-04.01 - 12/04/2011 9:04.2.1 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2755 [GMT -6:00]
Running from: c:\documents and settings\\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\\WINDOWS
c:\windows\tsoc.log
.
.
((((((((((((((((((((((((( Files Created from 2011-11-04 to 2011-12-04 )))))))))))))))))))))))))))))))
.
.
2011-11-30 03:29 . 2011-11-30 14:24 -------- d-----w- c:\documents and settings\\Application Data\Malwarebytes
2011-11-30 03:29 . 2011-11-30 14:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-11-30 03:29 . 2011-08-31 23:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-30 03:29 . 2011-11-30 14:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-30 02:15 . 2011-11-30 02:15 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-11-30 02:13 . 2011-11-30 02:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-11-30 02:03 . 2011-11-30 02:03 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-11-29 23:54 . 2011-11-29 23:54 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-11-29 23:29 . 2011-11-29 23:29 -------- d-----w- c:\program files\Common Files\Java
2011-11-29 23:29 . 2011-11-29 23:29 0 ----a-w- c:\windows\system32\REN43.tmp
2011-11-29 23:29 . 2011-11-29 23:29 0 ----a-w- c:\windows\system32\REN42.tmp
2011-11-29 23:29 . 2011-11-29 23:29 0 ----a-w- c:\windows\system32\REN41.tmp
2011-11-29 23:29 . 2011-10-03 11:06 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-11-29 23:29 . 2011-10-03 11:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-29 23:28 . 2011-11-29 23:29 -------- d-----w- c:\program files\Java
2011-11-29 17:38 . 2011-11-29 17:38 -------- d-----w- c:\documents and settings\\Application Data\SUPERAntiSpyware.com
2011-11-29 17:38 . 2011-11-29 17:38 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-11-16 21:09 . 2009-04-30 23:01 265496 ----a-w- c:\windows\system32\drivers\lvrs.sys
2011-11-16 21:09 . 2009-04-30 22:55 13976 ----a-w- c:\windows\system32\drivers\lv302af.sys
2011-11-16 21:09 . 2009-04-30 22:39 34068 ----a-w- c:\windows\system32\Repository.reg
2011-11-16 21:07 . 2011-11-16 21:07 -------- d-----w- c:\program files\Logitech
2011-11-11 15:38 . 2011-11-11 15:44 -------- d-----w- c:\program files\MIDIOX
2011-11-11 15:33 . 2011-10-05 18:46 20312 ----a-w- c:\windows\system32\nvnusbaudio_coinst.dll
2011-11-11 15:33 . 2011-11-11 16:02 -------- d-----w- c:\program files\Novation
2011-11-11 15:33 . 2011-10-05 18:46 41944 ----a-w- c:\windows\system32\drivers\nvnusbaudio.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-26 15:27 . 2011-06-06 23:24 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-15 19:16 . 2010-07-15 14:05 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-10-15 19:16 . 2010-07-15 14:05 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-10-15 19:16 . 2010-07-15 14:05 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-10-15 19:16 . 2010-07-15 14:05 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-10-15 19:16 . 2010-07-15 14:05 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-10-15 19:16 . 2010-06-01 01:32 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-10-15 19:16 . 2010-06-01 01:32 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-10-15 19:16 . 2010-04-23 02:22 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-10-15 19:16 . 2010-04-23 02:22 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-10-15 19:16 . 2010-04-23 02:22 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-10-10 14:22 . 2005-11-21 16:32 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2005-11-21 16:32 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 16:41 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41 . 2003-07-16 20:40 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41 . 2003-07-16 20:40 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-21 17:30 . 2005-11-21 23:36 1880 ----a-w- c:\windows\AUTOLNCH.REG
2011-09-06 13:20 . 2005-11-21 16:31 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-11-08 22:48 . 2011-06-06 23:22 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-14 19:01 . 2010-07-15 14:05 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="NvMCTray.dll" [2006-08-12 86016]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb03.exe" [2001-06-12 200704]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2010-04-04 38840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-04-03 640440]
"VX6000"="c:\windows\vVX6000.exe" [2009-07-24 764256]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-16 1318552]
"nwiz"="nwiz.exe" [2006-08-12 1519616]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"HTC Sync Loader"="c:\program files\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2011-04-26 593920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\documents and settings\\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-4-15 110592]
Dropbox.lnk - c:\documents and settings\\Application Data\Dropbox\bin\Dropbox.exe [2011-8-22 24182896]
Logitech . Product Registration.lnk - c:\program files\Logitech\Logitech WebCam Software\eReg.exe [2009-10-14 517384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLinkedConnections"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^^Start Menu^Programs^Startup^WinMySQLadmin.lnk]
path=c:\documents and settings\\Start Menu\Programs\Startup\WinMySQLadmin.lnk
backup=c:\windows\pss\WinMySQLadmin.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SB Audigy 2 Startup Menu]
/L:ENG [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2011-08-15 13:49 1191216 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
2004-12-03 00:23 102400 ------w- c:\program files\Creative\MediaSource\Detector\CTDetect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]
2002-09-30 07:00 45056 ----a-w- c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2003-02-20 22:45 28672 ----a-w- c:\windows\system32\CTHELPER.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
2002-10-29 15:18 49152 ----a-w- c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
2006-08-11 20:56 18944 ----a-w- c:\windows\system32\CTXFIHLP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2001-06-12 09:13 200704 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb03.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hpppta]
2000-12-05 19:02 86016 ----a-w- c:\program files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPPPTA.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2002-08-12 17:07 36864 ----a-w- c:\program files\Scansoft\PaperPort\IndexSearch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2007-02-05 23:52 849280 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
2009-07-24 20:05 118640 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2009-10-14 19:36 2793304 ----a-w- c:\program files\Logitech\Logitech WebCam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-10-12 00:25 1961984 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 16:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-08-12 03:43 7630848 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-08-12 03:43 1519616 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2002-08-12 16:33 45108 ----a-w- c:\program files\Scansoft\PaperPort\pptd40nt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 17:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-04-22 17:20 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"QBFCService"=3 (0x3)
"QBCFMonitorService"=2 (0x2)
"NVSvc"=2 (0x2)
"MDM"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"IntuitUpdateService"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)
"bgsvcgen"=2 (0x2)
"MOBKbackup"=3 (0x3)
"Lavasoft Ad-Aware Service"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\BitZip\\bitzip.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Documents and Settings\\\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/18/2009 9:12 AM 64288]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 5:38 PM 116608]
S1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [11/26/2005 8:54 AM 4064]
S1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/22/2010 8:22 PM 89792]
S1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [7/15/2010 8:07 AM 54776]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 10:27 AM 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 3:55 PM 67664]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [7/15/2010 8:05 AM 214904]
S2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [7/15/2010 8:05 AM 214904]
S2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [7/15/2010 8:05 AM 214904]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [7/15/2010 8:06 AM 160608]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [7/15/2010 8:05 AM 150856]
S2 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [3/31/2011 3:08 PM 80896]
S3 Apache2.2;Apache2.2;c:\xampp\apache\bin\apache.exe [6/14/2008 11:02 AM 17408]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [11/21/2005 2:02 PM 2944]
S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [11/21/2005 2:02 PM 60416]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [11/21/2005 2:02 PM 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [11/21/2005 2:02 PM 10368]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [7/15/2010 8:05 AM 57600]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [8/3/2011 9:32 AM 24576]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [6/22/2010 5:01 PM 21248]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [3/15/2011 8:04 AM 15232]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [7/15/2010 8:05 AM 338176]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/22/2010 8:22 PM 83856]
S3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/22/2010 8:22 PM 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/22/2010 8:22 PM 87656]
S3 Newpogr;Newpogr; [x]
S3 NOVATIONXSTATION;USB ASIO driver for Novation X-Station;c:\windows\system32\drivers\XStnUSB.sys [1/4/2007 9:19 PM 325504]
S3 NVNR25AUSB;Novation XStation USB MIDI WDM Driver;c:\windows\system32\drivers\XStation.sys [1/4/2007 9:19 PM 38858]
S3 NvnUsbAudio;Novation USB Audio Driver;c:\windows\system32\drivers\nvnusbaudio.sys [11/11/2011 9:33 AM 41944]
S3 RDID1058;EDIROL UM-3;c:\windows\system32\drivers\Rdwm1058.sys [9/17/2006 11:16 AM 67778]
S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [8/2/2009 10:33 PM 2074464]
S3 XSTAUDIO;X-Station Audio;c:\windows\system32\drivers\XStAudio.sys [1/4/2007 9:19 PM 23392]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2011 1:47 AM 2152152]
S4 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [4/13/2010 7:11 PM 229688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-03-09 07:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/apps/vso/en-us/redir.asp?affid=105-17&installtype=force&dtag=5brbp41&langid=1&systempopup=true
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 97.64.183.164 97.64.209.37
FF - ProfilePath - c:\documents and settings\\Application Data\Mozilla\Firefox\Profiles\0wt82vwp.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2.exe
MSConfigStartUp-Intuit SyncManager - c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe
MSConfigStartUp-iRiver Updater - c:\program files\iRiver\iRiver Manager\Updater\Updater.exe
MSConfigStartUp-MoneyAgent - c:\program files\Microsoft Money\System\mnyexpr.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
MSConfigStartUp-Weather - c:\program files\AWS\WeatherBug\Weather.exe
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9b.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-04 09:24
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-329068152-1275210071-682003330-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-329068152-1275210071-682003330-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b8,13,ce,5a,fb,cc,60,ca,5a,ab,55,a8,97,59,5f,36,42,be,11,08,0f,74,92,
5f,24,3b,2a,dd,48,d3,53,b0,dd,33,de,f9,66,e4,06,ae,d1,ed,5a,af,d4,72,aa,b0,\
"??"=hex:4b,25,46,08,c0,4d,77,b4,3d,92,b5,18,fd,d2,b1,2c
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
@=""
"Installed"="1"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
@=""
"Installed"="1"
"NoChange"="1"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
@=""
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(224)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\l3codeca.acm
c:\windows\system32\ac3acm.acm
c:\windows\system32\lameACM.acm
c:\windows\system32\IEFRAME.dll
.
- - - - - - - > 'explorer.exe'(344)
c:\windows\system32\WININET.dll
c:\documents and settings\\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\program files\McAfee Online Backup\MOBKshell.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\mcafee.com\agent\mcagent.exe
.
**************************************************************************
.
Completion time: 2011-12-04 09:36:43 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-04 15:36
.
Pre-Run: 7,144,558,592 bytes free
Post-Run: 7,758,569,472 bytes free
.
- - End Of File - - C46CBE932CFF8908CE5E1EFF38F7C5E0

#8 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:25 PM

Posted 04 December 2011 - 12:31 PM

Hello

How are things running?

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
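An added triage example for readers working through logs like the ones in this thread; it is not code from ComboFix, Kaspersky's TDSSKiller, or anyone posting here. It parses the service/driver block from the ComboFix log above (the "S3 Name;Display;path [date size]" lines, where "[x]" marks a registered service whose file is absent on disk, as with Newpogr) and the driver lines from the TDSSKiller log posted later in the thread, then flags what an analyst would look at first: registrations with no image on disk, images written inside a suspect time window, and one deduplicated MD5 per driver file for hash lookup, plus any TDSSKiller verdict other than "ok". The line formats are inferred from the posted logs, the sample lines are copied from them, and the window start (1 November 2011, a month before the first post) is an assumption; a hit is a prompt to review, not a verdict, since a recently installed legitimate driver trips the date check too.

```python
"""Triage of ComboFix service lines and TDSSKiller driver lines.
Added example; line formats inferred from the logs posted in the thread."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: lines copied from the posted ComboFix service section.
COMBOFIX_SAMPLE = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/18/2009 9:12 AM 64288]
S2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [7/15/2010 8:05 AM 214904]
S3 Newpogr;Newpogr; [x]
S3 NvnUsbAudio;Novation USB Audio Driver;c:\windows\system32\drivers\nvnusbaudio.sys [11/11/2011 9:33 AM 41944]
"""

# Constructed sample: lines copied from the posted TDSSKiller log.
TDSSKILLER_SAMPLE = r"""
11:45:47.0078 2376 Lavasoft Kernexplorer (6c4a3804510ad8e0f0c07b5be3d44ddb) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
11:45:47.0078 2376 Lavasoft Kernexplorer - ok
11:45:52.0203 2376 mfendisk (62acda4e958e2a392557ba3c6c754a58) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
11:45:52.0203 2376 mfendisk - ok
11:45:52.0250 2376 mfendiskmp (62acda4e958e2a392557ba3c6c754a58) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
11:45:52.0250 2376 mfendiskmp - ok
11:45:56.0000 2376 mraid35x - ok
"""

# Assumption: anything written on or after this date is "recent" for this case
# (about a month before the first post in the thread).
SUSPECT_WINDOW_START = datetime(2011, 11, 1)

# "<start type> <name>;<display name>;<image path> [<mtime> <size>]" or "[x]"
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]\s*$')
# "<time> <pid> <name> (<md5>) <path>"  and  "<time> <pid> <name> - <verdict>"
TDSS_FILE_RE = re.compile(r'^\S+\s+\d+\s+(.+?) \(([0-9a-f]{32})\) (.+)$')
TDSS_VERDICT_RE = re.compile(r'^\S+\s+\d+\s+(.+?) - (\S.*)$')


def parse_combofix_services(text):
    """One dict per service/driver line; mtime is None when ComboFix printed [x]."""
    rows = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if not m:
            continue
        start, name, display, image, meta = m.groups()
        mtime = None
        if meta.strip().lower() != 'x':
            stamp, _size = meta.rsplit(' ', 1)          # "6/18/2009 9:12 AM", "64288"
            mtime = datetime.strptime(stamp, '%m/%d/%Y %I:%M %p')
        rows.append({'start': start, 'name': name, 'display': display,
                     'image': image.strip(), 'mtime': mtime})
    return rows


def flag_services(rows, recent_after=SUSPECT_WINDOW_START):
    """Registered-but-missing images and images written inside the window."""
    findings = []
    for r in rows:
        if r['mtime'] is None:
            findings.append((r['name'], 'registered but image missing'))
        elif r['mtime'] >= recent_after:
            findings.append((r['name'], 'image written %s' % r['mtime'].date()))
    return findings


def parse_tdsskiller(text):
    """Return ({md5: {'path', 'names'}}, {name: verdict}); one entry per file,
    so drivers registered twice under one image (mfendisk/mfendiskmp) collapse."""
    by_hash = defaultdict(lambda: {'path': None, 'names': []})
    verdicts = {}
    for line in text.splitlines():
        m = TDSS_FILE_RE.match(line)
        if m:
            name, md5, path = m.groups()
            by_hash[md5]['path'] = path
            by_hash[md5]['names'].append(name)
            continue
        m = TDSS_VERDICT_RE.match(line)
        if m:
            verdicts[m.group(1)] = m.group(2)
    return dict(by_hash), verdicts


def not_ok(verdicts):
    """Every TDSSKiller entry whose verdict is anything other than 'ok'."""
    return {n: v for n, v in verdicts.items() if v != 'ok'}


if __name__ == '__main__':
    for name, why in flag_services(parse_combofix_services(COMBOFIX_SAMPLE)):
        print('REVIEW %-12s %s' % (name, why))
    hashes, verdicts = parse_tdsskiller(TDSSKILLER_SAMPLE)
    for md5, info in hashes.items():
        print('LOOKUP %s %s (%s)' % (md5, info['path'], ', '.join(info['names'])))
    print('non-ok verdicts:', not_ok(verdicts))
```

On the sample above the ComboFix pass reports Newpogr (no image on disk) and NvnUsbAudio (written 11 November 2011); the TDSSKiller pass yields two hashes to look up rather than three lines, and no verdict other than "ok". Feed it the complete logs by reading the files instead of the embedded samples.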

#9 magus73

  • Topic Starter

  • Members
  • 12 posts
  • Local time:04:25 PM

Posted 04 December 2011 - 12:50 PM

Thank you so much for your help. The system has been running normally even before I started talking to you; I just noticed activity when I opened a folder containing rkill. McAfee pounced on some trojan and the rkill files were deleted. Other than that all seems normal.

Ran TDSSKILLER with no threats found and no call to reboot.

11:44:57.0625 0232 TDSS rootkit removing tool 2.6.21.0 Nov 24 2011 12:32:44
11:44:57.0812 0232 ============================================================
11:44:57.0812 0232 Current date / time: 2011/12/04 11:44:57.0812
11:44:57.0812 0232 SystemInfo:
11:44:57.0812 0232
11:44:57.0812 0232 OS Version: 5.1.2600 ServicePack: 3.0
11:44:57.0812 0232 Product type: Workstation
11:44:57.0812 0232 ComputerName:
11:44:57.0812 0232 UserName:
11:44:57.0812 0232 Windows directory: C:\WINDOWS
11:44:57.0812 0232 System windows directory: C:\WINDOWS
11:44:57.0812 0232 Processor architecture: Intel x86
11:44:57.0812 0232 Number of processors: 1
11:44:57.0812 0232 Page size: 0x1000
11:44:57.0812 0232 Boot type: Normal boot
11:44:57.0812 0232 ============================================================
11:45:00.0468 0232 Initialize success
11:45:10.0406 2376 ============================================================
11:45:10.0406 2376 Scan started
11:45:10.0406 2376 Mode: Manual;
11:45:10.0406 2376 ============================================================
11:45:11.0390 2376 Abiosdsk - ok
11:45:11.0656 2376 abp480n5 - ok
11:45:12.0031 2376 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
11:45:12.0031 2376 ACPI - ok
11:45:12.0421 2376 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
11:45:12.0421 2376 ACPIEC - ok
11:45:12.0734 2376 adpu160m - ok
11:45:13.0000 2376 aeaudio - ok
11:45:13.0375 2376 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
11:45:13.0375 2376 aec - ok
11:45:13.0765 2376 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
11:45:13.0765 2376 AFD - ok
11:45:14.0187 2376 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
11:45:14.0187 2376 agp440 - ok
11:45:14.0546 2376 Aha154x - ok
11:45:14.0843 2376 aic78u2 - ok
11:45:15.0125 2376 aic78xx - ok
11:45:15.0468 2376 AliIde - ok
11:45:15.0734 2376 amsint - ok
11:45:16.0078 2376 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
11:45:16.0078 2376 Arp1394 - ok
11:45:16.0421 2376 asc - ok
11:45:16.0734 2376 asc3350p - ok
11:45:17.0015 2376 asc3550 - ok
11:45:17.0406 2376 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
11:45:17.0406 2376 AsyncMac - ok
11:45:17.0859 2376 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
11:45:17.0859 2376 atapi - ok
11:45:18.0171 2376 Atdisk - ok
11:45:18.0531 2376 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
11:45:18.0531 2376 Atmarpc - ok
11:45:18.0875 2376 ATMhelpr (3ef1db7f168851914517d4ed36b57c04) C:\WINDOWS\system32\drivers\ATMhelpr.sys
11:45:18.0875 2376 ATMhelpr - ok
11:45:19.0265 2376 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
11:45:19.0265 2376 audstub - ok
11:45:19.0640 2376 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
11:45:19.0640 2376 Beep - ok
11:45:19.0968 2376 brfilt (4ba311473e0d8557827e6f2fe33a8095) C:\WINDOWS\system32\Drivers\Brfilt.sys
11:45:19.0968 2376 brfilt - ok
11:45:20.0343 2376 BrSerWDM (8e06cd96e00472c03770a697d04031c0) C:\WINDOWS\system32\Drivers\BrSerWdm.sys
11:45:20.0343 2376 BrSerWDM - ok
11:45:20.0671 2376 BrUsbMdm (37e2d0b12ddf536cd64af6eb3b580ef8) C:\WINDOWS\system32\Drivers\BrUsbMdm.sys
11:45:20.0671 2376 BrUsbMdm - ok
11:45:21.0000 2376 BrUsbScn (1c5f014048e5b2748c1a8ad297c50b6f) C:\WINDOWS\system32\Drivers\BrUsbScn.sys
11:45:21.0000 2376 BrUsbScn - ok
11:45:21.0015 2376 catchme - ok
11:45:21.0390 2376 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
11:45:21.0390 2376 cbidf2k - ok
11:45:21.0734 2376 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
11:45:21.0734 2376 CCDECODE - ok
11:45:22.0046 2376 cd20xrnt - ok
11:45:22.0421 2376 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
11:45:22.0421 2376 Cdaudio - ok
11:45:22.0765 2376 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
11:45:22.0765 2376 Cdfs - ok
11:45:23.0140 2376 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
11:45:23.0140 2376 Cdrom - ok
11:45:23.0546 2376 cfwids (1dcb5209601a70e36c70fe8d197d62cb) C:\WINDOWS\system32\drivers\cfwids.sys
11:45:23.0546 2376 cfwids - ok
11:45:23.0859 2376 Changer - ok
11:45:24.0203 2376 CmdIde - ok
11:45:24.0531 2376 Cpqarray - ok
11:45:24.0984 2376 ctac32k (fb06bb39860340c6fa84867f0288d1dd) C:\WINDOWS\system32\drivers\ctac32k.sys
11:45:24.0984 2376 ctac32k - ok
11:45:25.0515 2376 ctaud2k (b810fa12cf726b200e057834eaebb1ac) C:\WINDOWS\system32\drivers\ctaud2k.sys
11:45:25.0531 2376 ctaud2k - ok
11:45:25.0968 2376 ctdvda2k (c4333325d325efa668888d0d3177c6ff) C:\WINDOWS\system32\drivers\ctdvda2k.sys
11:45:25.0968 2376 ctdvda2k - ok
11:45:26.0343 2376 ctprxy2k (1fa95c8cf34b9911e352a07ea7a200fc) C:\WINDOWS\system32\drivers\ctprxy2k.sys
11:45:26.0343 2376 ctprxy2k - ok
11:45:26.0750 2376 ctsfm2k (400cb754b91f73bee2655686a57269d2) C:\WINDOWS\system32\drivers\ctsfm2k.sys
11:45:26.0750 2376 ctsfm2k - ok
11:45:27.0062 2376 dac2w2k - ok
11:45:27.0359 2376 dac960nt - ok
11:45:27.0703 2376 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
11:45:27.0703 2376 Disk - ok
11:45:28.0312 2376 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
11:45:28.0312 2376 dmboot - ok
11:45:28.0718 2376 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
11:45:28.0718 2376 dmio - ok
11:45:29.0078 2376 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
11:45:29.0078 2376 dmload - ok
11:45:29.0484 2376 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
11:45:29.0484 2376 DMusic - ok
11:45:29.0812 2376 dpti2o - ok
11:45:30.0140 2376 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
11:45:30.0140 2376 drmkaud - ok
11:45:30.0562 2376 E100B (98b46b331404a951cabad8b4877e1276) C:\WINDOWS\system32\DRIVERS\e100b325.sys
11:45:30.0562 2376 E100B - ok
11:45:30.0953 2376 emupia (7bb488ec082d40645936d9e583f560dc) C:\WINDOWS\system32\drivers\emupia2k.sys
11:45:30.0953 2376 emupia - ok
11:45:31.0312 2376 ENUM1394 (80d1b490b60e74e002dc116ec5d41748) C:\WINDOWS\system32\DRIVERS\enum1394.sys
11:45:31.0312 2376 ENUM1394 - ok
11:45:31.0718 2376 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
11:45:31.0718 2376 Fastfat - ok
11:45:32.0093 2376 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
11:45:32.0093 2376 Fdc - ok
11:45:32.0468 2376 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
11:45:32.0468 2376 Fips - ok
11:45:32.0843 2376 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
11:45:32.0843 2376 Flpydisk - ok
11:45:33.0250 2376 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
11:45:33.0250 2376 FltMgr - ok
11:45:33.0609 2376 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
11:45:33.0609 2376 Fs_Rec - ok
11:45:33.0937 2376 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
11:45:33.0953 2376 Ftdisk - ok
11:45:34.0312 2376 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
11:45:34.0312 2376 gameenum - ok
11:45:34.0671 2376 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
11:45:34.0671 2376 Gpc - ok
11:45:35.0234 2376 ha10kx2k (9bb84b1dff8bce7fdddea746f6819fcf) C:\WINDOWS\system32\drivers\ha10kx2k.sys
11:45:35.0250 2376 ha10kx2k - ok
11:45:35.0687 2376 hap16v2k (1418833169b29780fbdab127623b8767) C:\WINDOWS\system32\drivers\hap16v2k.sys
11:45:35.0687 2376 hap16v2k - ok
11:45:36.0093 2376 hap17v2k (8b3148391dc121d96d513785d588e75b) C:\WINDOWS\system32\drivers\hap17v2k.sys
11:45:36.0093 2376 hap17v2k - ok
11:45:36.0500 2376 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
11:45:36.0500 2376 HidUsb - ok
11:45:36.0812 2376 hpn - ok
11:45:37.0140 2376 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
11:45:37.0140 2376 HPZid412 - ok
11:45:37.0531 2376 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
11:45:37.0531 2376 HPZipr12 - ok
11:45:37.0906 2376 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
11:45:37.0906 2376 HPZius12 - ok
11:45:38.0312 2376 HSFHWBS2 (77e4ff0b73bc0aeaaf39bf0c8104231f) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
11:45:38.0312 2376 HSFHWBS2 - ok
11:45:38.0968 2376 HSF_DP (60e1604729a15ef4a3b05f298427b3b1) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
11:45:38.0984 2376 HSF_DP - ok
11:45:39.0390 2376 HTCAND32 (cbd09ed9cf6822177ee85aea4d8816a2) C:\WINDOWS\system32\Drivers\ANDROIDUSB.sys
11:45:39.0390 2376 HTCAND32 - ok
11:45:39.0734 2376 htcnprot (04e3b3554076b8192a668efe88a682a1) C:\WINDOWS\system32\DRIVERS\htcnprot.sys
11:45:39.0750 2376 htcnprot - ok
11:45:40.0156 2376 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
11:45:40.0156 2376 HTTP - ok
11:45:40.0484 2376 i2omgmt - ok
11:45:40.0781 2376 i2omp - ok
11:45:41.0109 2376 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
11:45:41.0109 2376 i8042prt - ok
11:45:41.0437 2376 ifp800 - ok
11:45:41.0796 2376 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
11:45:41.0796 2376 Imapi - ok
11:45:42.0109 2376 ini910u - ok
11:45:42.0406 2376 IntelIde - ok
11:45:42.0765 2376 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
11:45:42.0765 2376 intelppm - ok
11:45:43.0125 2376 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
11:45:43.0125 2376 ip6fw - ok
11:45:43.0484 2376 IPFilter (9ea02e03ed52d25551a6e46cf3b94b01) C:\WINDOWS\system32\DRIVERS\IPFilter.sys
11:45:43.0484 2376 IPFilter - ok
11:45:43.0828 2376 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
11:45:43.0828 2376 IpFilterDriver - ok
11:45:44.0187 2376 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
11:45:44.0187 2376 IpInIp - ok
11:45:44.0609 2376 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
11:45:44.0609 2376 IpNat - ok
11:45:44.0984 2376 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
11:45:44.0984 2376 IPSec - ok
11:45:45.0359 2376 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
11:45:45.0359 2376 IRENUM - ok
11:45:45.0718 2376 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
11:45:45.0718 2376 isapnp - ok
11:45:46.0078 2376 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
11:45:46.0078 2376 Kbdclass - ok
11:45:46.0484 2376 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
11:45:46.0500 2376 kmixer - ok
11:45:46.0921 2376 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
11:45:46.0921 2376 KSecDD - ok
11:45:47.0078 2376 Lavasoft Kernexplorer (6c4a3804510ad8e0f0c07b5be3d44ddb) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
11:45:47.0078 2376 Lavasoft Kernexplorer - ok
11:45:47.0468 2376 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\WINDOWS\system32\DRIVERS\Lbd.sys
11:45:47.0468 2376 Lbd - ok
11:45:47.0781 2376 lbrtfdc - ok
11:45:48.0109 2376 LVPr2Mon (1a7db7a00a4b0d8da24cd691a4547291) C:\WINDOWS\system32\Drivers\LVPr2Mon.sys
11:45:48.0109 2376 LVPr2Mon - ok
11:45:48.0562 2376 LVRS (87ecce893d8aec5a9337b917742d339c) C:\WINDOWS\system32\DRIVERS\lvrs.sys
11:45:48.0562 2376 LVRS - ok
11:45:48.0968 2376 mdmxsdk (eeaea6514ba7c9d273b5e87c4e1aab30) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
11:45:48.0968 2376 mdmxsdk - ok
11:45:49.0343 2376 mf (a7da20ab18a1bdae28b0f349e57da0d1) C:\WINDOWS\system32\DRIVERS\mf.sys
11:45:49.0343 2376 mf - ok
11:45:49.0781 2376 mfeapfk (36b47b1e9c537f8f2b4481084b8f7d22) C:\WINDOWS\system32\drivers\mfeapfk.sys
11:45:49.0781 2376 mfeapfk - ok
11:45:50.0187 2376 mfeavfk (cde41293db871a75cd99eb0ce781356b) C:\WINDOWS\system32\drivers\mfeavfk.sys
11:45:50.0187 2376 mfeavfk - ok
11:45:50.0531 2376 mfeavfk01 - ok
11:45:50.0875 2376 mfebopk (e22385f64bdf0ad81157479496e33c4a) C:\WINDOWS\system32\drivers\mfebopk.sys
11:45:50.0875 2376 mfebopk - ok
11:45:51.0312 2376 mfefirek (215666a8a85023ef019b510cbb67f678) C:\WINDOWS\system32\drivers\mfefirek.sys
11:45:51.0328 2376 mfefirek - ok
11:45:51.0812 2376 mfehidk (56d330981866a72f061dd16cc5004513) C:\WINDOWS\system32\drivers\mfehidk.sys
11:45:51.0828 2376 mfehidk - ok
11:45:52.0203 2376 mfendisk (62acda4e958e2a392557ba3c6c754a58) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
11:45:52.0203 2376 mfendisk - ok
11:45:52.0250 2376 mfendiskmp (62acda4e958e2a392557ba3c6c754a58) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
11:45:52.0250 2376 mfendiskmp - ok
11:45:52.0656 2376 mferkdet (89b564d63c53fc0c6782ab07eea63acf) C:\WINDOWS\system32\drivers\mferkdet.sys
11:45:52.0656 2376 mferkdet - ok
11:45:53.0031 2376 mfetdi2k (922e64ca38e38106498fb3435a8e399d) C:\WINDOWS\system32\drivers\mfetdi2k.sys
11:45:53.0031 2376 mfetdi2k - ok
11:45:53.0406 2376 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
11:45:53.0406 2376 mnmdd - ok
11:45:53.0781 2376 MOBKFilter (e896775837a8bce436348df460522394) C:\WINDOWS\system32\DRIVERS\MOBK.sys
11:45:53.0796 2376 MOBKFilter - ok
11:45:54.0171 2376 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
11:45:54.0171 2376 Modem - ok
11:45:54.0531 2376 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
11:45:54.0546 2376 MODEMCSA - ok
11:45:54.0890 2376 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
11:45:54.0890 2376 Mouclass - ok
11:45:55.0265 2376 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
11:45:55.0265 2376 mouhid - ok
11:45:55.0687 2376 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
11:45:55.0687 2376 MountMgr - ok
11:45:56.0000 2376 mraid35x - ok
11:45:56.0359 2376 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
11:45:56.0359 2376 MRxDAV - ok
11:45:56.0843 2376 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
11:45:56.0859 2376 MRxSmb - ok
11:45:57.0218 2376 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
11:45:57.0218 2376 Msfs - ok
11:45:57.0609 2376 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
11:45:57.0609 2376 MSKSSRV - ok
11:45:57.0937 2376 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
11:45:57.0937 2376 MSPCLOCK - ok
11:45:58.0281 2376 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
11:45:58.0281 2376 MSPQM - ok
11:45:58.0656 2376 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
11:45:58.0656 2376 mssmbios - ok
11:45:59.0015 2376 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
11:45:59.0015 2376 MSTEE - ok
11:45:59.0421 2376 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
11:45:59.0421 2376 Mup - ok
11:45:59.0812 2376 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
11:45:59.0812 2376 NABTSFEC - ok
11:46:00.0203 2376 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
11:46:00.0203 2376 NDIS - ok
11:46:00.0593 2376 ndiscm (b797ee2ef919c95561dee78b72b33e5b) C:\WINDOWS\system32\DRIVERS\NetMotCM.sys
11:46:00.0593 2376 ndiscm - ok
11:46:00.0968 2376 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
11:46:00.0968 2376 NdisIP - ok
11:46:01.0328 2376 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
11:46:01.0328 2376 NdisTapi - ok
11:46:01.0718 2376 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
11:46:01.0718 2376 Ndisuio - ok
11:46:02.0093 2376 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
11:46:02.0093 2376 NdisWan - ok
11:46:02.0468 2376 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
11:46:02.0468 2376 NDProxy - ok
11:46:02.0875 2376 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
11:46:02.0890 2376 NetBIOS - ok
11:46:03.0281 2376 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
11:46:03.0281 2376 NetBT - ok
11:46:03.0734 2376 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
11:46:03.0734 2376 NIC1394 - ok
11:46:04.0250 2376 NOVATIONXSTATION (f95fe0cfec29247e869272dbcf3d613c) C:\WINDOWS\system32\Drivers\XStnUSB.sys
11:46:04.0250 2376 NOVATIONXSTATION - ok
11:46:04.0656 2376 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
11:46:04.0656 2376 Npfs - ok
11:46:05.0171 2376 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
11:46:05.0171 2376 Ntfs - ok
11:46:05.0578 2376 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
11:46:05.0578 2376 Null - ok
11:46:07.0078 2376 nv (5645072033c2e51386e91bc137c0beb5) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
11:46:07.0109 2376 nv - ok
11:46:07.0500 2376 NVNR25AUSB (693881d730f1fc0a790eaebb02228e92) C:\WINDOWS\system32\Drivers\XStation.sys
11:46:07.0500 2376 NVNR25AUSB - ok
11:46:07.0859 2376 NvnUsbAudio (73d4112d75e188bc161b3695c401db86) C:\WINDOWS\system32\DRIVERS\nvnusbaudio.sys
11:46:07.0859 2376 NvnUsbAudio - ok
11:46:08.0203 2376 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
11:46:08.0218 2376 NwlnkFlt - ok
11:46:08.0593 2376 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
11:46:08.0593 2376 NwlnkFwd - ok
11:46:08.0953 2376 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
11:46:08.0953 2376 ohci1394 - ok
11:46:09.0328 2376 OMCI (cec7e2c6c1fa00c7ab2f5434f848ae51) C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
11:46:09.0328 2376 OMCI - ok
11:46:09.0734 2376 ossrv (01e1ab8249f9dde5978c6b4af18eda7c) C:\WINDOWS\system32\drivers\ctoss2k.sys
11:46:09.0750 2376 ossrv - ok
11:46:10.0109 2376 P1110VID (56ebd7c43be8c9e129d452828c1532d8) C:\WINDOWS\system32\DRIVERS\P1110Vid.sys
11:46:10.0109 2376 P1110VID - ok
11:46:10.0484 2376 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
11:46:10.0484 2376 Parport - ok
11:46:10.0843 2376 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
11:46:10.0843 2376 PartMgr - ok
11:46:11.0203 2376 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
11:46:11.0203 2376 ParVdm - ok
11:46:11.0640 2376 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
11:46:11.0640 2376 PCI - ok
11:46:11.0953 2376 PCIDump - ok
11:46:12.0265 2376 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
11:46:12.0265 2376 PCIIde - ok
11:46:12.0703 2376 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
11:46:12.0703 2376 Pcmcia - ok
11:46:13.0015 2376 PDCOMP - ok
11:46:13.0281 2376 PDFRAME - ok
11:46:13.0562 2376 PDRELI - ok
11:46:13.0859 2376 PDRFRAME - ok
11:46:14.0187 2376 pepifilter (b20f958b207e6aaac5f70d04dd2c30d8) C:\WINDOWS\system32\DRIVERS\lv302af.sys
11:46:14.0187 2376 pepifilter - ok
11:46:14.0546 2376 perc2 - ok
11:46:14.0890 2376 perc2hib - ok
11:46:16.0031 2376 PID_PEPI (dd184d9adfe2a8a21741dbdfe9e22f5c) C:\WINDOWS\system32\DRIVERS\LV302V32.SYS
11:46:16.0062 2376 PID_PEPI - ok
11:46:16.0437 2376 Point32 (dcdf0421a1c14f2923e298a30fd7636d) C:\WINDOWS\system32\DRIVERS\point32.sys
11:46:16.0437 2376 Point32 - ok
11:46:16.0859 2376 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
11:46:16.0859 2376 PptpMiniport - ok
11:46:17.0218 2376 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
11:46:17.0234 2376 Processor - ok
11:46:17.0625 2376 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
11:46:17.0625 2376 PSched - ok
11:46:17.0984 2376 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
11:46:17.0984 2376 Ptilink - ok
11:46:18.0312 2376 PxHelp20 (b572ed0c3e6165643fa116af20425a54) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys
11:46:18.0312 2376 PxHelp20 - ok
11:46:18.0640 2376 ql1080 - ok
11:46:18.0968 2376 Ql10wnt - ok
11:46:19.0312 2376 ql12160 - ok
11:46:19.0609 2376 ql1240 - ok
11:46:19.0906 2376 ql1280 - ok
11:46:20.0218 2376 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
11:46:20.0218 2376 RasAcd - ok
11:46:20.0609 2376 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
11:46:20.0609 2376 Rasl2tp - ok
11:46:21.0000 2376 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
11:46:21.0000 2376 RasPppoe - ok
11:46:21.0359 2376 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
11:46:21.0359 2376 Raspti - ok
11:46:21.0781 2376 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
11:46:21.0781 2376 Rdbss - ok
11:46:22.0156 2376 RDID1058 (43c4a53da3bc84f8f59e74017932c539) C:\WINDOWS\system32\Drivers\rdwm1058.sys
11:46:22.0156 2376 RDID1058 - ok
11:46:22.0500 2376 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
11:46:22.0515 2376 RDPCDD - ok
11:46:22.0890 2376 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
11:46:22.0890 2376 RDPWD - ok
11:46:23.0265 2376 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
11:46:23.0265 2376 redbook - ok
11:46:23.0437 2376 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
11:46:23.0437 2376 SASDIFSV - ok
11:46:23.0593 2376 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
11:46:23.0593 2376 SASKUTIL - ok
11:46:23.0953 2376 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
11:46:23.0953 2376 Secdrv - ok
11:46:24.0343 2376 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
11:46:24.0343 2376 serenum - ok
11:46:24.0765 2376 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
11:46:24.0765 2376 Serial - ok
11:46:25.0140 2376 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
11:46:25.0140 2376 Sfloppy - ok
11:46:25.0468 2376 Simbad - ok
11:46:25.0796 2376 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
11:46:25.0796 2376 SLIP - ok
11:46:26.0109 2376 smwdm - ok
11:46:26.0390 2376 Sparrow - ok
11:46:26.0750 2376 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
11:46:26.0750 2376 splitter - ok
11:46:27.0140 2376 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
11:46:27.0140 2376 sr - ok
11:46:27.0593 2376 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
11:46:27.0593 2376 Srv - ok
11:46:27.0953 2376 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
11:46:27.0968 2376 streamip - ok
11:46:28.0312 2376 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
11:46:28.0312 2376 swenum - ok
11:46:28.0703 2376 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
11:46:28.0703 2376 swmidi - ok
11:46:29.0015 2376 symc810 - ok
11:46:29.0312 2376 symc8xx - ok
11:46:29.0656 2376 sym_hi - ok
11:46:29.0953 2376 sym_u3 - ok
11:46:30.0296 2376 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
11:46:30.0296 2376 sysaudio - ok
11:46:30.0796 2376 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
11:46:30.0796 2376 Tcpip - ok
11:46:31.0140 2376 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
11:46:31.0140 2376 TDPIPE - ok
11:46:31.0484 2376 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
11:46:31.0484 2376 TDTCP - ok
11:46:31.0890 2376 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
11:46:31.0890 2376 TermDD - ok
11:46:32.0234 2376 TosIde - ok
11:46:32.0562 2376 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
11:46:32.0562 2376 Udfs - ok
11:46:32.0921 2376 ultra - ok
11:46:33.0359 2376 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
11:46:33.0359 2376 Update - ok
11:46:33.0781 2376 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
11:46:33.0781 2376 usbaudio - ok
11:46:34.0093 2376 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
11:46:34.0093 2376 usbccgp - ok
11:46:34.0468 2376 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
11:46:34.0468 2376 usbehci - ok
11:46:34.0875 2376 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
11:46:34.0875 2376 usbhub - ok
11:46:35.0234 2376 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
11:46:35.0234 2376 usbprint - ok
11:46:35.0593 2376 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
11:46:35.0593 2376 usbscan - ok
11:46:35.0968 2376 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
11:46:35.0968 2376 USBSTOR - ok
11:46:36.0328 2376 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
11:46:36.0343 2376 usbuhci - ok
11:46:36.0718 2376 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
11:46:36.0718 2376 VgaSave - ok
11:46:37.0031 2376 ViaIde - ok
11:46:37.0359 2376 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
11:46:37.0359 2376 VolSnap - ok
11:46:38.0328 2376 VX6000 (3a5f9d943e2566e59163b2502fa684f8) C:\WINDOWS\system32\DRIVERS\VX6000Xp.sys
11:46:38.0343 2376 VX6000 - ok
11:46:38.0734 2376 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
11:46:38.0734 2376 Wanarp - ok
11:46:39.0203 2376 Wdf01000 (4769596d7cc0f5fa447d2babc239672a) C:\WINDOWS\system32\Drivers\wdf01000.sys
11:46:39.0218 2376 Wdf01000 - ok
11:46:39.0578 2376 WDICA - ok
11:46:39.0953 2376 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
11:46:39.0953 2376 wdmaud - ok
11:46:40.0515 2376 winachsf (f59ed5a43b988a18ef582bb07b2327a7) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
11:46:40.0515 2376 winachsf - ok
11:46:40.0953 2376 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
11:46:40.0953 2376 WSTCODEC - ok
11:46:41.0312 2376 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
11:46:41.0312 2376 WudfPf - ok
11:46:41.0687 2376 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
11:46:41.0687 2376 WudfRd - ok
11:46:42.0062 2376 XSTAUDIO (eb23aab456cd3031f4c0ce75888807ab) C:\WINDOWS\system32\drivers\XStAudio.sys
11:46:42.0062 2376 XSTAUDIO - ok
11:46:42.0140 2376 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
11:46:42.0343 2376 \Device\Harddisk0\DR0 - ok
11:46:42.0375 2376 Boot (0x1200) (fa3a3871cf7cf6fc81b86ee9ab64666e) \Device\Harddisk0\DR0\Partition0
11:46:42.0375 2376 \Device\Harddisk0\DR0\Partition0 - ok
11:46:42.0375 2376 ============================================================
11:46:42.0375 2376 Scan finished
11:46:42.0375 2376 ============================================================
11:46:42.0390 2452 Detected object count: 0
11:46:42.0390 2452 Actual detected object count: 0

#10 gringo_pr (Bleepin Gringo, Malware Response Team, Puerto Rico)

Posted 04 December 2011 - 01:19 PM

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add/remove programs
click on the following programs

Adobe Reader 9.4.6

and click on remove

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.



TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#11 magus73 (Topic Starter)

Posted 04 December 2011 - 04:11 PM

I will follow your last instructions but wanted to mention McAfee popped up an alert saying "potentially Unwanted Program Blocked" Tool-NirCmd was quarantined from "system volume info/_restore" Should I Remove or Allow?

Thanks

#12 gringo_pr (Bleepin Gringo, Malware Response Team, Puerto Rico)

Posted 04 December 2011 - 04:12 PM

Allow, that is part of ComboFix.


gringo

#13 magus73 (Topic Starter)

Posted 04 December 2011 - 06:42 PM

Thanks.

1. I tried to remove Adobe Reader but it gave me an "Error 1402 Could not open key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CurrentVersion\Run\Optional\Components\IMAIL. Verify you have sufficient access..." and would not remove it. I clicked OK and it said "Fatal error during installation."

2. Ran TFC - no problems
3. Ran MBAM - nothing found - log below
4. Ran HiJackThis - log below

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8311

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/4/2011 4:56:58 PM
mbam-log-2011-12-04 (16-56-57).txt

Scan type: Quick scan
Objects scanned: 178805
Time elapsed: 16 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:31:34 PM, on 12/4/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\vVX6000.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\HTC\HTC Sync 3.0\htcUPCTLoader.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\\Application Data\Dropbox\bin\Dropbox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/apps/vso/en-us/redir.asp?affid=105-17&installtype=force&dtag=5brbp41&langid=1&systempopup=true
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll (file missing)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20111108182040.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [VX6000] C:\WINDOWS\vVX6000.exe
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [HTC Sync Loader] "C:\Program Files\HTC\HTC Sync 3.0\htcUPCTLoader.exe" -startup
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Dropbox.lnk = C:\Documents and Settings\\Application Data\Dropbox\bin\Dropbox.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Logitech . Product Registration.lnk = C:\Program Files\Logitech\Logitech WebCam Software\eReg.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - .DEFAULT Startup: Dropbox.lnk = C:\Documents and Settings\\Application Data\Dropbox\bin\Dropbox.exe (User 'Default user')
O4 - .DEFAULT Startup: Logitech . Product Registration.lnk = C:\Program Files\Logitech\Logitech WebCam Software\eReg.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Dropbox.lnk = C:\Documents and Settings\\Application Data\Dropbox\bin\Dropbox.exe
O4 - Startup: Logitech . Product Registration.lnk = C:\Program Files\Logitech\Logitech WebCam Software\eReg.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://www.moviegroup.tv/activex/DownloadMgr.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\mcsniepl.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2.2 - Apache Software Foundation - c:\xampp\apache\bin\apache.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: Internet Pass-Through Service (PassThru Service) - Unknown owner - C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe

--
End of file - 12088 bytes
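The HijackThis log above is the artifact the helper is reading by eye. As an added example (not part of this thread and not a HijackThis, Trend Micro or BleepingComputer tool), here is a Python script that does the same first pass mechanically: it parses the O2/O3/O4/O9/O16/O23 lines and flags the entries a responder would verify first. The sample lines are copied from the log above; the heuristics (file-missing references, services with an unknown owner, autoruns that name a bare file resolved via PATH, executables living directly in C:\WINDOWS or under a user profile, ActiveX downloads from hosts outside a small allowlist) and the allowlist itself are this example's own assumptions. A hit is a prompt to look, not a verdict; several of the flagged entries here (the VX6000 launcher, the Dropbox startup link) have matching legitimate software elsewhere in the thread.

```python
"""First-pass triage of a HijackThis 2.0 log.

Added example for this thread; it is not a HijackThis, Trend Micro or
BleepingComputer tool.  The sample lines are copied from the log posted
above; every heuristic and the DPF host allowlist are this example's own
assumptions.  A hit means "verify this entry", not "this is malicious".
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Lines copied from the HijackThis log in the thread (constructed sample input).
SAMPLE_LOG = r"""
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll (file missing)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20111108182040.dll
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VX6000] C:\WINDOWS\vVX6000.exe
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - Startup: Dropbox.lnk = C:\Documents and Settings\\Application Data\Dropbox\bin\Dropbox.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll (file missing)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://www.moviegroup.tv/activex/DownloadMgr.cab
O23 - Service: Internet Pass-Through Service (PassThru Service) - Unknown owner - C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
"""

# Assumed allowlist for O16 (Download Program Files) hosts; extend as needed.
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com", "mcafee.com", "adobe.com", "java.com")

# One regex per HJT section that carries a file path or URL.
RX = {
    "O2":  re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$"),
    "O3":  re.compile(r"^O3 - Toolbar: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$"),
    "O4":  re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]*)\] |(?P<lnk>[^=]+) = )?(?P<cmd>.*)$"),
    "O9":  re.compile(r"^O9 - (?P<kind>[^:]+): (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$"),
    "O16": re.compile(r"^O16 - DPF: \{(?P<clsid>[^}]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$"),
}
# First token ending in an executable-ish extension, stopping before args or "(file missing)".
EXE_RX = re.compile(r"^(.*?\.(?:exe|dll|cpl|scr|com|bat|cmd|vbs|sys))(?=\s|,|$)", re.I)


@dataclass(frozen=True)
class Finding:
    section: str
    subject: str
    reasons: tuple


def first_path(cmd: str) -> str:
    """Pull the executable/DLL out of a command line or 'path (file missing)' field."""
    quoted = re.match(r'^"([^"]+)"', cmd)
    if quoted:
        return quoted.group(1)
    m = EXE_RX.match(cmd)
    return m.group(1) if m else cmd.strip()


def assess(raw: str, path=None, vendor=None, url=None) -> list:
    """Return the reasons (if any) this entry deserves a closer look."""
    reasons = []
    if "(file missing)" in raw:
        reasons.append("dead reference: target file is missing (clean-up item, not proof of infection)")
    if vendor and vendor.lower() == "unknown owner":
        reasons.append("service binary reports no vendor: verify the publisher/signature")
    if path:
        p = path.lower().replace("\\\\", "\\")          # HJT sometimes doubles a separator
        if "\\" not in p:
            reasons.append("bare filename: resolved via PATH search, easy to hijack")
        else:
            parent = p.rsplit("\\", 1)[0]
            if parent.endswith(":\\windows"):
                reasons.append("executable sits directly in the Windows directory")
            if any(tag in p for tag in ("\\application data\\", "\\local settings\\temp\\", "\\temp\\")):
                reasons.append("runs from a user-writable profile location")
    if url:
        host = urlsplit(url).hostname or ""
        if not any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_HOSTS):
            reasons.append(f"ActiveX control fetched from non-allowlisted host {host}")
    return reasons


def triage(log_text: str) -> list:
    """Parse the supported sections and return one Finding per flagged entry."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        sec = line.split(" ", 1)[0]
        rx = RX.get(sec)
        m = rx.match(line) if rx else None
        if not m:
            continue
        g = m.groupdict()
        path = url = None
        if sec == "O16":
            url = g["url"]
        else:
            path = first_path(g["cmd"] if sec == "O4" else g["path"])
        reasons = assess(line, path=path, vendor=g.get("vendor"), url=url)
        if reasons:
            subject = g.get("name") or g.get("lnk") or g.get("clsid")
            findings.append(Finding(sec, subject, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.subject}")
        for r in f.reasons:
            print(f"      - {r}")
```

Run it on a full log by replacing SAMPLE_LOG with the file contents; the R0/R1/O8/O18/O22 sections carry no path of their own and are skipped on purpose. The "bare filename" rule will also fire on RunDLL32.exe entries, which is the point: the DLL named after it is what actually runs, so that line is where you check the module, not the host.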

#14 gringo_pr (Bleepin Gringo, Malware Response Team, Puerto Rico)

Posted 04 December 2011 - 08:38 PM

Hello

Run this script, then try Adobe again.


:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

RegLock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#15 magus73 (Topic Starter)

Posted 05 December 2011 - 09:56 AM

Hello and again thank you so much for all your work.

I dragged in the CFScript, ComboFix ran, and produced the log below. I was also immediately able to uninstall Adobe Reader. I'll give Foxit a shot. Thanks for the tip. Computer seems to be running normally.

ComboFix 11-12-04.04 - 12/04/2011 21:50:46.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2600 [GMT -6:00]
Running from: c:\documents and settings\\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\\Desktop\CFScript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\dasetup.log
c:\windows\My.ini
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-11-05 to 2011-12-05 )))))))))))))))))))))))))))))))
.
.
2011-12-04 23:31 . 2011-12-04 23:31 388096 ----a-r- c:\documents and settings\\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-12-04 23:30 . 2011-12-04 23:30 -------- d-----w- c:\program files\Trend Micro
2011-11-30 03:29 . 2011-11-30 14:24 -------- d-----w- c:\documents and settings\\Application Data\Malwarebytes
2011-11-30 03:29 . 2011-11-30 14:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-11-30 03:29 . 2011-08-31 23:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-30 03:29 . 2011-11-30 14:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-30 02:15 . 2011-11-30 02:15 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-11-30 02:13 . 2011-11-30 02:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-11-30 02:03 . 2011-11-30 02:03 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-11-29 23:54 . 2011-11-29 23:54 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-11-29 23:29 . 2011-11-29 23:29 -------- d-----w- c:\program files\Common Files\Java
2011-11-29 23:29 . 2011-10-03 11:06 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-11-29 23:29 . 2011-10-03 11:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-29 23:28 . 2011-11-29 23:29 -------- d-----w- c:\program files\Java
2011-11-29 17:38 . 2011-11-29 17:38 -------- d-----w- c:\documents and settings\\Application Data\SUPERAntiSpyware.com
2011-11-29 17:38 . 2011-11-29 17:38 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-11-16 21:09 . 2009-04-30 23:01 265496 ----a-w- c:\windows\system32\drivers\lvrs.sys
2011-11-16 21:09 . 2009-04-30 22:55 13976 ----a-w- c:\windows\system32\drivers\lv302af.sys
2011-11-16 21:07 . 2011-11-16 21:07 -------- d-----w- c:\program files\Logitech
2011-11-11 15:38 . 2011-11-11 15:44 -------- d-----w- c:\program files\MIDIOX
2011-11-11 15:33 . 2011-11-11 16:02 -------- d-----w- c:\program files\Novation
2011-11-11 15:33 . 2011-10-05 18:46 41944 ----a-w- c:\windows\system32\drivers\nvnusbaudio.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-26 15:27 . 2011-06-06 23:24 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-15 19:16 . 2010-07-15 14:05 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-10-15 19:16 . 2010-07-15 14:05 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-10-15 19:16 . 2010-07-15 14:05 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-10-15 19:16 . 2010-07-15 14:05 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-10-15 19:16 . 2010-07-15 14:05 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-10-15 19:16 . 2010-06-01 01:32 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-10-15 19:16 . 2010-06-01 01:32 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-10-15 19:16 . 2010-04-23 02:22 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-10-15 19:16 . 2010-04-23 02:22 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-10-15 19:16 . 2010-04-23 02:22 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-10-10 14:22 . 2005-11-21 16:32 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-05 18:46 . 2011-11-11 15:33 20312 ----a-w- c:\windows\system32\nvnusbaudio_coinst.dll
2011-09-28 07:06 . 2005-11-21 16:32 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 16:41 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41 . 2003-07-16 20:40 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41 . 2003-07-16 20:40 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-21 17:30 . 2005-11-21 23:36 1880 ----a-w- c:\windows\AUTOLNCH.REG
2011-09-06 13:20 . 2005-11-21 16:31 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-11-08 22:48 . 2011-06-06 23:22 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-14 19:01 . 2010-07-15 14:05 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="NvMCTray.dll" [2006-08-12 86016]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb03.exe" [2001-06-12 200704]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2010-04-04 38840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-04-03 640440]
"VX6000"="c:\windows\vVX6000.exe" [2009-07-24 764256]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-16 1318552]
"nwiz"="nwiz.exe" [2006-08-12 1519616]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"HTC Sync Loader"="c:\program files\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2011-04-26 593920]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
.
c:\documents and settings\\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-4-15 110592]
Dropbox.lnk - c:\documents and settings\\Application Data\Dropbox\bin\Dropbox.exe [2011-8-22 24182896]
Logitech . Product Registration.lnk - c:\program files\Logitech\Logitech WebCam Software\eReg.exe [2009-10-14 517384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLinkedConnections"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^^Start Menu^Programs^Startup^WinMySQLadmin.lnk]
path=c:\documents and settings\\Start Menu\Programs\Startup\WinMySQLadmin.lnk
backup=c:\windows\pss\WinMySQLadmin.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SB Audigy 2 Startup Menu]
/L:ENG [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2011-08-15 13:49 1191216 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
2004-12-03 00:23 102400 ------w- c:\program files\Creative\MediaSource\Detector\CTDetect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]
2002-09-30 07:00 45056 ----a-w- c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2003-02-20 22:45 28672 ----a-w- c:\windows\system32\CTHELPER.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
2002-10-29 15:18 49152 ----a-w- c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
2006-08-11 20:56 18944 ----a-w- c:\windows\system32\CTXFIHLP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2001-06-12 09:13 200704 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb03.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hpppta]
2000-12-05 19:02 86016 ----a-w- c:\program files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPPPTA.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2002-08-12 17:07 36864 ----a-w- c:\program files\Scansoft\PaperPort\IndexSearch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2007-02-05 23:52 849280 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
2009-07-24 20:05 118640 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2009-10-14 19:36 2793304 ----a-w- c:\program files\Logitech\Logitech WebCam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-10-12 00:25 1961984 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 16:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-08-12 03:43 7630848 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-08-12 03:43 1519616 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2002-08-12 16:33 45108 ----a-w- c:\program files\Scansoft\PaperPort\pptd40nt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 17:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-04-22 17:20 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"QBFCService"=3 (0x3)
"QBCFMonitorService"=2 (0x2)
"NVSvc"=2 (0x2)
"MDM"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"IntuitUpdateService"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)
"bgsvcgen"=2 (0x2)
"MOBKbackup"=3 (0x3)
"Lavasoft Ad-Aware Service"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\BitZip\\bitzip.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Documents and Settings\\\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/18/2009 9:12 AM 64288]
R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [11/26/2005 8:54 AM 4064]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/22/2010 8:22 PM 89792]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [7/15/2010 8:07 AM 54776]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 10:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 3:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 5:38 PM 116608]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [7/15/2010 8:05 AM 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [7/15/2010 8:05 AM 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [7/15/2010 8:05 AM 214904]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [7/15/2010 8:06 AM 160608]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [7/15/2010 8:05 AM 150856]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [3/31/2011 3:08 PM 80896]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [7/15/2010 8:05 AM 57600]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [7/15/2010 8:05 AM 338176]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/22/2010 8:22 PM 83856]
S3 Apache2.2;Apache2.2;c:\xampp\apache\bin\apache.exe [6/14/2008 11:02 AM 17408]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [11/21/2005 2:02 PM 2944]
S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [11/21/2005 2:02 PM 60416]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [11/21/2005 2:02 PM 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [11/21/2005 2:02 PM 10368]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [8/3/2011 9:32 AM 24576]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [6/22/2010 5:01 PM 21248]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [3/15/2011 8:04 AM 15232]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/22/2010 8:22 PM 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/22/2010 8:22 PM 87656]
S3 Newpogr;Newpogr; [x]
S3 NOVATIONXSTATION;USB ASIO driver for Novation X-Station;c:\windows\system32\drivers\XStnUSB.sys [1/4/2007 9:19 PM 325504]
S3 NVNR25AUSB;Novation XStation USB MIDI WDM Driver;c:\windows\system32\drivers\XStation.sys [1/4/2007 9:19 PM 38858]
S3 NvnUsbAudio;Novation USB Audio Driver;c:\windows\system32\drivers\nvnusbaudio.sys [11/11/2011 9:33 AM 41944]
S3 RDID1058;EDIROL UM-3;c:\windows\system32\drivers\Rdwm1058.sys [9/17/2006 11:16 AM 67778]
S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [8/2/2009 10:33 PM 2074464]
S3 XSTAUDIO;X-Station Audio;c:\windows\system32\drivers\XStAudio.sys [1/4/2007 9:19 PM 23392]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2011 1:47 AM 2152152]
S4 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [4/13/2010 7:11 PM 229688]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-03-09 07:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/apps/vso/en-us/redir.asp?affid=105-17&installtype=force&dtag=5brbp41&langid=1&systempopup=true
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 97.64.183.164 97.64.209.37
FF - ProfilePath - c:\documents and settings\\Application Data\Mozilla\Firefox\Profiles\0wt82vwp.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-04 22:05
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-329068152-1275210071-682003330-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-329068152-1275210071-682003330-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b8,13,ce,5a,fb,cc,60,ca,5a,ab,55,a8,97,59,5f,36,42,be,11,08,0f,74,92,
5f,24,3b,2a,dd,48,d3,53,b0,dd,33,de,f9,66,e4,06,ae,d1,ed,5a,af,d4,72,aa,b0,\
"??"=hex:4b,25,46,08,c0,4d,77,b4,3d,92,b5,18,fd,d2,b1,2c
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1124)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(4144)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\nview.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\documents and settings\\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\program files\McAfee Online Backup\MOBKshell.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RunDLL32.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2011-12-04 22:27:44 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-05 04:27
ComboFix2.txt 2011-12-04 15:36
.
Pre-Run: 8,677,888,000 bytes free
Post-Run: 8,659,664,896 bytes free
.
- - End Of File - - 0CF08ABA78B4E0759688E5FB933ABF37