
Odd behaviour after removing Vista Home Security


  • This topic is locked
36 replies to this topic

#1 egerren

  • Members
  • 22 posts

Posted 17 December 2011 - 04:17 PM

***EDIT***
I was told to run ComboFix... I did and it removed several files; now I get a blue screen on startup. Safe mode works, no internet on safe mode with networking.

Several days ago, I got rid of a Vista Home Security virus, but my computer is still acting strangely. Every now and then when I'm on Firefox, an extra tab will open with some website I've never heard of (usually "Women's Health" or "News Canary"). I've been referred here from my topic in "Am I Infected?" (http://www.bleepingcomputer.com/forums/topic432577.html)

Logs...

GMER:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-16 13:18:23
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS543225L9A300 rev.FBEOC40C
Running: iv6df74b.exe; Driver: C:\Users\Emi\AppData\Local\Temp\pwrirkoc.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x87C49498]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x87C494C2]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x87C494AE]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x87C49484]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 8262C1A0 5 Bytes JMP 87C49488 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 827E82F0 5 Bytes JMP 87C494C6 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 82829AFE 7 Bytes JMP 87C4949C \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 8282A155 5 Bytes JMP 87C494B2 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\System32\svchost.exe[780] ntdll.dll!NtCreateFile 76F97C78 5 Bytes JMP 00E30000
.text C:\Windows\System32\svchost.exe[780] ntdll.dll!NtCreateProcess 76F97D38 5 Bytes JMP 00E3001B
.text C:\Windows\System32\svchost.exe[780] ntdll.dll!NtProtectVirtualMemory 76F985D8 5 Bytes JMP 00E30FE5
.text C:\Windows\System32\svchost.exe[780] kernel32.dll!GetStartupInfoW 75CB1929 5 Bytes JMP 00E400D3
.text C:\Windows\System32\svchost.exe[780] kernel32.dll!GetStartupInfoA 75CB19C9 5 Bytes JMP 00E40F97
.text C:\Windows\System32\svchost.exe[780] kernel32.dll!CreateProcessW 75CB1C01 5 Bytes JMP 00E40109
.text C:\Windows\System32\svchost.exe[780] kernel32.dll!CreateProcessA 75CB1C36 5 Bytes JMP 00E40F72
.text C:\Windows\System32\svchost.exe[780] kernel32.dll!VirtualProtect 75CB1DD1 5 Bytes JMP 00E4009D
.text C:\Windows\System32\svchost.exe[780] kernel32.dll!CreateNamedPipeW 75CB5C44 5 Bytes JMP 00E40FD4
.text C:\Windows\System32\svchost.exe[780] kernel32.dll!LoadLibraryExW 75CD374A 5 Bytes JMP 00E40076
.text C:\Windows\System32\svchost.exe[780] kernel32.dll!LoadLibraryW 75CD382D 5 Bytes JMP 00E40FC3
.text C:\Windows\System32\svchost.exe[780] kernel32.dll!VirtualProtectEx 75CD8F5E 5 Bytes JMP 00E400B8
.text C:\Windows\System32\svchost.exe[780] kernel32.dll!LoadLibraryExA 75CD9649 5 Bytes JMP 00E40065
.text C:\Windows\System32\svchost.exe[780] kernel32.dll!LoadLibraryA 75CD9671 5 Bytes JMP 00E4004A
.text C:\Windows\System32\svchost.exe[780] kernel32.dll!CreatePipe 75CE0474 5 Bytes JMP 00E40FA8
.text C:\Windows\System32\svchost.exe[780] kernel32.dll!GetProcAddress 75CFBAC6 5 Bytes JMP 00E40F4D
.text C:\Windows\System32\svchost.exe[780] kernel32.dll!CreateFileW 75CFCE4E 5 Bytes JMP 00E40011
.text C:\Windows\System32\svchost.exe[780] kernel32.dll!CreateFileA 75CFD171 5 Bytes JMP 00E40000
.text C:\Windows\System32\svchost.exe[780] kernel32.dll!CreateNamedPipeA 75D4462E 5 Bytes JMP 00E40FE5
.text C:\Windows\System32\svchost.exe[780] kernel32.dll!WinExec 75D4580B 5 Bytes JMP 00E400EE
.text C:\Windows\System32\svchost.exe[780] msvcrt.dll!_wsystem 75FF8A47 5 Bytes JMP 00E50F92
.text C:\Windows\System32\svchost.exe[780] msvcrt.dll!system 75FF8B63 5 Bytes JMP 00E50027
.text C:\Windows\System32\svchost.exe[780] msvcrt.dll!_creat 75FFC6F1 5 Bytes JMP 00E50FB7
.text C:\Windows\System32\svchost.exe[780] msvcrt.dll!_open 75FFDA7E 5 Bytes JMP 00E50FE3
.text C:\Windows\System32\svchost.exe[780] msvcrt.dll!_wcreat 75FFDC9E 5 Bytes JMP 00E5000C
.text C:\Windows\System32\svchost.exe[780] msvcrt.dll!_wopen 75FFDE79 5 Bytes JMP 00E50FD2
.text C:\Windows\System32\svchost.exe[780] ADVAPI32.dll!RegCreateKeyExA 7606B5E7 5 Bytes JMP 00E60FA8
.text C:\Windows\System32\svchost.exe[780] ADVAPI32.dll!RegCreateKeyA 7606B8AE 5 Bytes JMP 00E60FB9
.text C:\Windows\System32\svchost.exe[780] ADVAPI32.dll!RegOpenKeyA 76070BF5 5 Bytes JMP 00E60FEF
.text C:\Windows\System32\svchost.exe[780] ADVAPI32.dll!RegCreateKeyW 7607B83D 5 Bytes JMP 00E60040
.text C:\Windows\System32\svchost.exe[780] ADVAPI32.dll!RegCreateKeyExW 7607BCE1 5 Bytes JMP 00E60065
.text C:\Windows\System32\svchost.exe[780] ADVAPI32.dll!RegOpenKeyExA 7607D4E8 5 Bytes JMP 00E6001B
.text C:\Windows\System32\svchost.exe[780] ADVAPI32.dll!RegOpenKeyW 76083CB0 5 Bytes JMP 00E6000A
.text C:\Windows\System32\svchost.exe[780] ADVAPI32.dll!RegOpenKeyExW 7608F09D 5 Bytes JMP 00E60FCA
.text C:\Windows\system32\services.exe[788] ntdll.dll!NtCreateFile 76F97C78 5 Bytes JMP 0016000A
.text C:\Windows\system32\services.exe[788] ntdll.dll!NtCreateProcess 76F97D38 5 Bytes JMP 0016002F
.text C:\Windows\system32\services.exe[788] ntdll.dll!NtProtectVirtualMemory 76F985D8 5 Bytes JMP 00160FEF
.text C:\Windows\system32\services.exe[788] kernel32.dll!GetStartupInfoW 75CB1929 5 Bytes JMP 00170F72
.text C:\Windows\system32\services.exe[788] kernel32.dll!GetStartupInfoA 75CB19C9 5 Bytes JMP 001700AE
.text C:\Windows\system32\services.exe[788] kernel32.dll!CreateProcessW 75CB1C01 5 Bytes JMP 001700EE
.text C:\Windows\system32\services.exe[788] kernel32.dll!CreateProcessA 75CB1C36 5 Bytes JMP 00170F57
.text C:\Windows\system32\services.exe[788] kernel32.dll!VirtualProtect 75CB1DD1 5 Bytes JMP 00170F9E
.text C:\Windows\system32\services.exe[788] kernel32.dll!CreateNamedPipeW 75CB5C44 5 Bytes JMP 0017005B
.text C:\Windows\system32\services.exe[788] kernel32.dll!LoadLibraryExW 75CD374A 5 Bytes JMP 00170076
.text C:\Windows\system32\services.exe[788] kernel32.dll!LoadLibraryW 75CD382D 5 Bytes JMP 00170FD4
.text C:\Windows\system32\services.exe[788] kernel32.dll!VirtualProtectEx 75CD8F5E 5 Bytes JMP 00170F8D
.text C:\Windows\system32\services.exe[788] kernel32.dll!LoadLibraryExA 75CD9649 5 Bytes JMP 00170FB9
.text C:\Windows\system32\services.exe[788] kernel32.dll!LoadLibraryA 75CD9671 5 Bytes JMP 00170FE5
.text C:\Windows\system32\services.exe[788] kernel32.dll!CreatePipe 75CE0474 5 Bytes JMP 0017009D
.text C:\Windows\system32\services.exe[788] kernel32.dll!GetProcAddress 75CFBAC6 5 Bytes JMP 00170109
.text C:\Windows\system32\services.exe[788] kernel32.dll!CreateFileW 75CFCE4E 5 Bytes JMP 0017001B
.text C:\Windows\system32\services.exe[788] kernel32.dll!CreateFileA 75CFD171 5 Bytes JMP 00170000
.text C:\Windows\system32\services.exe[788] kernel32.dll!CreateNamedPipeA 75D4462E 5 Bytes JMP 00170040
.text C:\Windows\system32\services.exe[788] kernel32.dll!WinExec 75D4580B 5 Bytes JMP 001700C9
.text C:\Windows\system32\services.exe[788] ADVAPI32.dll!RegCreateKeyExA 7606B5E7 5 Bytes JMP 001E0F83
.text C:\Windows\system32\services.exe[788] ADVAPI32.dll!RegCreateKeyA 7606B8AE 5 Bytes JMP 001E0FA5
.text C:\Windows\system32\services.exe[788] ADVAPI32.dll!RegOpenKeyA 76070BF5 5 Bytes JMP 001E0FEF
.text C:\Windows\system32\services.exe[788] ADVAPI32.dll!RegCreateKeyW 7607B83D 5 Bytes JMP 001E0F94
.text C:\Windows\system32\services.exe[788] ADVAPI32.dll!RegCreateKeyExW 7607BCE1 5 Bytes JMP 001E0F68
.text C:\Windows\system32\services.exe[788] ADVAPI32.dll!RegOpenKeyExA 7607D4E8 5 Bytes JMP 001E000A
.text C:\Windows\system32\services.exe[788] ADVAPI32.dll!RegOpenKeyW 76083CB0 5 Bytes JMP 001E0FD4
.text C:\Windows\system32\services.exe[788] ADVAPI32.dll!RegOpenKeyExW 7608F09D 5 Bytes JMP 001E001B
.text C:\Windows\system32\services.exe[788] msvcrt.dll!_wsystem 75FF8A47 5 Bytes JMP 001D0FD4
.text C:\Windows\system32\services.exe[788] msvcrt.dll!system 75FF8B63 5 Bytes JMP 001D005F
.text C:\Windows\system32\services.exe[788] msvcrt.dll!_creat 75FFC6F1 5 Bytes JMP 001D0FEF
.text C:\Windows\system32\services.exe[788] msvcrt.dll!_open 75FFDA7E 5 Bytes JMP 001D000C
.text C:\Windows\system32\services.exe[788] msvcrt.dll!_wcreat 75FFDC9E 5 Bytes JMP 001D004E
.text C:\Windows\system32\services.exe[788] msvcrt.dll!_wopen 75FFDE79 5 Bytes JMP 001D0029
.text C:\Windows\system32\services.exe[788] WS2_32.dll!socket 771436D1 5 Bytes JMP 00860FEF
.text C:\Windows\system32\services.exe[788] WININET.dll!InternetOpenA 757B0A4D 5 Bytes JMP 00870000
.text C:\Windows\system32\services.exe[788] WININET.dll!InternetOpenUrlA 757B2713 5 Bytes JMP 00870FD4
.text C:\Windows\system32\services.exe[788] WININET.dll!InternetOpenW 757B30C8 5 Bytes JMP 00870FEF
.text C:\Windows\system32\services.exe[788] WININET.dll!InternetOpenUrlW 75808515 5 Bytes JMP 00870FC3
.text C:\Windows\system32\lsass.exe[804] ntdll.dll!NtCreateFile 76F97C78 5 Bytes JMP 00210000
.text C:\Windows\system32\lsass.exe[804] ntdll.dll!NtCreateProcess 76F97D38 5 Bytes JMP 00210FD1
.text C:\Windows\system32\lsass.exe[804] ntdll.dll!NtProtectVirtualMemory 76F985D8 5 Bytes JMP 00210011
.text C:\Windows\system32\lsass.exe[804] kernel32.dll!GetStartupInfoW 75CB1929 5 Bytes JMP 00230F2F
.text C:\Windows\system32\lsass.exe[804] kernel32.dll!GetStartupInfoA 75CB19C9 5 Bytes JMP 00230F40
.text C:\Windows\system32\lsass.exe[804] kernel32.dll!CreateProcessW 75CB1C01 5 Bytes JMP 00230F03
.text C:\Windows\system32\lsass.exe[804] kernel32.dll!CreateProcessA 75CB1C36 5 Bytes JMP 0023009A
.text C:\Windows\system32\lsass.exe[804] kernel32.dll!VirtualProtect 75CB1DD1 5 Bytes JMP 00230F87
.text C:\Windows\system32\lsass.exe[804] kernel32.dll!CreateNamedPipeW 75CB5C44 5 Bytes JMP 00230033
.text C:\Windows\system32\lsass.exe[804] kernel32.dll!LoadLibraryExW 75CD374A 5 Bytes JMP 00230FA2
.text C:\Windows\system32\lsass.exe[804] kernel32.dll!LoadLibraryW 75CD382D 5 Bytes JMP 00230044
.text C:\Windows\system32\lsass.exe[804] kernel32.dll!VirtualProtectEx 75CD8F5E 5 Bytes JMP 00230F76
.text C:\Windows\system32\lsass.exe[804] kernel32.dll!LoadLibraryExA 75CD9649 5 Bytes JMP 0023005F
.text C:\Windows\system32\lsass.exe[804] kernel32.dll!LoadLibraryA 75CD9671 5 Bytes JMP 00230FBD
.text C:\Windows\system32\lsass.exe[804] kernel32.dll!CreatePipe 75CE0474 5 Bytes JMP 00230F5B
.text C:\Windows\system32\lsass.exe[804] kernel32.dll!GetProcAddress 75CFBAC6 5 Bytes JMP 002300AB
.text C:\Windows\system32\lsass.exe[804] kernel32.dll!CreateFileW 75CFCE4E 5 Bytes JMP 00230011
.text C:\Windows\system32\lsass.exe[804] kernel32.dll!CreateFileA 75CFD171 5 Bytes JMP 00230000
.text C:\Windows\system32\lsass.exe[804] kernel32.dll!CreateNamedPipeA 75D4462E 5 Bytes JMP 00230022
.text C:\Windows\system32\lsass.exe[804] kernel32.dll!WinExec 75D4580B 5 Bytes JMP 00230F1E
.text C:\Windows\system32\lsass.exe[804] ADVAPI32.dll!RegCreateKeyExA 7606B5E7 5 Bytes JMP 00560039
.text C:\Windows\system32\lsass.exe[804] ADVAPI32.dll!RegCreateKeyA 7606B8AE 1 Byte [E9]
.text C:\Windows\system32\lsass.exe[804] ADVAPI32.dll!RegCreateKeyA 7606B8AE 5 Bytes JMP 00560FB2
.text C:\Windows\system32\lsass.exe[804] ADVAPI32.dll!RegOpenKeyA 76070BF5 5 Bytes JMP 0056000A
.text C:\Windows\system32\lsass.exe[804] ADVAPI32.dll!RegCreateKeyW 7607B83D 5 Bytes JMP 00560FA1
.text C:\Windows\system32\lsass.exe[804] ADVAPI32.dll!RegCreateKeyExW 7607BCE1 5 Bytes JMP 0056004A
.text C:\Windows\system32\lsass.exe[804] ADVAPI32.dll!RegOpenKeyExA 7607D4E8 5 Bytes JMP 00560FDE
.text C:\Windows\system32\lsass.exe[804] ADVAPI32.dll!RegOpenKeyW 76083CB0 5 Bytes JMP 00560FEF
.text C:\Windows\system32\lsass.exe[804] ADVAPI32.dll!RegOpenKeyExW 7608F09D 5 Bytes JMP 00560FCD
.text C:\Windows\system32\lsass.exe[804] msvcrt.dll!_wsystem 75FF8A47 5 Bytes JMP 0055005A
.text C:\Windows\system32\lsass.exe[804] msvcrt.dll!system 75FF8B63 5 Bytes JMP 00550049
.text C:\Windows\system32\lsass.exe[804] msvcrt.dll!_creat 75FFC6F1 5 Bytes JMP 0055002E
.text C:\Windows\system32\lsass.exe[804] msvcrt.dll!_open 75FFDA7E 5 Bytes JMP 00550000
.text C:\Windows\system32\lsass.exe[804] msvcrt.dll!_wcreat 75FFDC9E 5 Bytes JMP 00550FD9
.text C:\Windows\system32\lsass.exe[804] msvcrt.dll!_wopen 75FFDE79 5 Bytes JMP 0055001D
.text C:\Windows\system32\lsass.exe[804] WS2_32.dll!socket 771436D1 5 Bytes JMP 00570FE5
.text C:\Windows\system32\lsass.exe[804] WININET.dll!InternetOpenA 757B0A4D 5 Bytes JMP 00220FEF
.text C:\Windows\system32\lsass.exe[804] WININET.dll!InternetOpenUrlA 757B2713 5 Bytes JMP 00220FD4
.text C:\Windows\system32\lsass.exe[804] WININET.dll!InternetOpenW 757B30C8 5 Bytes JMP 0022000A
.text C:\Windows\system32\lsass.exe[804] WININET.dll!InternetOpenUrlW 75808515 5 Bytes JMP 00220FAF
.text C:\Windows\system32\svchost.exe[1004] ntdll.dll!NtCreateFile 76F97C78 5 Bytes JMP 001A000A
.text C:\Windows\system32\svchost.exe[1004] ntdll.dll!NtCreateProcess 76F97D38 5 Bytes JMP 001A0025
.text C:\Windows\system32\svchost.exe[1004] ntdll.dll!NtProtectVirtualMemory 76F985D8 5 Bytes JMP 001A0FEF
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!GetStartupInfoW 75CB1929 5 Bytes JMP 001B0F4B
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!GetStartupInfoA 75CB19C9 5 Bytes JMP 001B0F66
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!CreateProcessW 75CB1C01 5 Bytes JMP 001B0F30
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!CreateProcessA 75CB1C36 5 Bytes JMP 001B00C7
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!VirtualProtect 75CB1DD1 5 Bytes JMP 001B007D
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!CreateNamedPipeW 75CB5C44 5 Bytes JMP 001B001B
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!LoadLibraryExW 75CD374A 5 Bytes JMP 001B006C
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!LoadLibraryW 75CD382D 5 Bytes JMP 001B0051
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!VirtualProtectEx 75CD8F5E 5 Bytes JMP 001B0F92
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!LoadLibraryExA 75CD9649 5 Bytes JMP 001B0FAF
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!LoadLibraryA 75CD9671 5 Bytes JMP 001B0036
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!CreatePipe 75CE0474 5 Bytes JMP 001B0F81
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!GetProcAddress 75CFBAC6 5 Bytes JMP 001B00D8
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!CreateFileW 75CFCE4E 5 Bytes JMP 001B0FE5
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!CreateFileA 75CFD171 5 Bytes JMP 001B0000
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!CreateNamedPipeA 75D4462E 5 Bytes JMP 001B0FCA
.text C:\Windows\system32\svchost.exe[1004] kernel32.dll!WinExec 75D4580B 5 Bytes JMP 001B00AC
.text C:\Windows\system32\svchost.exe[1004] msvcrt.dll!_wsystem 75FF8A47 5 Bytes JMP 001C0064
.text C:\Windows\system32\svchost.exe[1004] msvcrt.dll!system 75FF8B63 5 Bytes JMP 001C0049
.text C:\Windows\system32\svchost.exe[1004] msvcrt.dll!_creat 75FFC6F1 5 Bytes JMP 001C002E
.text C:\Windows\system32\svchost.exe[1004] msvcrt.dll!_open 75FFDA7E 5 Bytes JMP 001C0000
.text C:\Windows\system32\svchost.exe[1004] msvcrt.dll!_wcreat 75FFDC9E 5 Bytes JMP 001C0FD9
.text C:\Windows\system32\svchost.exe[1004] msvcrt.dll!_wopen 75FFDE79 5 Bytes JMP 001C0011
.text C:\Windows\system32\svchost.exe[1004] ADVAPI32.dll!RegCreateKeyExA 7606B5E7 5 Bytes JMP 001D005B
.text C:\Windows\system32\svchost.exe[1004] ADVAPI32.dll!RegCreateKeyA 7606B8AE 5 Bytes JMP 001D002F
.text C:\Windows\system32\svchost.exe[1004] ADVAPI32.dll!RegOpenKeyA 76070BF5 5 Bytes JMP 001D0FEF
.text C:\Windows\system32\svchost.exe[1004] ADVAPI32.dll!RegCreateKeyW 7607B83D 5 Bytes JMP 001D004A
.text C:\Windows\system32\svchost.exe[1004] ADVAPI32.dll!RegCreateKeyExW 7607BCE1 5 Bytes JMP 001D0F9E
.text C:\Windows\system32\svchost.exe[1004] ADVAPI32.dll!RegOpenKeyExA 7607D4E8 5 Bytes JMP 001D0FC3
.text C:\Windows\system32\svchost.exe[1004] ADVAPI32.dll!RegOpenKeyW 76083CB0 5 Bytes JMP 001D0FD4
.text C:\Windows\system32\svchost.exe[1004] ADVAPI32.dll!RegOpenKeyExW 7608F09D 5 Bytes JMP 001D001E
.text C:\Windows\system32\svchost.exe[1004] WS2_32.dll!socket 771436D1 5 Bytes JMP 00410FEF
.text C:\Windows\system32\svchost.exe[1072] ntdll.dll!NtCreateFile 76F97C78 5 Bytes JMP 00900FEF
.text C:\Windows\system32\svchost.exe[1072] ntdll.dll!NtCreateProcess 76F97D38 5 Bytes JMP 0090000A
.text C:\Windows\system32\svchost.exe[1072] ntdll.dll!NtProtectVirtualMemory 76F985D8 5 Bytes JMP 00900FDE
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!GetStartupInfoW 75CB1929 5 Bytes JMP 00DD0EF7
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!GetStartupInfoA 75CB19C9 5 Bytes JMP 00DD003D
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!CreateProcessW 75CB1C01 5 Bytes JMP 00DD0073
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!CreateProcessA 75CB1C36 5 Bytes JMP 00DD0EDC
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!VirtualProtect 75CB1DD1 5 Bytes JMP 00DD0F48
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!CreateNamedPipeW 75CB5C44 5 Bytes JMP 00DD0011
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!LoadLibraryExW 75CD374A 5 Bytes JMP 00DD0F65
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!LoadLibraryW 75CD382D 5 Bytes JMP 00DD0F9B
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!VirtualProtectEx 75CD8F5E 5 Bytes JMP 00DD0F2D
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!LoadLibraryExA 75CD9649 5 Bytes JMP 00DD0F80
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!LoadLibraryA 75CD9671 5 Bytes JMP 00DD0022
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!CreatePipe 75CE0474 5 Bytes JMP 00DD0F12
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!GetProcAddress 75CFBAC6 5 Bytes JMP 00DD0ECB
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!CreateFileW 75CFCE4E 5 Bytes JMP 00DD0FCA
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!CreateFileA 75CFD171 5 Bytes JMP 00DD0FE5
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!CreateNamedPipeA 75D4462E 5 Bytes JMP 00DD0000
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!WinExec 75D4580B 5 Bytes JMP 00DD0058
.text C:\Windows\system32\svchost.exe[1072] msvcrt.dll!_wsystem 75FF8A47 5 Bytes JMP 00DE0F89
.text C:\Windows\system32\svchost.exe[1072] msvcrt.dll!system 75FF8B63 5 Bytes JMP 00DE0014
.text C:\Windows\system32\svchost.exe[1072] msvcrt.dll!_creat 75FFC6F1 5 Bytes JMP 00DE0FB5
.text C:\Windows\system32\svchost.exe[1072] msvcrt.dll!_open 75FFDA7E 5 Bytes JMP 00DE0FE3
.text C:\Windows\system32\svchost.exe[1072] msvcrt.dll!_wcreat 75FFDC9E 5 Bytes JMP 00DE0FA4
.text C:\Windows\system32\svchost.exe[1072] msvcrt.dll!_wopen 75FFDE79 5 Bytes JMP 00DE0FC6
.text C:\Windows\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyExA 7606B5E7 5 Bytes JMP 00DF0051
.text C:\Windows\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyA 7606B8AE 5 Bytes JMP 00DF001B
.text C:\Windows\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyA 76070BF5 5 Bytes JMP 00DF0FEF
.text C:\Windows\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyW 7607B83D 5 Bytes JMP 00DF0040
.text C:\Windows\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyExW 7607BCE1 5 Bytes JMP 00DF0F94
.text C:\Windows\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyExA 7607D4E8 5 Bytes JMP 00DF0FCA
.text C:\Windows\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyW 76083CB0 5 Bytes JMP 00DF000A
.text C:\Windows\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyExW 7608F09D 5 Bytes JMP 00DF0FB9
.text C:\Windows\system32\svchost.exe[1072] WS2_32.dll!socket 771436D1 5 Bytes JMP 01000FEF
.text C:\Windows\system32\svchost.exe[1072] WININET.dll!InternetOpenA 757B0A4D 5 Bytes JMP 00D2000A
.text C:\Windows\system32\svchost.exe[1072] WININET.dll!InternetOpenUrlA 757B2713 5 Bytes JMP 00D20FDB
.text C:\Windows\system32\svchost.exe[1072] WININET.dll!InternetOpenW 757B30C8 5 Bytes JMP 00D2001B
.text C:\Windows\system32\svchost.exe[1072] WININET.dll!InternetOpenUrlW 75808515 5 Bytes JMP 00D20036
.text C:\Windows\System32\svchost.exe[1128] ntdll.dll!NtCreateFile 76F97C78 5 Bytes JMP 00930FEF
.text C:\Windows\System32\svchost.exe[1128] ntdll.dll!NtCreateProcess 76F97D38 5 Bytes JMP 00930000
.text C:\Windows\System32\svchost.exe[1128] ntdll.dll!NtProtectVirtualMemory 76F985D8 5 Bytes JMP 00930FCA
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!GetStartupInfoW 75CB1929 5 Bytes JMP 00920096
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!GetStartupInfoA 75CB19C9 5 Bytes JMP 00920F50
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateProcessW 75CB1C01 5 Bytes JMP 00920F17
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateProcessA 75CB1C36 5 Bytes JMP 009200B8
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!VirtualProtect 75CB1DD1 5 Bytes JMP 00920F86
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateNamedPipeW 75CB5C44 5 Bytes JMP 00920039
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!LoadLibraryExW 75CD374A 5 Bytes JMP 00920060
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!LoadLibraryW 75CD382D 5 Bytes JMP 00920FB2
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!VirtualProtectEx 75CD8F5E 5 Bytes JMP 0092007B
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!LoadLibraryExA 75CD9649 5 Bytes JMP 00920F97
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!LoadLibraryA 75CD9671 5 Bytes JMP 00920FCD
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreatePipe 75CE0474 5 Bytes JMP 00920F61
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!GetProcAddress 75CFBAC6 5 Bytes JMP 00920F06
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateFileW 75CFCE4E 5 Bytes JMP 0092000A
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateFileA 75CFD171 5 Bytes JMP 00920FEF
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateNamedPipeA 75D4462E 5 Bytes JMP 00920FDE
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!WinExec 75D4580B 5 Bytes JMP 009200A7
.text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_wsystem 75FF8A47 5 Bytes JMP 00D80F9C
.text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!system 75FF8B63 5 Bytes JMP 00D80FB7
.text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_creat 75FFC6F1 5 Bytes JMP 00D8001D
.text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_open 75FFDA7E 5 Bytes JMP 00D80000
.text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_wcreat 75FFDC9E 5 Bytes JMP 00D80FC8
.text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_wopen 75FFDE79 5 Bytes JMP 00D80FE3
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyExA 7606B5E7 5 Bytes JMP 00DD0F90
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyA 7606B8AE 1 Byte [E9]
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyA 7606B8AE 5 Bytes JMP 00DD0FB2
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyA 76070BF5 5 Bytes JMP 00DD0000
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyW 7607B83D 5 Bytes JMP 00DD0FA1
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyExW 7607BCE1 5 Bytes JMP 00DD004D
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyExA 7607D4E8 5 Bytes JMP 00DD0FD4
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyW 76083CB0 5 Bytes JMP 00DD0FE5
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyExW 7608F09D 5 Bytes JMP 00DD0FC3
.text C:\Windows\System32\svchost.exe[1128] WS2_32.dll!socket 771436D1 5 Bytes JMP 00DE0FEF
.text C:\Windows\System32\svchost.exe[1128] WININET.dll!InternetOpenA 757B0A4D 5 Bytes JMP 00420FEF
.text C:\Windows\System32\svchost.exe[1128] WININET.dll!InternetOpenUrlA 757B2713 5 Bytes JMP 0042000A
.text C:\Windows\System32\svchost.exe[1128] WININET.dll!InternetOpenW 757B30C8 5 Bytes JMP 00420FD4
.text C:\Windows\System32\svchost.exe[1128] WININET.dll!InternetOpenUrlW 75808515 5 Bytes JMP 0042002F
.text C:\Windows\System32\svchost.exe[1220] ntdll.dll!NtCreateFile 76F97C78 5 Bytes JMP 00DF0000
.text C:\Windows\System32\svchost.exe[1220] ntdll.dll!NtCreateProcess 76F97D38 5 Bytes JMP 00DF0FCA
.text C:\Windows\System32\svchost.exe[1220] ntdll.dll!NtProtectVirtualMemory 76F985D8 5 Bytes JMP 00DF0FEF
.text C:\Windows\System32\svchost.exe[1220] kernel32.dll!GetStartupInfoW 75CB1929 5 Bytes JMP 01640F70
.text C:\Windows\System32\svchost.exe[1220] kernel32.dll!GetStartupInfoA 75CB19C9 5 Bytes JMP 016400B6
.text C:\Windows\System32\svchost.exe[1220] kernel32.dll!CreateProcessW 75CB1C01 5 Bytes JMP 016400D1
.text C:\Windows\System32\svchost.exe[1220] kernel32.dll!CreateProcessA 75CB1C36 1 Byte [E9]
.text C:\Windows\System32\svchost.exe[1220] kernel32.dll!CreateProcessA 75CB1C36 5 Bytes JMP 01640F3A
.text C:\Windows\System32\svchost.exe[1220] kernel32.dll!VirtualProtect 75CB1DD1 5 Bytes JMP 01640FA6
.text C:\Windows\System32\svchost.exe[1220] kernel32.dll!CreateNamedPipeW 75CB5C44 5 Bytes JMP 01640FC3
.text C:\Windows\System32\svchost.exe[1220] kernel32.dll!LoadLibraryExW 75CD374A 5 Bytes JMP 01640080
.text C:\Windows\System32\svchost.exe[1220] kernel32.dll!LoadLibraryW 75CD382D 5 Bytes JMP 01640054
.text C:\Windows\System32\svchost.exe[1220] kernel32.dll!VirtualProtectEx 75CD8F5E 5 Bytes JMP 01640F95
.text C:\Windows\System32\svchost.exe[1220] kernel32.dll!LoadLibraryExA 75CD9649 5 Bytes JMP 0164006F
.text C:\Windows\System32\svchost.exe[1220] kernel32.dll!LoadLibraryA 75CD9671 5 Bytes JMP 0164002F
.text C:\Windows\System32\svchost.exe[1220] kernel32.dll!CreatePipe 75CE0474 5 Bytes JMP 0164009B
.text C:\Windows\System32\svchost.exe[1220] kernel32.dll!GetProcAddress 75CFBAC6 5 Bytes JMP 016400E2
.text C:\Windows\System32\svchost.exe[1220] kernel32.dll!CreateFileW 75CFCE4E 5 Bytes JMP 0164000A
.text C:\Windows\System32\svchost.exe[1220] kernel32.dll!CreateFileA 75CFD171 5 Bytes JMP 01640FEF
.text C:\Windows\System32\svchost.exe[1220] kernel32.dll!CreateNamedPipeA 75D4462E 5 Bytes JMP 01640FD4
.text C:\Windows\System32\svchost.exe[1220] kernel32.dll!WinExec 75D4580B 5 Bytes JMP 01640F5F
.text C:\Windows\System32\svchost.exe[1220] msvcrt.dll!_wsystem 75FF8A47 5 Bytes JMP 016A0025
.text C:\Windows\System32\svchost.exe[1220] msvcrt.dll!system 75FF8B63 5 Bytes JMP 016A000A
.text C:\Windows\System32\svchost.exe[1220] msvcrt.dll!_creat 75FFC6F1 5 Bytes JMP 016A0FAB
.text C:\Windows\System32\svchost.exe[1220] msvcrt.dll!_open 75FFDA7E 5 Bytes JMP 016A0FEF
.text C:\Windows\System32\svchost.exe[1220] msvcrt.dll!_wcreat 75FFDC9E 5 Bytes JMP 016A0F9A
.text C:\Windows\System32\svchost.exe[1220] msvcrt.dll!_wopen 75FFDE79 5 Bytes JMP 016A0FC6
.text C:\Windows\System32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExA 7606B5E7 5 Bytes JMP 016F0047
.text C:\Windows\System32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyA 7606B8AE 5 Bytes JMP 016F001B
.text C:\Windows\System32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyA 76070BF5 5 Bytes JMP 016F0FEF
.text C:\Windows\System32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyW 7607B83D 5 Bytes JMP 016F0036
.text C:\Windows\System32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExW 7607BCE1 5 Bytes JMP 016F0062
.text C:\Windows\System32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExA 7607D4E8 5 Bytes JMP 016F0FD4
.text C:\Windows\System32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyW 76083CB0 5 Bytes JMP 016F000A
.text C:\Windows\System32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExW 7608F09D 5 Bytes JMP 016F0FAF
.text C:\Windows\System32\svchost.exe[1220] WS2_32.dll!socket 771436D1 5 Bytes JMP 0170000A
.text C:\Windows\System32\svchost.exe[1220] WININET.dll!InternetOpenA 757B0A4D 5 Bytes JMP 017A0000
.text C:\Windows\System32\svchost.exe[1220] WININET.dll!InternetOpenUrlA 757B2713 5 Bytes JMP 017A0011
.text C:\Windows\System32\svchost.exe[1220] WININET.dll!InternetOpenW 757B30C8 5 Bytes JMP 017A0FE5
.text C:\Windows\System32\svchost.exe[1220] WININET.dll!InternetOpenUrlW 75808515 5 Bytes JMP 017A002C
.text C:\Windows\system32\svchost.exe[1240] ntdll.dll!NtCreateFile 76F97C78 5 Bytes JMP 010A0FEF
.text C:\Windows\system32\svchost.exe[1240] ntdll.dll!NtCreateProcess 76F97D38 5 Bytes JMP 010A0FCA
.text C:\Windows\system32\svchost.exe[1240] ntdll.dll!NtProtectVirtualMemory 76F985D8 5 Bytes JMP 010A0000
.text C:\Windows\system32\svchost.exe[1240] ntdll.dll!NtWriteVirtualMemory 76F98F18 5 Bytes JMP 00DF000A
.text C:\Windows\system32\svchost.exe[1240] ntdll.dll!KiUserExceptionDispatcher 76F99648 5 Bytes JMP 0058000A
.text C:\Windows\system32\svchost.exe[1240] kernel32.dll!GetStartupInfoW 75CB1929 5 Bytes JMP 012B0095
.text C:\Windows\system32\svchost.exe[1240] kernel32.dll!GetStartupInfoA 75CB19C9 5 Bytes JMP 012B0F59
.text C:\Windows\system32\svchost.exe[1240] kernel32.dll!CreateProcessW 75CB1C01 5 Bytes JMP 012B0F19
.text C:\Windows\system32\svchost.exe[1240] kernel32.dll!CreateProcessA 75CB1C36 5 Bytes JMP 012B00A6
.text C:\Windows\system32\svchost.exe[1240] kernel32.dll!VirtualProtect 75CB1DD1 5 Bytes JMP 012B0069
.text C:\Windows\system32\svchost.exe[1240] kernel32.dll!CreateNamedPipeW 75CB5C44 5 Bytes JMP 012B003D
.text C:\Windows\system32\svchost.exe[1240] kernel32.dll!LoadLibraryExW 75CD374A 5 Bytes JMP 012B0F9B
.text C:\Windows\system32\svchost.exe[1240] kernel32.dll!LoadLibraryW 75CD382D 5 Bytes JMP 012B004E
.text C:\Windows\system32\svchost.exe[1240] kernel32.dll!VirtualProtectEx 75CD8F5E 5 Bytes JMP 012B0084
.text C:\Windows\system32\svchost.exe[1240] kernel32.dll!LoadLibraryExA 75CD9649 5 Bytes JMP 012B0FB6
.text C:\Windows\system32\svchost.exe[1240] kernel32.dll!LoadLibraryA 75CD9671 5 Bytes JMP 012B0FD1
.text C:\Windows\system32\svchost.exe[1240] kernel32.dll!CreatePipe 75CE0474 5 Bytes JMP 012B0F74
.text C:\Windows\system32\svchost.exe[1240] kernel32.dll!GetProcAddress 75CFBAC6 5 Bytes JMP 012B00C1
.text C:\Windows\system32\svchost.exe[1240] kernel32.dll!CreateFileW 75CFCE4E 5 Bytes JMP 012B001B
.text C:\Windows\system32\svchost.exe[1240] kernel32.dll!CreateFileA 75CFD171 5 Bytes JMP 012B0000
.text C:\Windows\system32\svchost.exe[1240] kernel32.dll!CreateNamedPipeA 75D4462E 5 Bytes JMP 012B002C
.text C:\Windows\system32\svchost.exe[1240] kernel32.dll!WinExec 75D4580B 5 Bytes JMP 012B0F2A
.text C:\Windows\system32\svchost.exe[1240] msvcrt.dll!_wsystem 75FF8A47 5 Bytes JMP 01380FCD
.text C:\Windows\system32\svchost.exe[1240] msvcrt.dll!system 75FF8B63 5 Bytes JMP 01380FDE
.text C:\Windows\system32\svchost.exe[1240] msvcrt.dll!_creat 75FFC6F1 5 Bytes JMP 0138003A
.text C:\Windows\system32\svchost.exe[1240] msvcrt.dll!_open 75FFDA7E 5 Bytes JMP 01380000
.text C:\Windows\system32\svchost.exe[1240] msvcrt.dll!_wcreat 75FFDC9E 5 Bytes JMP 01380FEF
.text C:\Windows\system32\svchost.exe[1240] msvcrt.dll!_wopen 75FFDE79 5 Bytes JMP 01380029
.text C:\Windows\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyExA 7606B5E7 5 Bytes JMP 013D004E
.text C:\Windows\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyA 7606B8AE 5 Bytes JMP 013D002C
.text C:\Windows\system32\svchost.exe[1240] ADVAPI32.dll!RegOpenKeyA 76070BF5 5 Bytes JMP 013D0FEF
.text C:\Windows\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyW 7607B83D 5 Bytes JMP 013D003D
.text C:\Windows\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyExW 7607BCE1 5 Bytes JMP 013D005F
.text C:\Windows\system32\svchost.exe[1240] ADVAPI32.dll!RegOpenKeyExA 7607D4E8 5 Bytes JMP 013D001B
.text C:\Windows\system32\svchost.exe[1240] ADVAPI32.dll!RegOpenKeyW 76083CB0 5 Bytes JMP 013D0000
.text C:\Windows\system32\svchost.exe[1240] ADVAPI32.dll!RegOpenKeyExW 7608F09D 5 Bytes JMP 013D0FC0
.text C:\Windows\system32\svchost.exe[1240] WS2_32.dll!socket 771436D1 5 Bytes JMP 013E0FEF
.text C:\Windows\system32\svchost.exe[1240] WININET.dll!InternetOpenA 757B0A4D 5 Bytes JMP 01250000
.text C:\Windows\system32\svchost.exe[1240] WININET.dll!InternetOpenUrlA 757B2713 5 Bytes JMP 0125001B
.text C:\Windows\system32\svchost.exe[1240] WININET.dll!InternetOpenW 757B30C8 5 Bytes JMP 01250FE5
.text C:\Windows\system32\svchost.exe[1240] WININET.dll!InternetOpenUrlW 75808515 5 Bytes JMP 01250036
.text C:\Windows\system32\svchost.exe[1432] ntdll.dll!NtCreateFile 76F97C78 5 Bytes JMP 00080000
.text C:\Windows\system32\svchost.exe[1432] ntdll.dll!NtCreateProcess 76F97D38 5 Bytes JMP 00080025
.text C:\Windows\system32\svchost.exe[1432] ntdll.dll!NtProtectVirtualMemory 76F985D8 5 Bytes JMP 00080FEF
.text C:\Windows\system32\svchost.exe[1432] kernel32.dll!GetStartupInfoW 75CB1929 5 Bytes JMP 00D00098
.text C:\Windows\system32\svchost.exe[1432] kernel32.dll!GetStartupInfoA 75CB19C9 5 Bytes JMP 00D00F52
.text C:\Windows\system32\svchost.exe[1432] kernel32.dll!CreateProcessW 75CB1C01 5 Bytes JMP 00D00F15
.text C:\Windows\system32\svchost.exe[1432] kernel32.dll!CreateProcessA 75CB1C36 5 Bytes JMP 00D00F30
.text C:\Windows\system32\svchost.exe[1432] kernel32.dll!VirtualProtect 75CB1DD1 5 Bytes JMP 00D00F7E
.text C:\Windows\system32\svchost.exe[1432] kernel32.dll!CreateNamedPipeW 75CB5C44 5 Bytes JMP 00D00036
.text C:\Windows\system32\svchost.exe[1432] kernel32.dll!LoadLibraryExW 75CD374A 5 Bytes JMP 00D00FA5
.text C:\Windows\system32\svchost.exe[1432] kernel32.dll!LoadLibraryW 75CD382D 5 Bytes JMP 00D00FC0
.text C:\Windows\system32\svchost.exe[1432] kernel32.dll!VirtualProtectEx 75CD8F5E 5 Bytes JMP 00D00F6D
.text C:\Windows\system32\svchost.exe[1432] kernel32.dll!LoadLibraryExA 75CD9649 5 Bytes JMP 00D00062
.text C:\Windows\system32\svchost.exe[1432] kernel32.dll!LoadLibraryA 75CD9671 5 Bytes JMP 00D00047
.text C:\Windows\system32\svchost.exe[1432] kernel32.dll!CreatePipe 75CE0474 5 Bytes JMP 00D00073
.text C:\Windows\system32\svchost.exe[1432] kernel32.dll!GetProcAddress 75CFBAC6 5 Bytes JMP 00D00F04
.text C:\Windows\system32\svchost.exe[1432] kernel32.dll!CreateFileW 75CFCE4E 5 Bytes JMP 00D00FE5
.text C:\Windows\system32\svchost.exe[1432] kernel32.dll!CreateFileA 75CFD171 5 Bytes JMP 00D00000
.text C:\Windows\system32\svchost.exe[1432] kernel32.dll!CreateNamedPipeA 75D4462E 5 Bytes JMP 00D0001B
.text C:\Windows\system32\svchost.exe[1432] kernel32.dll!WinExec 75D4580B 5 Bytes JMP 00D00F41
.text C:\Windows\system32\svchost.exe[1432] msvcrt.dll!_wsystem 75FF8A47 5 Bytes JMP 00D10F9C
.text C:\Windows\system32\svchost.exe[1432] msvcrt.dll!system 75FF8B63 5 Bytes JMP 00D10031
.text C:\Windows\system32\svchost.exe[1432] msvcrt.dll!_creat 75FFC6F1 5 Bytes JMP 00D10FC1
.text C:\Windows\system32\svchost.exe[1432] msvcrt.dll!_open 75FFDA7E 5 Bytes JMP 00D10FEF
.text C:\Windows\system32\svchost.exe[1432] msvcrt.dll!_wcreat 75FFDC9E 5 Bytes JMP 00D10016
.text C:\Windows\system32\svchost.exe[1432] msvcrt.dll!_wopen 75FFDE79 5 Bytes JMP 00D10FDE
.text C:\Windows\system32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyExA 7606B5E7 5 Bytes JMP 00DA0025
.text C:\Windows\system32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyA 7606B8AE 5 Bytes JMP 00DA0F9E
.text C:\Windows\system32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyA 76070BF5 5 Bytes JMP 00DA0FE5
.text C:\Windows\system32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyW 7607B83D 5 Bytes JMP 00DA0F83
.text C:\Windows\system32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyExW 7607BCE1 5 Bytes JMP 00DA0036
.text C:\Windows\system32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyExA 7607D4E8 5 Bytes JMP 00DA0FB9
.text C:\Windows\system32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyW 76083CB0 5 Bytes JMP 00DA0FD4
.text C:\Windows\system32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyExW 7608F09D 5 Bytes JMP 00DA0014
.text C:\Windows\system32\svchost.exe[1432] WS2_32.dll!socket 771436D1 5 Bytes JMP 00DF0FE5
.text C:\Windows\system32\svchost.exe[1432] WinInet.dll!InternetOpenA 757B0A4D 5 Bytes JMP 00430FE5
.text C:\Windows\system32\svchost.exe[1432] WinInet.dll!InternetOpenUrlA 757B2713 5 Bytes JMP 00430025
.text C:\Windows\system32\svchost.exe[1432] WinInet.dll!InternetOpenW 757B30C8 5 Bytes JMP 0043000A
.text C:\Windows\system32\svchost.exe[1432] WinInet.dll!InternetOpenUrlW 75808515 5 Bytes JMP 00430040
.text C:\Windows\system32\svchost.exe[1800] ntdll.dll!NtCreateFile 76F97C78 5 Bytes JMP 00420FE5
.text C:\Windows\system32\svchost.exe[1800] ntdll.dll!NtCreateProcess 76F97D38 5 Bytes JMP 0042000A
.text C:\Windows\system32\svchost.exe[1800] ntdll.dll!NtProtectVirtualMemory 76F985D8 5 Bytes JMP 00420FCA
.text C:\Windows\system32\svchost.exe[1800] kernel32.dll!GetStartupInfoW 75CB1929 5 Bytes JMP 00CC0F4D
.text C:\Windows\system32\svchost.exe[1800] kernel32.dll!GetStartupInfoA 75CB19C9 5 Bytes JMP 00CC0F5E
.text C:\Windows\system32\svchost.exe[1800] kernel32.dll!CreateProcessW 75CB1C01 5 Bytes JMP 00CC00D3
.text C:\Windows\system32\svchost.exe[1800] kernel32.dll!CreateProcessA 75CB1C36 5 Bytes JMP 00CC0F3C
.text C:\Windows\system32\svchost.exe[1800] kernel32.dll!VirtualProtect 75CB1DD1 5 Bytes JMP 00CC006E
.text C:\Windows\system32\svchost.exe[1800] kernel32.dll!CreateNamedPipeW 75CB5C44 5 Bytes JMP 00CC002F
.text C:\Windows\system32\svchost.exe[1800] kernel32.dll!LoadLibraryExW 75CD374A 5 Bytes JMP 00CC0F94
.text C:\Windows\system32\svchost.exe[1800] kernel32.dll!LoadLibraryW 75CD382D 5 Bytes JMP 00CC0040
.text C:\Windows\system32\svchost.exe[1800] kernel32.dll!VirtualProtectEx 75CD8F5E 5 Bytes JMP 00CC0F79
.text C:\Windows\system32\svchost.exe[1800] kernel32.dll!LoadLibraryExA 75CD9649 5 Bytes JMP 00CC0051
.text C:\Windows\system32\svchost.exe[1800] kernel32.dll!LoadLibraryA 75CD9671 5 Bytes JMP 00CC0FB9
.text C:\Windows\system32\svchost.exe[1800] kernel32.dll!CreatePipe 75CE0474 5 Bytes JMP 00CC0089
.text C:\Windows\system32\svchost.exe[1800] kernel32.dll!GetProcAddress 75CFBAC6 5 Bytes JMP 00CC0F21
.text C:\Windows\system32\svchost.exe[1800] kernel32.dll!CreateFileW 75CFCE4E 5 Bytes JMP 00CC0FEF
.text C:\Windows\system32\svchost.exe[1800] kernel32.dll!CreateFileA 75CFD171 5 Bytes JMP 00CC000A
.text C:\Windows\system32\svchost.exe[1800] kernel32.dll!CreateNamedPipeA 75D4462E 5 Bytes JMP 00CC0FD4
.text C:\Windows\system32\svchost.exe[1800] kernel32.dll!WinExec 75D4580B 5 Bytes JMP 00CC00B8
.text C:\Windows\system32\svchost.exe[1800] msvcrt.dll!_wsystem 75FF8A47 5 Bytes JMP 00D1005D
.text C:\Windows\system32\svchost.exe[1800] msvcrt.dll!system 75FF8B63 5 Bytes JMP 00D1004C
.text C:\Windows\system32\svchost.exe[1800] msvcrt.dll!_creat 75FFC6F1 5 Bytes JMP 00D1001D
.text C:\Windows\system32\svchost.exe[1800] msvcrt.dll!_open 75FFDA7E 5 Bytes JMP 00D10FEF
.text C:\Windows\system32\svchost.exe[1800] msvcrt.dll!_wcreat 75FFDC9E 5 Bytes JMP 00D10FD2
.text C:\Windows\system32\svchost.exe[1800] msvcrt.dll!_wopen 75FFDE79 5 Bytes JMP 00D1000C
.text C:\Windows\system32\svchost.exe[1800] ADVAPI32.dll!RegCreateKeyExA 7606B5E7 5 Bytes JMP 00D60FB2
.text C:\Windows\system32\svchost.exe[1800] ADVAPI32.dll!RegCreateKeyA 7606B8AE 5 Bytes JMP 00D60FC3
.text C:\Windows\system32\svchost.exe[1800] ADVAPI32.dll!RegOpenKeyA 76070BF5 5 Bytes JMP 00D60000
.text C:\Windows\system32\svchost.exe[1800] ADVAPI32.dll!RegCreateKeyW 7607B83D 5 Bytes JMP 00D6004A
.text C:\Windows\system32\svchost.exe[1800] ADVAPI32.dll!RegCreateKeyExW 7607BCE1 5 Bytes JMP 00D60065
.text C:\Windows\system32\svchost.exe[1800] ADVAPI32.dll!RegOpenKeyExA 7607D4E8 5 Bytes JMP 00D60025
.text C:\Windows\system32\svchost.exe[1800] ADVAPI32.dll!RegOpenKeyW 76083CB0 5 Bytes JMP 00D60FEF
.text C:\Windows\system32\svchost.exe[1800] ADVAPI32.dll!RegOpenKeyExW 7608F09D 5 Bytes JMP 00D60FD4
.text C:\Windows\system32\svchost.exe[1800] WS2_32.dll!socket 771436D1 5 Bytes JMP 00D70000
.text C:\Windows\system32\svchost.exe[1800] WININET.dll!InternetOpenA 757B0A4D 5 Bytes JMP 00CB0000
.text C:\Windows\system32\svchost.exe[1800] WININET.dll!InternetOpenUrlA 757B2713 5 Bytes JMP 00CB0FDE
.text C:\Windows\system32\svchost.exe[1800] WININET.dll!InternetOpenW 757B30C8 5 Bytes JMP 00CB0FEF
.text C:\Windows\system32\svchost.exe[1800] WININET.dll!InternetOpenUrlW 75808515 5 Bytes JMP 00CB0039
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2156] ntdll.dll!NtCreateFile 76F97C78 5 Bytes JMP 34A10FEF
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2156] ntdll.dll!NtCreateProcess 76F97D38 5 Bytes JMP 34A10FCA
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2156] ntdll.dll!NtProtectVirtualMemory 76F985D8 5 Bytes JMP 34A10000
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2156] kernel32.dll!GetStartupInfoW 75CB1929 5 Bytes JMP 34C300B5
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2156] kernel32.dll!GetStartupInfoA 75CB19C9 5 Bytes JMP 34C300A4
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2156] kernel32.dll!CreateProcessW 75CB1C01 5 Bytes JMP 34C30F4A
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2156] kernel32.dll!CreateProcessA 75CB1C36 5 Bytes JMP 34C300E1
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2156] kernel32.dll!VirtualProtect 75CB1DD1 5 Bytes JMP 34C30F9E
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2156] kernel32.dll!CreateNamedPipeW 75CB5C44 5 Bytes JMP 34C30FD4
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2156] kernel32.dll!LoadLibraryExW 75CD374A 5 Bytes JMP 34C30076
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2156] kernel32.dll!LoadLibraryW 75CD382D 5 Bytes JMP 34C3004A
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2156] kernel32.dll!VirtualProtectEx 75CD8F5E 5 Bytes JMP 34C30093
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2156] kernel32.dll!LoadLibraryExA 75CD9649 5 Bytes JMP 34C30065
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2156] kernel32.dll!LoadLibraryA 75CD9671 5 Bytes JMP 34C30FC3
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2156] kernel32.dll!CreatePipe 75CE0474 5 Bytes JMP 34C30F83
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2156] kernel32.dll!GetProcAddress 75CFBAC6 5 Bytes JMP 34C300FC
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2156] kernel32.dll!CreateFileW 75CFCE4E 5 Bytes JMP 34C3001B
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2156] kernel32.dll!CreateFileA 75CFD171 5 Bytes JMP 34C30000
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2156] kernel32.dll!CreateNamedPipeA 75D4462E 5 Bytes JMP 34C30FE5
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2156] kernel32.dll!WinExec 75D4580B 5 Bytes JMP 34C300D0
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2156] msvcrt.dll!_wsystem 75FF8A47 5 Bytes JMP 34C40F9A
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2156] msvcrt.dll!system 75FF8B63 5 Bytes JMP 34C40FAB
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2156] msvcrt.dll!_creat 75FFC6F1 5 Bytes JMP 34C40FC6
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2156] msvcrt.dll!_open 75FFDA7E 5 Bytes JMP 34C40FE3
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2156] msvcrt.dll!_wcreat 75FFDC9E 5 Bytes JMP 34C4001B
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2156] msvcrt.dll!_wopen 75FFDE79 5 Bytes JMP 34C40000
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2156] ADVAPI32.dll!RegCreateKeyExA 7606B5E7 5 Bytes JMP 34C50FAF
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2156] ADVAPI32.dll!RegCreateKeyA 7606B8AE 5 Bytes JMP 34C50040
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2156] ADVAPI32.dll!RegOpenKeyA 76070BF5 5 Bytes JMP 34C50000
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2156] ADVAPI32.dll!RegCreateKeyW 7607B83D 5 Bytes JMP 34C50051
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2156] ADVAPI32.dll!RegCreateKeyExW 7607BCE1 5 Bytes JMP 34C50076
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2156] ADVAPI32.dll!RegOpenKeyExA 7607D4E8 5 Bytes JMP 34C5002F
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2156] ADVAPI32.dll!RegOpenKeyW 76083CB0 5 Bytes JMP 34C50FEF
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2156] ADVAPI32.dll!RegOpenKeyExW 7608F09D 5 Bytes JMP 34C50FDE
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2156] WS2_32.dll!socket 771436D1 5 Bytes JMP 34C60FEF
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2156] WININET.dll!InternetOpenA 757B0A4D 5 Bytes JMP 34A20000
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2156] WININET.dll!InternetOpenUrlA 757B2713 5 Bytes JMP 34A2001B
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2156] WININET.dll!InternetOpenW 757B30C8 5 Bytes JMP 34A20FE5
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2156] WININET.dll!InternetOpenUrlW 75808515 5 Bytes JMP 34A20036
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2344] ntdll.dll!NtProtectVirtualMemory 76F985D8 5 Bytes JMP 00EF000A
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2344] ntdll.dll!NtWriteVirtualMemory 76F98F18 5 Bytes JMP 00F0000A
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2344] ntdll.dll!KiUserExceptionDispatcher 76F99648 5 Bytes JMP 00DC000A
.text C:\Windows\system32\svchost.exe[2440] ntdll.dll!NtCreateFile 76F97C78 5 Bytes JMP 00D60FEF
.text C:\Windows\system32\svchost.exe[2440] ntdll.dll!NtCreateProcess 76F97D38 5 Bytes JMP 00D60FC3
.text C:\Windows\system32\svchost.exe[2440] ntdll.dll!NtProtectVirtualMemory 76F985D8 5 Bytes JMP 00D60FD4
.text C:\Windows\system32\svchost.exe[2440] kernel32.dll!GetStartupInfoW 75CB1929 5 Bytes JMP 00D7006D
.text C:\Windows\system32\svchost.exe[2440] kernel32.dll!GetStartupInfoA 75CB19C9 5 Bytes JMP 00D70F27
.text C:\Windows\system32\svchost.exe[2440] kernel32.dll!CreateProcessW 75CB1C01 5 Bytes JMP 00D700AD
.text C:\Windows\system32\svchost.exe[2440] kernel32.dll!CreateProcessA 75CB1C36 5 Bytes JMP 00D7009C
.text C:\Windows\system32\svchost.exe[2440] kernel32.dll!VirtualProtect 75CB1DD1 5 Bytes JMP 00D70F5A
.text C:\Windows\system32\svchost.exe[2440] kernel32.dll!CreateNamedPipeW 75CB5C44 5 Bytes JMP 00D70FC3
.text C:\Windows\system32\svchost.exe[2440] kernel32.dll!LoadLibraryExW 75CD374A 5 Bytes JMP 00D70F6B
.text C:\Windows\system32\svchost.exe[2440] kernel32.dll!LoadLibraryW 75CD382D 5 Bytes JMP 00D70F97
.text C:\Windows\system32\svchost.exe[2440] kernel32.dll!VirtualProtectEx 75CD8F5E 5 Bytes JMP 00D70F49
.text C:\Windows\system32\svchost.exe[2440] kernel32.dll!LoadLibraryExA 75CD9649 5 Bytes JMP 00D70F7C
.text C:\Windows\system32\svchost.exe[2440] kernel32.dll!LoadLibraryA 75CD9671 5 Bytes JMP 00D70FA8
.text C:\Windows\system32\svchost.exe[2440] kernel32.dll!CreatePipe 75CE0474 5 Bytes JMP 00D70F38
.text C:\Windows\system32\svchost.exe[2440] kernel32.dll!GetProcAddress 75CFBAC6 5 Bytes JMP 00D700BE
.text C:\Windows\system32\svchost.exe[2440] kernel32.dll!CreateFileW 75CFCE4E 5 Bytes JMP 00D7000A
.text C:\Windows\system32\svchost.exe[2440] kernel32.dll!CreateFileA 75CFD171 5 Bytes JMP 00D70FEF
.text C:\Windows\system32\svchost.exe[2440] kernel32.dll!CreateNamedPipeA 75D4462E 5 Bytes JMP 00D70FD4
.text C:\Windows\system32\svchost.exe[2440] kernel32.dll!WinExec 75D4580B 5 Bytes JMP 00D70F16
.text C:\Windows\system32\svchost.exe[2440] msvcrt.dll!_wsystem 75FF8A47 5 Bytes JMP 00D80069
.text C:\Windows\system32\svchost.exe[2440] msvcrt.dll!system 75FF8B63 5 Bytes JMP 00D8004E
.text C:\Windows\system32\svchost.exe[2440] msvcrt.dll!_creat 75FFC6F1 5 Bytes JMP 00D80FEF
.text C:\Windows\system32\svchost.exe[2440] msvcrt.dll!_open 75FFDA7E 5 Bytes JMP 00D8000C
.text C:\Windows\system32\svchost.exe[2440] msvcrt.dll!_wcreat 75FFDC9E 5 Bytes JMP 00D80FDE
.text C:\Windows\system32\svchost.exe[2440] msvcrt.dll!_wopen 75FFDE79 5 Bytes JMP 00D8001D
.text C:\Windows\system32\svchost.exe[2440] ADVAPI32.dll!RegCreateKeyExA 7606B5E7 5 Bytes JMP 00D90FA5
.text C:\Windows\system32\svchost.exe[2440] ADVAPI32.dll!RegCreateKeyA 7606B8AE 5 Bytes JMP 00D90047
.text C:\Windows\system32\svchost.exe[2440] ADVAPI32.dll!RegOpenKeyA 76070BF5 5 Bytes JMP 00D90000
.text C:\Windows\system32\svchost.exe[2440] ADVAPI32.dll!RegCreateKeyW 7607B83D 5 Bytes JMP 00D90FC0
.text C:\Windows\system32\svchost.exe[2440] ADVAPI32.dll!RegCreateKeyExW 7607BCE1 5 Bytes JMP 00D90062
.text C:\Windows\system32\svchost.exe[2440] ADVAPI32.dll!RegOpenKeyExA 7607D4E8 5 Bytes JMP 00D9001B
.text C:\Windows\system32\svchost.exe[2440] ADVAPI32.dll!RegOpenKeyW 76083CB0 5 Bytes JMP 00D90FDB
.text C:\Windows\system32\svchost.exe[2440] ADVAPI32.dll!RegOpenKeyExW 7608F09D 5 Bytes JMP 00D9002C
.text C:\Windows\system32\svchost.exe[2440] WS2_32.dll!socket 771436D1 5 Bytes JMP 00DA000A
.text C:\Windows\System32\svchost.exe[2516] ntdll.dll!NtCreateFile 76F97C78 5 Bytes JMP 00050000
.text C:\Windows\System32\svchost.exe[2516] ntdll.dll!NtCreateProcess 76F97D38 5 Bytes JMP 00050025
.text C:\Windows\System32\svchost.exe[2516] ntdll.dll!NtProtectVirtualMemory 76F985D8 5 Bytes JMP 00050FE5
.text C:\Windows\System32\svchost.exe[2516] kernel32.dll!GetStartupInfoW 75CB1929 5 Bytes JMP 000600BD
.text C:\Windows\System32\svchost.exe[2516] kernel32.dll!GetStartupInfoA 75CB19C9 5 Bytes JMP 00060F77
.text C:\Windows\System32\svchost.exe[2516] kernel32.dll!CreateProcessW 75CB1C01 5 Bytes JMP 000600FD
.text C:\Windows\System32\svchost.exe[2516] kernel32.dll!CreateProcessA 75CB1C36 5 Bytes JMP 000600EC
.text C:\Windows\System32\svchost.exe[2516] kernel32.dll!VirtualProtect 75CB1DD1 5 Bytes JMP 00060091
.text C:\Windows\System32\svchost.exe[2516] kernel32.dll!CreateNamedPipeW 75CB5C44 5 Bytes JMP 00060FD4
.text C:\Windows\System32\svchost.exe[2516] kernel32.dll!LoadLibraryExW 75CD374A 5 Bytes JMP 00060076
.text C:\Windows\System32\svchost.exe[2516] kernel32.dll!LoadLibraryW 75CD382D 5 Bytes JMP 00060FC3
.text C:\Windows\System32\svchost.exe[2516] kernel32.dll!VirtualProtectEx 75CD8F5E 5 Bytes JMP 000600A2
.text C:\Windows\System32\svchost.exe[2516] kernel32.dll!LoadLibraryExA 75CD9649 5 Bytes JMP 00060065
.text C:\Windows\System32\svchost.exe[2516] kernel32.dll!LoadLibraryA 75CD9671 5 Bytes JMP 00060040
.text C:\Windows\System32\svchost.exe[2516] kernel32.dll!CreatePipe 75CE0474 5 Bytes JMP 00060F92
.text C:\Windows\System32\svchost.exe[2516] kernel32.dll!GetProcAddress 75CFBAC6 5 Bytes JMP 00060118
.text C:\Windows\System32\svchost.exe[2516] kernel32.dll!CreateFileW 75CFCE4E 5 Bytes JMP 0006000A
.text C:\Windows\System32\svchost.exe[2516] kernel32.dll!CreateFileA 75CFD171 5 Bytes JMP 00060FEF
.text C:\Windows\System32\svchost.exe[2516] kernel32.dll!CreateNamedPipeA 75D4462E 5 Bytes JMP 0006001B
.text C:\Windows\System32\svchost.exe[2516] kernel32.dll!WinExec 75D4580B 5 Bytes JMP 00060F66
.text C:\Windows\System32\svchost.exe[2516] msvcrt.dll!_wsystem 75FF8A47 5 Bytes JMP 00070049
.text C:\Windows\System32\svchost.exe[2516] msvcrt.dll!system 75FF8B63 5 Bytes JMP 00070FBE
.text C:\Windows\System32\svchost.exe[2516] msvcrt.dll!_creat 75FFC6F1 5 Bytes JMP 0007002E
.text C:\Windows\System32\svchost.exe[2516] msvcrt.dll!_open 75FFDA7E 5 Bytes JMP 00070000
.text C:\Windows\System32\svchost.exe[2516] msvcrt.dll!_wcreat 75FFDC9E 5 Bytes JMP 00070FD9
.text C:\Windows\System32\svchost.exe[2516] msvcrt.dll!_wopen 75FFDE79 5 Bytes JMP 00070011
.text C:\Windows\System32\svchost.exe[2516] ADVAPI32.dll!RegCreateKeyExA 7606B5E7 5 Bytes JMP 00080051
.text C:\Windows\System32\svchost.exe[2516] ADVAPI32.dll!RegCreateKeyA 7606B8AE 5 Bytes JMP 0008002F
.text C:\Windows\System32\svchost.exe[2516] ADVAPI32.dll!RegOpenKeyA 76070BF5 5 Bytes JMP 00080FE5
.text C:\Windows\System32\svchost.exe[2516] ADVAPI32.dll!RegCreateKeyW 7607B83D 5 Bytes JMP 00080040
.text C:\Windows\System32\svchost.exe[2516] ADVAPI32.dll!RegCreateKeyExW 7607BCE1 5 Bytes JMP 0008006C
.text C:\Windows\System32\svchost.exe[2516] ADVAPI32.dll!RegOpenKeyExA 7607D4E8 5 Bytes JMP 00080FD4
.text C:\Windows\System32\svchost.exe[2516] ADVAPI32.dll!RegOpenKeyW 76083CB0 5 Bytes JMP 00080000
.text C:\Windows\System32\svchost.exe[2516] ADVAPI32.dll!RegOpenKeyExW 7608F09D 5 Bytes JMP 00080FB9
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[2740] kernel32.dll!LoadLibraryW 75CD382D 5 Bytes JMP 6F009A63 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[2740] kernel32.dll!LoadLibraryA 75CD9671 5 Bytes JMP 6F0099A1 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Windows\Explorer.EXE[3680] ntdll.dll!NtCreateFile 76F97C78 5 Bytes JMP 00040FE5
.text C:\Windows\Explorer.EXE[3680] ntdll.dll!NtCreateProcess 76F97D38 5 Bytes JMP 00040FB9
.text C:\Windows\Explorer.EXE[3680] ntdll.dll!NtProtectVirtualMemory 76F985D8 5 Bytes JMP 00040FD4
.text C:\Windows\Explorer.EXE[3680] kernel32.dll!GetStartupInfoW 75CB1929 5 Bytes JMP 000100F2
.text C:\Windows\Explorer.EXE[3680] kernel32.dll!GetStartupInfoA 75CB19C9 5 Bytes JMP 000100E1
.text C:\Windows\Explorer.EXE[3680] kernel32.dll!CreateProcessW 75CB1C01 5 Bytes JMP 00010139
.text C:\Windows\Explorer.EXE[3680] kernel32.dll!CreateProcessA 75CB1C36 5 Bytes JMP 00010128
.text C:\Windows\Explorer.EXE[3680] kernel32.dll!VirtualProtect 75CB1DD1 5 Bytes JMP 0001009A
.text C:\Windows\Explorer.EXE[3680] kernel32.dll!CreateNamedPipeW 75CB5C44 5 Bytes JMP 00010040
.text C:\Windows\Explorer.EXE[3680] kernel32.dll!LoadLibraryExW 75CD374A 5 Bytes JMP 0001007D
.text C:\Windows\Explorer.EXE[3680] kernel32.dll!LoadLibraryW 75CD382D 5 Bytes JMP 00010062
.text C:\Windows\Explorer.EXE[3680] kernel32.dll!VirtualProtectEx 75CD8F5E 5 Bytes JMP 000100B5
.text C:\Windows\Explorer.EXE[3680] kernel32.dll!LoadLibraryExA 75CD9649 5 Bytes JMP 00010FC0
.text C:\Windows\Explorer.EXE[3680] kernel32.dll!LoadLibraryA 75CD9671 5 Bytes JMP 00010051
.text C:\Windows\Explorer.EXE[3680] kernel32.dll!CreatePipe 75CE0474 5 Bytes JMP 000100C6
.text C:\Windows\Explorer.EXE[3680] kernel32.dll!GetProcAddress 75CFBAC6 5 Bytes JMP 00010F87
.text C:\Windows\Explorer.EXE[3680] kernel32.dll!CreateFileW 75CFCE4E 5 Bytes JMP 0001000A
.text C:\Windows\Explorer.EXE[3680] kernel32.dll!CreateFileA 75CFD171 5 Bytes JMP 00010FEF
.text C:\Windows\Explorer.EXE[3680] kernel32.dll!CreateNamedPipeA 75D4462E 5 Bytes JMP 0001002F
.text C:\Windows\Explorer.EXE[3680] kernel32.dll!WinExec 75D4580B 5 Bytes JMP 00010117
.text C:\Windows\Explorer.EXE[3680] ADVAPI32.dll!RegCreateKeyExA 7606B5E7 5 Bytes JMP 00060F86
.text C:\Windows\Explorer.EXE[3680] ADVAPI32.dll!RegCreateKeyA 7606B8AE 1 Byte [E9]
.text C:\Windows\Explorer.EXE[3680] ADVAPI32.dll!RegCreateKeyA 7606B8AE 5 Bytes JMP 00060FB2
.text C:\Windows\Explorer.EXE[3680] ADVAPI32.dll!RegOpenKeyA 76070BF5 5 Bytes JMP 00060FEF
.text C:\Windows\Explorer.EXE[3680] ADVAPI32.dll!RegCreateKeyW 7607B83D 5 Bytes JMP 00060F97
.text C:\Windows\Explorer.EXE[3680] ADVAPI32.dll!RegCreateKeyExW 7607BCE1 5 Bytes JMP 00060039
.text C:\Windows\Explorer.EXE[3680] ADVAPI32.dll!RegOpenKeyExA 7607D4E8 5 Bytes JMP 00060FCD
.text C:\Windows\Explorer.EXE[3680] ADVAPI32.dll!RegOpenKeyW 76083CB0 5 Bytes JMP 00060FDE
.text C:\Windows\Explorer.EXE[3680] ADVAPI32.dll!RegOpenKeyExW 7608F09D 5 Bytes JMP 0006001E
.text C:\Windows\Explorer.EXE[3680] msvcrt.dll!_wsystem 75FF8A47 5 Bytes JMP 00070FB7
.text C:\Windows\Explorer.EXE[3680] msvcrt.dll!system 75FF8B63 5 Bytes JMP 00070042
.text C:\Windows\Explorer.EXE[3680] msvcrt.dll!_creat 75FFC6F1 5 Bytes JMP 00070FD2
.text C:\Windows\Explorer.EXE[3680] msvcrt.dll!_open 75FFDA7E 5 Bytes JMP 00070FEF
.text C:\Windows\Explorer.EXE[3680] msvcrt.dll!_wcreat 75FFDC9E 5 Bytes JMP 00070027
.text C:\Windows\Explorer.EXE[3680] msvcrt.dll!_wopen 75FFDE79 5 Bytes JMP 0007000C
.text C:\Windows\Explorer.EXE[3680] WS2_32.dll!socket 771436D1 5 Bytes JMP 0308000A
.text C:\Windows\Explorer.EXE[3680] WININET.dll!InternetOpenA 757B0A4D 5 Bytes JMP 03180FEF
.text C:\Windows\Explorer.EXE[3680] WININET.dll!InternetOpenUrlA 757B2713 5 Bytes JMP 03180FCA
.text C:\Windows\Explorer.EXE[3680] WININET.dll!InternetOpenW 757B30C8 5 Bytes JMP 0318000A
.text C:\Windows\Explorer.EXE[3680] WININET.dll!InternetOpenUrlW 75808515 5 Bytes JMP 0318001B

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[944] @ C:\Windows\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [0001A4B0] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[944] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [0001A510] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT C:\Windows\Explorer.EXE[3680] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73FB8864] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3680] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73FF9855] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3680] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73FBB984] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3680] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73FAFB47] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3680] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73FB7A29] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3680] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73FAEA65] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3680] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73FEB12D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3680] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [73FBBC4A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3680] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73FB0756] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3680] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73FB06BD] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3680] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73FA71B3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3680] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7403D9E0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3680] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [73FD7329] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3680] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73FAE109] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3680] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73FA697E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3680] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73FA69A9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3680] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73FB2475] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp mfewfpk.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp mfewfpk.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- Files - GMER 1.0.15 ----

File C:\Windows\$NtUninstallKB59234$\1350081819 0 bytes
File C:\Windows\$NtUninstallKB59234$\2853653877 0 bytes
File C:\Windows\$NtUninstallKB59234$\2853653877\@ 2048 bytes
File C:\Windows\$NtUninstallKB59234$\2853653877\bckfg.tmp 852 bytes
File C:\Windows\$NtUninstallKB59234$\2853653877\cfg.ini 208 bytes
File C:\Windows\$NtUninstallKB59234$\2853653877\Desktop.ini 4608 bytes
File C:\Windows\$NtUninstallKB59234$\2853653877\keywords 236 bytes
File C:\Windows\$NtUninstallKB59234$\2853653877\kwrd.dll 223744 bytes
File C:\Windows\$NtUninstallKB59234$\2853653877\L 0 bytes
File C:\Windows\$NtUninstallKB59234$\2853653877\L\qnbwvoto 273408 bytes
File C:\Windows\$NtUninstallKB59234$\2853653877\lsflt7.ver 5176 bytes
File C:\Windows\$NtUninstallKB59234$\2853653877\U 0 bytes
File C:\Windows\$NtUninstallKB59234$\2853653877\U\00000001.@ 2048 bytes
File C:\Windows\$NtUninstallKB59234$\2853653877\U\00000002.@ 224768 bytes
File C:\Windows\$NtUninstallKB59234$\2853653877\U\00000004.@ 1024 bytes
File C:\Windows\$NtUninstallKB59234$\2853653877\U\80000000.@ 1024 bytes
File C:\Windows\$NtUninstallKB59234$\2853653877\U\80000004.@ 12800 bytes
File C:\Windows\$NtUninstallKB59234$\2853653877\U\80000032.@ 98304 bytes

---- EOF - GMER 1.0.15 ----



=============================================================================


DDS:


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_21
Run by Emi at 13:00:21 on 2011-12-17
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1977.853 [GMT -5:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\WTouch\WTouchService.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Pen_Tablet.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files\WTouch\WTouchUser.exe
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\Pen_Tablet.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Windows\PixArt\PAC207\Monitor.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Users\Emi\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=0109&m=aspire_4730z
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=0109&m=aspire_4730z
mDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=0109&m=aspire_4730z
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=127.0.0.1:60121
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111112131246.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\program files\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\program files\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [sjinrxjq] c:\users\emi\appdata\local\cjappmyep\vjyfcuruqiw.exe
uRun: [14547955] c:\users\emi\appdata\local\temp\jucheck.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [eDataSecurity Loader] c:\program files\acer\empowering technology\edatasecurity\x86\eDSloader.exe
mRun: [BkupTray] "c:\program files\newtech infosystems\nti backup now 5\BkupTray.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ePower_DMC] c:\program files\acer\empowering technology\epower\ePower_DMC.exe
mRun: [eRecoveryService]
mRun: [Acer Assist Launcher] c:\program files\acer\acer assist\launcher.exe
mRun: [Acer Product Registration] "c:\program files\acer\acer registration\ACE1.exe" /startup
mRun: [EarthLink Installer] " /C
mRun: [Monitor] c:\windows\pixart\pac207\Monitor.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
StartupFolder: c:\users\emi\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\users\emi\appdata\roaming\micros~1\windows\startm~1\programs\startup\orion.lnk - c:\program files\convesoft\orion\Messenger.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{E7AEE8D3-6310-4545-A043-2DB8577BC8A9} : DhcpNameServer = 192.168.1.254
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\emi\appdata\roaming\mozilla\firefox\profiles\wpxffyqg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.goodsearch.com/?charityid=845878
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 60121
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\musicnotes\npmusicn.dll
FF - plugin: c:\program files\musicnotes\NPSibelius.dll
FF - plugin: c:\program files\onlive\firefoxplugin\npolgdet.dll
FF - plugin: c:\program files\tabletplugins\npwacom.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\users\emi\appdata\roaming\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\users\emi\appdata\roaming\facebook\npfbplugin_1_0_3.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-8-13 464176]
R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2010-8-13 64880]
R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-8-13 165680]
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\newtech infosystems\nti backup now 5\client\Agentsvc.exe [2008-3-3 16384]
R2 ETService;Empowering Technology Service;c:\program files\acer\empowering technology\service\ETService.exe [2008-8-18 24576]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-3-5 94880]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-8-13 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-8-13 214904]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-8-13 214904]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-8-13 166288]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-8-13 160608]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-8-13 150856]
R2 MSSQL$SOSHOME309;SQL Server (SOSHOME309);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-8-5 29184016]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-4-25 45056]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-4-25 131072]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-8-13 57600]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2008-8-15 93968]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-8-13 180816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-8-13 59456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-8-13 338176]
R3 netr28;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\drivers\netr28.sys [2008-8-18 388096]
R3 WacomVTHid;Virtual Touch Driver;c:\windows\system32\drivers\WacomVTHid.sys [2010-8-16 13480]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-2 135664]
S3 dsiarhwprog;dsiarhwprog;c:\windows\system32\drivers\dsiarhwprog.sys [2009-10-9 29184]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-1-28 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-2 135664]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-8-13 87656]
S3 PAC207;PC Camer@;c:\windows\system32\drivers\PFC027.SYS [2007-6-12 508416]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2010-8-16 16168]
.
=============== Created Last 30 ================
.
2011-12-07 21:41:45 -------- d-----w- c:\users\emi\appdata\roaming\WTablet
2011-12-07 21:41:43 -------- d-----w- c:\users\emi\appdata\roaming\WTouch
.
==================== Find3M ====================
.
2011-12-04 19:50:22 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-15 18:16:16 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-10-15 18:16:16 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-10-15 18:16:16 64880 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2011-10-15 18:16:16 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-10-15 18:16:16 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-10-15 18:16:16 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-10-15 18:16:16 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-10-15 18:16:16 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-10-15 18:16:16 165680 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2011-10-15 18:16:16 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
.
============= FINISH: 13:11:32.50 ===============



The other file is attached.


Thank you all so much for your help!



Edited by egerren, 18 December 2011 - 02:48 PM.
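A triage pass over the kind of DDS and GMER lines posted above, added here as an example and not code from the thread or from any of the tools named in it. It flags the loopback proxy that both IE and Firefox are configured to use (the same local port for both browsers explains tabs appearing in Firefox), auto-start entries pointing into the user's AppData\Local folder, and the numeric-subfolder layout under $NtUninstallKB*$ that ComboFix later removed; the sample lines are copied from this post, and the regexes and rule names are my own assumptions about the DDS line format.

```python
"""Triage helper for DDS/GMER-style log lines (constructed example, not part of the thread)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the DDS and GMER logs in this
# thread, plus benign entries, so the rules can be run offline.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=127.0.0.1:60121
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [sjinrxjq] c:\users\emi\appdata\local\cjappmyep\vjyfcuruqiw.exe
uRun: [14547955] c:\users\emi\appdata\local\temp\jucheck.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 60121
File C:\Windows\$NtUninstallKB59234$\2853653877\U\00000002.@ 224768 bytes
File C:\Windows\$NtUninstallKB59234$\2853653877\kwrd.dll 223744 bytes
""".strip()


@dataclass(frozen=True)
class Finding:
    rule: str      # short rule id (names are this example's own)
    detail: str    # what was matched
    line: str      # the offending log line


# IE proxy pointed at the loopback interface: browser traffic is relayed through a
# local process, which is how unwanted pages/tabs can be injected into any browser.
IE_LOOPBACK_PROXY = re.compile(r"ProxyServer\s*=\s*(?:http=)?127\.0\.0\.1:(\d+)")
FF_PROXY_HOST = re.compile(r"network\.proxy\.http\s+-\s+127\.0\.0\.1\b")
FF_PROXY_PORT = re.compile(r"network\.proxy\.http_port\s+-\s+(\d+)")
# uRun/mRun auto-start entries have the shape: [name] "path" /optional-switch
RUN_ENTRY = re.compile(r'^[um]Run:\s*\[(?P<name>[^\]]*)\]\s*"?(?P<path>[^"]+?)"?\s*(?:/\S*)?$')
USER_LOCAL_PATH = re.compile(r"\\appdata\\local\\", re.IGNORECASE)
RANDOM_NAME = re.compile(r"^(?:[a-z]{7,}|\d{7,})$")
# $NtUninstallKB*$ is an XP-era hotfix uninstall folder; numeric subfolders and
# files named *.@ under it (as in this thread's GMER log) are not a hotfix layout.
NTUNINSTALL_ODD = re.compile(r"\$NtUninstallKB\d+\$\\\d+\\", re.IGNORECASE)


def triage(text: str) -> list[Finding]:
    """Run the rules over each line and return findings in log order."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := IE_LOOPBACK_PROXY.search(line):
            findings.append(Finding("ie-loopback-proxy", f"port {m.group(1)}", line))
        elif FF_PROXY_HOST.search(line):
            findings.append(Finding("ff-loopback-proxy", "127.0.0.1", line))
        elif m := RUN_ENTRY.match(line):
            name, path = m.group("name"), m.group("path")
            if USER_LOCAL_PATH.search(path):
                # A random-looking name on a user-local auto-start is the stronger signal.
                rule = "run-user-local-random" if RANDOM_NAME.match(name) else "run-user-local"
                findings.append(Finding(rule, name, line))
        elif NTUNINSTALL_ODD.search(line):
            findings.append(Finding("ntuninstall-odd-layout", "numeric subfolder", line))
    return findings


def local_proxy_ports(text: str) -> set[str]:
    """Ports on which both IE and Firefox are told to find a proxy at 127.0.0.1.
    One port shared by both browsers points at a single local relay process."""
    ie = {m.group(1) for m in IE_LOOPBACK_PROXY.finditer(text)}
    ff = {m.group(1) for m in FF_PROXY_PORT.finditer(text)}
    return ie & ff


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:24} {f.detail:20} {f.line}")
    print("shared loopback proxy port(s):", local_proxy_ports(SAMPLE_LOG) or "none")
```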




#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,828 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 17 December 2011 - 05:58 PM

:welcome:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link or this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If any of these applications will not uninstall, it is first recommended to uninstall it with AppRemover by Opswat. http://www.appremover.com/supported-applications. Do not use AppRemover on Norton

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" .
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

Please download Malwarebytes' Anti-Malware from Here. Never download Malwarebytes' Anti-Malware from other sources.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 egerren

egerren
  • Topic Starter

  • Members
  • 22 posts

Posted 18 December 2011 - 01:13 PM

I ran Combofix; everything seemed okay, then I rebooted and got a bluescreen (with error "irql_not_less_or_equal"). It starts okay in Safe Mode, but we have no internet in Safe Mode with Networking.
Thanks for your help, again!

#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,828 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 18 December 2011 - 03:42 PM

Click on the Start button, type MSconfig and press Enter. Select the Services tab. Hide Microsoft services and deselect all services left. Click on Apply, then OK, restart the computer in Normal Mode.


Let me know if successful.


Combofix logs are in the C:\ folder. See if you can extract these files on a flash drive and post their content.

Let's try to scan the computer from an external point. You will need a USB (Flash) pendrive.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the flash drive. Please copy and paste it to your reply.

Edited by JSntgRvr, 18 December 2011 - 03:49 PM.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 egerren

egerren
  • Topic Starter

  • Members
  • 22 posts

Posted 19 December 2011 - 10:15 AM

I got it loaded! The problem only happens when I try to log in to my account-- my dad thinks something in my startup folder has a problem. I'm currently using his account.

ComboFix log:

ComboFix 11-12-17.03 - Emi 12/18/2011 8:22.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1977.1287 [GMT -5:00]
Running from: c:\users\Emi\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Emi\AppData\Roaming\.#
c:\users\Emi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Restore
c:\users\Emi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Restore\System Restore.lnk
c:\users\Emi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Restore\Uninstall System Restore.lnk
c:\users\Lisa\Documents\~WRL0003.tmp
c:\users\Lisa\Documents\~WRL0004.tmp
c:\users\Lisa\Documents\~WRL0005.tmp
c:\users\Samuel\AppData\Roaming\.#
c:\windows\$NtUninstallKB59234$\1350081819
c:\windows\$NtUninstallKB59234$\2853653877\@
c:\windows\$NtUninstallKB59234$\2853653877\bckfg.tmp
c:\windows\$NtUninstallKB59234$\2853653877\cfg.ini
c:\windows\$NtUninstallKB59234$\2853653877\Desktop.ini
c:\windows\$NtUninstallKB59234$\2853653877\keywords
c:\windows\$NtUninstallKB59234$\2853653877\kwrd.dll
c:\windows\$NtUninstallKB59234$\2853653877\L\qnbwvoto
c:\windows\$NtUninstallKB59234$\2853653877\lsflt7.ver
c:\windows\$NtUninstallKB59234$\2853653877\U\00000001.@
c:\windows\$NtUninstallKB59234$\2853653877\U\00000002.@
c:\windows\$NtUninstallKB59234$\2853653877\U\00000004.@
c:\windows\$NtUninstallKB59234$\2853653877\U\80000000.@
c:\windows\$NtUninstallKB59234$\2853653877\U\80000004.@
c:\windows\$NtUninstallKB59234$\2853653877\U\80000032.@
.
.
((((((((((((((((((((((((( Files Created from 2011-11-18 to 2011-12-18 )))))))))))))))))))))))))))))))
.
.
2011-12-18 13:39 . 2011-12-18 13:40 -------- d-----w- c:\users\Emi\AppData\Local\temp
2011-12-18 13:39 . 2011-12-18 13:39 -------- d-----w- c:\users\Samuel\AppData\Local\temp
2011-12-18 13:39 . 2011-12-18 13:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-18 13:39 . 2011-12-18 13:39 -------- d-----w- c:\users\Neil\AppData\Local\temp
2011-12-18 13:39 . 2011-12-18 13:39 -------- d-----w- c:\users\Lisa\AppData\Local\temp
2011-12-07 21:41 . 2011-12-17 17:52 -------- d-----w- c:\users\Emi\AppData\Roaming\WTablet
2011-12-07 21:41 . 2011-12-07 21:41 -------- d-----w- c:\users\Emi\AppData\Roaming\WTouch
2011-11-20 21:57 . 2011-11-20 21:57 -------- d-----w- c:\users\Emi\AppData\Roaming\Nikon
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-04 19:50 . 2011-06-27 11:15 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-05 06:53 . 2011-11-11 02:10 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2010-07-03 01:52 . 2009-10-28 01:45 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2011-04-14 18:01 . 2010-08-14 02:05 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-05 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EarthLink Installer"="/C" [X]
"RtHDVCpl"="RtHDVCpl.exe" [2008-06-20 6244896]
"eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-07-30 526896]
"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-26 28672]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-07-02 850440]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-07-22 159744]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-03 30192]
"ePower_DMC"="c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2008-08-01 405504]
"Acer Assist Launcher"="c:\program files\Acer\Acer Assist\launcher.exe" [2007-11-19 1261568]
"Acer Product Registration"="c:\program files\Acer\Acer Registration\ACE1.exe" [2007-11-26 3387392]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-01-13 198160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 170520]
.
c:\users\Emi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-8-24 101784]
Orion.lnk - c:\program files\Convesoft\Orion\Messenger.exe [N/A]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-3-28 113664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 135664]
R2 MSSQL$SOSHOME309;SQL Server (SOSHOME309);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-08-05 29184016]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-04-26 45056]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-04-26 131072]
R2 XMLProvS;Network ProService;c:\windows\System32\svchost.exe [2008-01-21 21504]
R3 dsiarhwprog;dsiarhwprog;c:\windows\system32\Drivers\dsiarhwprog.sys [2007-02-08 29184]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-07-03 30192]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 135664]
R3 PAC207;PC Camer@;c:\windows\system32\DRIVERS\PFC027.SYS [2007-06-12 508416]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [2009-08-27 16168]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [2008-03-03 16384]
S2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [2008-06-02 24576]
S2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2009-11-24 4497704]
S2 WTouchService;WTouch Service;c:\program files\WTouch\WTouchService.exe [2009-11-24 113448]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2008-05-31 93968]
S3 netr28;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr28.sys [2008-07-01 388096]
S3 WacomVTHid;Virtual Touch Driver;c:\windows\system32\DRIVERS\WacomVTHid.sys [2009-07-09 13480]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
xmlpros REG_MULTI_SZ XMLProvS
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 21:25]
.
2011-12-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 21:25]
.
2011-12-16 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-08-04 18:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=0109&m=aspire_4730z
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=127.0.0.1:60121
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Emi\AppData\Roaming\Mozilla\Firefox\Profiles\wpxffyqg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.goodsearch.com/?charityid=845878
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 60121
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA} - c:\users\Emi\AppData\Local\Temp\viu.dll
HKCU-Run-sjinrxjq - c:\users\Emi\AppData\Local\cjappmyep\vjyfcuruqiw.exe
HKLM-Run-eRecoveryService - (no file)
AddRemove-_{53A908D4-99C6-469B-BC13-F4189F260742} - c:\program files\Corel\Corel Painter Essentials 4\MSILauncher {53A908D4-99C6-469B-BC13-F4189F260742}
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-18 08:40
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2011-12-18 08:45:23
ComboFix-quarantined-files.txt 2011-12-18 13:45
.
Pre-Run: 18,571,898,880 bytes free
Post-Run: 19,853,762,560 bytes free
.
- - End Of File - - 98EEEB216CED56CD93D0A810B5EBAA73



Anything look off?
Thanks so much!
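
Reading logs like the ones above by eye is slow and error-prone. The following is an added example (my own Python, not a tool from this thread and not part of ComboFix or FRST) that scans ComboFix- and FRST-style lines for the kinds of leftovers a rogue antivirus infection commonly leaves behind: a browser proxy pointing at 127.0.0.1, autorun entries launched from user-writable folders such as AppData\Local, service or run entries whose binary can no longer be found (FRST marks these with [x]), and hidden or zero-byte data files with random-looking names under ProgramData or AppData. The sample lines are constructed from the entries quoted in this thread, including the FRST format that appears later in it; the heuristics (stem length, attribute flags, the folder lists) are my own assumptions and are meant to shortlist lines for a human, not to declare anything malicious.

```python
"""Shortlist suspicious lines in ComboFix / FRST style logs (added example, not a thread tool)."""
import re
from pathlib import PureWindowsPath
from typing import List, Tuple

# Constructed sample: lines modelled on the ComboFix and FRST entries quoted in this thread,
# plus a few benign entries so the heuristics have something to ignore.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:60121
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.type - 0
HKCU-Run-sjinrxjq - c:\users\Emi\AppData\Local\cjappmyep\vjyfcuruqiw.exe
ShellIconOverlayIdentifiers-{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA} - c:\users\Emi\AppData\Local\Temp\viu.dll
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [136216 2010-08-25] (Intel Corporation)
2 XMLProvS; C:\Windows\system32\xmlprw32.dll [x]
2 ACDaemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
2011-12-13 16:05 - 2011-12-13 16:09 - 0010780 __ASH C:\ProgramData\7d46il4s71x770
2011-12-16 12:28 - 2011-12-16 12:28 - 0000000 ____A C:\ProgramData\hYQHU2J3.dat
2011-11-06 13:43 - 2009-12-18 13:38 - 0106312 ____A C:\Windows\System32\GDIPFONTCACHEV1.DAT
"""

# IE "ProxyServer = http=127.0.0.1:port" (ComboFix) or Firefox "network.proxy.http - 127.0.0.1".
LOOPBACK_PROXY = re.compile(
    r"(?:ProxyServer\s*=\s*(?:\w+=)?|network\.proxy\.\w+ - )(?:127\.0\.0\.1|localhost)\b", re.I)

# FRST file line: created - modified - size attrs [(company)] path
FRST_FILE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - (\d+) (\S{5}) (?:\([^)]*\) )?(.+)$")

# Heuristic lists (assumptions): where autoruns are listed, and which folders any user can write to.
AUTORUN_MARKERS = ("run-", "\\run:", "shelliconoverlayidentifiers", "appinit_dlls")
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\programdata\\", "\\temp\\")
DATA_DIRS = ("\\programdata\\", "\\all users\\", "\\appdata\\")


def looks_random(stem: str) -> bool:
    """Crude 'generated name' test: 8+ chars mixing letters and digits, no separators."""
    return (len(stem) >= 8
            and any(c.isdigit() for c in stem)
            and any(c.isalpha() for c in stem)
            and not any(c in "-_ ." for c in stem))


def suspicious_data_file(size: int, attrs: str, path: str) -> bool:
    """Hidden/system or zero-byte, extensionless or .dat file with a random name in a data folder."""
    p = PureWindowsPath(path)
    in_data_dir = any(d in path.lower() for d in DATA_DIRS)
    hidden_or_system = "H" in attrs or "S" in attrs
    return (in_data_dir
            and looks_random(p.stem)
            and p.suffix.lower() in ("", ".dat")
            and (hidden_or_system or size == 0))


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (category, line) pairs for lines worth a second look, in log order."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()
        if LOOPBACK_PROXY.search(line):
            findings.append(("loopback-proxy", line))
        elif line.endswith("[x]"):                      # FRST: binary referenced but not found
            findings.append(("missing-binary", line))
        elif any(m in low for m in AUTORUN_MARKERS) and any(d in low for d in USER_WRITABLE):
            findings.append(("autorun-user-writable", line))
        else:
            m = FRST_FILE.match(line)
            if m and suspicious_data_file(int(m.group(1)), m.group(2), m.group(3)):
                findings.append(("random-data-file", line))
    return findings


if __name__ == "__main__":
    for category, line in triage(SAMPLE_LOG):
        print(f"{category:22} {line}")
```

Two points about reading the output against the ComboFix log above. The Firefox entry is flagged even though `network.proxy.type - 0` means Firefox is set to a direct connection, so that stale proxy value is dormant; the Internet Explorer `ProxyServer` value is the one that matters system-wide, and this excerpt does not show whether it is enabled. A `[x]` entry only tells you that the tool could not find the file the entry points at; it is a reason to look, not a verdict.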

#6 JSntgRvr (Master Surgeon General, Malware Response Team, 11,828 posts, Puerto Rico)

Posted 19 December 2011 - 12:03 PM

I got it loaded! The problem only happens when I try to log in to my account-- my dad thinks something in my startup folder has a problem. I'm currently using his account.


The Startup folder or your profile is corrupted.

Are other profiles affected?
Emi
Samuel
Neil
Lisa



Does your profile have Administrative rights? Are you able to run Combofix under your profile even if it is in Safe Mode? If you do, post its report.

Edited by JSntgRvr, 19 December 2011 - 12:05 PM.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#7 egerren (Topic Starter, Members, 22 posts)

Posted 19 December 2011 - 02:20 PM

The problem only started after I ran ComboFix; I'm a little scared things will get worse if I run it again D: Is there something else I can do?

Neil is not affected; I will check Lisa and Sam.

#8 JSntgRvr (Master Surgeon General, Malware Response Team, 11,828 posts, Puerto Rico)

Posted 19 December 2011 - 03:02 PM

The report above indicates Combofix was run just once under the profile Emi. Was Combofix removed after running it while in your profile? Which of the above is your profile? Let's run FRST. You will need a flash drive.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the flash drive. Please copy and paste it to your reply.



#9 egerren (Topic Starter, Members, 22 posts)

Posted 19 December 2011 - 05:42 PM

ComboFix is still on my profile, Emi.

Here ya go!

Scan result of Farbars's Recovery Tool (FRST written by farbar) Version 2.3.0
Ran by SYSTEM at 2011-12-19 17:34:32
Running from F:\
Windows Vista ™ Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
HKLM\...\Run: [eDataSecurity Loader] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe [526896 2008-07-29] (Egis Incorporated)
HKLM\...\Run: [BkupTray] "C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [28672 2008-04-25] ()
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [34672 2008-06-12] (Adobe Systems Incorporated)
HKLM\...\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe [850440 2008-07-02] (Dritek System Inc.)
HKLM\...\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe [159744 2007-07-21] (Alps Electric Co., Ltd.)
HKLM\...\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup [30192 2010-07-02] (Google)
HKLM\...\Run: [ePower_DMC] C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe [405504 2008-08-01] (Acer Inc.)
HKLM\...\Run: [Acer Assist Launcher] C:\Program Files\Acer\Acer Assist\launcher.exe [1261568 2007-11-19] ()
HKLM\...\Run: [Acer Product Registration] "C:\Program Files\Acer\Acer Registration\ACE1.exe" /startup [3387392 2007-11-26] (Leader Technologies)
HKLM\...\Run: [EarthLink Installer] " /C [x]
HKLM\...\Run: [Monitor] C:\Windows\PixArt\PAC207\Monitor.exe [319488 2006-11-03] (PixArt Imaging Incorporation)
HKLM\...\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [207360 2010-03-18] (ArcSoft Inc.)
HKLM\...\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot [198160 2010-01-13] (RealNetworks, Inc.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2010-08-10] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421160 2010-09-01] (Apple Inc.)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [136216 2010-08-25] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [171032 2010-08-25] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [170520 2010-08-25] (Intel Corporation)
HKU\Default\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [x]
HKU\Default User\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [x]
HKU\Emi\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [68856 2009-03-04] (Google Inc.)
HKU\Emi\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-20] (Microsoft Corporation)
HKU\Lisa\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [68856 2009-03-04] (Google Inc.)
HKU\Lisa\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-20] (Microsoft Corporation)
HKU\Neil\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [x]
HKU\Neil\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [68856 2009-03-04] (Google Inc.)
HKU\Neil\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-20] (Microsoft Corporation)
HKU\Neil\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-20] (Microsoft Corporation)
HKU\Samuel\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [68856 2009-03-04] (Google Inc.)
HKU\Samuel\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-20] (Microsoft Corporation)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
Tcpip\..\Interfaces\{C966F92B-F884-40CE-8096-7E5FAFC26918}: [NameServer]192.168.1.254

================================ Services (Whitelisted) ==================

2 ACDaemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
2 AgereModemAudio; C:\Windows\system32\agrsmsvc.exe [13312 2008-03-18] (Agere Systems)
2 BUNAgentSvc; "C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe" [16384 2008-03-03] (NewTech Infosystems, Inc.)
2 eDataSecurity Service; "C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe" [500784 2008-07-29] (Egis Incorporated)
2 ETService; C:\Program Files\Acer\Empowering Technology\Service\ETService.exe [24576 2008-06-02] ()
3 GoogleDesktopManager-051210-111108; "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [30192 2010-07-02] (Google)
2 MobilityService; C:\Acer\Mobility Center\MobilityService.exe -p [110592 2007-12-06] ()
2 MSSQL$SOSHOME309; "C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSOSHOME309 [29184016 2008-08-05] (Microsoft Corporation)
4 MSSQLServerADHelper; "C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe" [45272 2005-10-13] (Microsoft Corporation)
2 NTIBackupSvc; C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [45056 2008-04-25] (NewTech InfoSystems, Inc.)
2 NTISchedulerSvc; C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [131072 2008-04-25] ()
2 SQLBrowser; "C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe" [242544 2007-02-10] (Microsoft Corporation)
2 SQLWriter; "C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [89968 2007-02-10] (Microsoft Corporation)
2 TabletServicePen; C:\Windows\system32\Pen_Tablet.exe [4497704 2009-11-23] (Wacom Technology, Corp.)
2 WTouchService; C:\Program Files\WTouch\WTouchService.exe [113448 2009-11-23] (Wacom Technology, Corp.)
2 XMLProvS; C:\Windows\system32\xmlprw32.dll [x]

========================== Drivers (Whitelisted) =============

3 Afc; C:\Windows\System32\drivers\Afc.sys [18688 2006-11-10] (Arcsoft, Inc.)
3 AgereSoftModem; C:\Windows\System32\DRIVERS\AGRSM.sys [1202560 2008-02-29] (Agere Systems)
3 ApfiltrService; C:\Windows\System32\DRIVERS\Apfiltr.sys [166960 2008-02-18] (Alps Electric Co., Ltd.)
3 DKbFltr; C:\Windows\System32\DRIVERS\DKbFltr.sys [21264 2006-11-02] (Dritek System Inc.)
3 Dot4Scan; C:\Windows\System32\DRIVERS\Dot4Scan.sys [10752 2008-01-20] (Microsoft Corporation)
1 DritekPortIO; \??\C:\PROGRA~1\LAUNCH~1\DPortIO.sys [20112 2006-11-02] (Dritek System Inc.)
3 dsiarhwprog; C:\Windows\System32\Drivers\dsiarhwprog.sys [29184 2007-02-08] (Thesycon GmbH, Germany)
3 FTDIBUS; C:\Windows\System32\drivers\ftdibus.sys [57672 2009-02-17] (FTDI Ltd.)
3 FTSER2K; C:\Windows\System32\drivers\ftser2k.sys [72520 2009-02-17] (FTDI Ltd.)
2 int15; \??\C:\Windows\system32\drivers\int15.sys [15392 2008-06-02] (Acer, Inc.)
3 JMCR; C:\Windows\System32\DRIVERS\jmcr.sys [93968 2008-05-30] (JMicron Technology Corp.)
4 Mraid35x; C:\Windows\System32\drivers\mraid35x.sys [33384 2006-11-02] (LSI Logic Corporation)
3 netr28; C:\Windows\System32\DRIVERS\netr28.sys [388096 2008-07-01] (Ralink Technology, Corp.)
3 NTIDrvr; C:\Windows\System32\DRIVERS\NTIDrvr.sys [14848 2008-01-30] (NewTech Infosystems, Inc.)
3 PAC207; C:\Windows\System32\DRIVERS\PFC027.SYS [508416 2007-06-12] (PixArt Imaging Inc.)
0 PSDFilter; C:\Windows\System32\DRIVERS\psdfilter.sys [18992 2008-07-29] (Egis Incorporated)
2 PSDNServ; C:\Windows\System32\DRIVERS\PSDNServ.sys [16944 2008-07-29] (Egis Incorporated)
2 psdvdisk; C:\Windows\System32\DRIVERS\PSDVdisk.sys [60464 2008-07-29] (Egis Incorporated)
3 RTL8169; C:\Windows\System32\DRIVERS\Rtlh86.sys [142848 2009-01-20] (Realtek Corporation )
4 SiSRaid2; C:\Windows\System32\drivers\sisraid2.sys [41016 2008-01-20] (Microsoft Corporation)
0 UBHelper; C:\Windows\System32\Drivers\UBHelper.sys [13824 2008-01-30] (NewTech Infosystems Corporation)
4 UlSata; C:\Windows\System32\drivers\ulsata.sys [98408 2006-11-02] (Promise Technology, Inc.)
4 ulsata2; C:\Windows\System32\drivers\ulsata2.sys [115816 2008-01-20] (Promise Technology, Inc.)
3 WacomVTHid; C:\Windows\System32\DRIVERS\WacomVTHid.sys [13480 2009-07-09] (Wacom Technology)
2 ASPI32; [x]
3 catchme; \??\C:\Users\Emi\AppData\Local\Temp\catchme.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2011-12-19 17:34 - 2011-12-19 17:34 - 0000000 ____D C:\FRST
2011-12-19 10:38 - 2011-12-19 10:56 - 0029696 ____A C:\Users\Neil\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2011-12-18 13:24 - 2011-12-18 13:27 - 0000000 ____D C:\Windows\System32\oldcatroot2
2011-12-18 13:02 - 2011-12-18 13:08 - 0000000 ____D C:\Windows\System32\CatRoot2_2011121816911
2011-12-18 12:48 - 2011-12-18 12:53 - 0000000 ____D C:\Windows\System32\CatRoot2_2011121815580
2011-12-18 12:40 - 2011-12-18 12:40 - 0673280 ____A C:\Users\Neil\Downloads\MicrosoftFixit50528.msi
2011-12-18 11:49 - 2011-12-18 11:49 - 0000000 ____D C:\Users\Neil\AppData\Roaming\WTouch
2011-12-18 11:49 - 2011-12-18 11:49 - 0000000 ____D C:\Users\Neil\AppData\Roaming\WTablet
2011-12-18 11:48 - 2011-12-19 14:29 - 2072039424 __ASH C:\hiberfil.sys
2011-12-18 11:27 - 2011-12-18 11:27 - 0028561 ____A C:\Users\Emi\Desktop\sfcdetails.txt
2011-12-18 11:06 - 2011-12-18 11:46 - 0524288 ____A C:\Windows\SPInstall.etl
2011-12-18 09:53 - 2011-12-18 09:54 - 0141064 ____A C:\Windows\Minidump\Mini121811-04.dmp
2011-12-18 09:34 - 2011-12-18 09:34 - 0141064 ____A C:\Windows\Minidump\Mini121811-03.dmp
2011-12-18 09:33 - 2011-12-18 09:33 - 0141064 ____A C:\Windows\Minidump\Mini121811-02.dmp
2011-12-18 09:31 - 2011-12-18 09:53 - 178968353 ____A C:\Windows\MEMORY.DMP
2011-12-18 09:31 - 2011-12-18 09:31 - 0141080 ____A C:\Windows\Minidump\Mini121811-01.dmp
2011-12-18 05:46 - 2011-12-18 05:46 - 0011543 ____A C:\Users\Emi\Desktop\combofixlog.txt
2011-12-18 05:45 - 2011-12-18 11:49 - 0000000 __SHD C:\$RECYCLE.BIN
2011-12-18 05:45 - 2011-12-18 05:45 - 0011543 ____A C:\ComboFix.txt
2011-12-18 05:40 - 2011-12-18 05:40 - 0000027 ____A C:\Windows\System32\Drivers\etc\hosts
2011-12-17 16:30 - 2011-12-18 05:42 - 0000000 ____D C:\Windows\ERDNT
2011-12-17 16:30 - 2011-06-25 22:45 - 0256000 ____A C:\Windows\PEV.exe
2011-12-17 16:30 - 2010-11-07 09:20 - 0208896 ____A C:\Windows\MBR.exe
2011-12-17 16:30 - 2009-04-19 20:56 - 0060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2011-12-17 16:30 - 2000-08-30 16:00 - 0518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2011-12-17 16:30 - 2000-08-30 16:00 - 0406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2011-12-17 16:30 - 2000-08-30 16:00 - 0098816 ____A C:\Windows\sed.exe
2011-12-17 16:30 - 2000-08-30 16:00 - 0080412 ____A C:\Windows\grep.exe
2011-12-17 16:30 - 2000-08-30 16:00 - 0068096 ____A C:\Windows\zip.exe
2011-12-17 16:29 - 2011-12-18 05:45 - 0000000 ____D C:\ComboFix
2011-12-17 15:45 - 2011-12-18 05:45 - 0000000 ____D C:\Qoobox
2011-12-17 15:43 - 2011-12-17 15:43 - 4342123 ___RA (Swearware) C:\Users\Emi\Desktop\ComboFix.exe
2011-12-17 10:15 - 2011-12-17 10:15 - 0016903 ____A C:\Users\Emi\Desktop\DDS.txt
2011-12-17 10:15 - 2011-12-17 10:15 - 0005109 ____A C:\Users\Emi\Desktop\Attach.txt
2011-12-17 09:59 - 2011-12-17 09:59 - 0607260 ___RA (Swearware) C:\Users\Emi\Downloads\dds.scr
2011-12-16 12:28 - 2011-12-16 12:28 - 0000000 ____A C:\Users\All Users\hYQHU2J3.dat
2011-12-16 12:28 - 2011-12-16 12:28 - 0000000 ____A C:\Users\All Users\Application Data\hYQHU2J3.dat
2011-12-16 12:28 - 2011-12-16 12:28 - 0000000 ____A C:\ProgramData\hYQHU2J3.dat
2011-12-16 10:21 - 2011-12-16 10:21 - 0395875 ____A C:\Users\Emi\Downloads\MiniToolBox.exe
2011-12-16 10:18 - 2011-12-16 10:18 - 0109937 ____A C:\Users\Emi\Desktop\gmer.log
2011-12-15 17:05 - 2011-12-15 17:05 - 0000000 ____A C:\Windows\setuperr.log
2011-12-15 17:05 - 2011-12-15 17:05 - 0000000 ____A C:\Windows\setupact.log
2011-12-15 13:14 - 2011-12-15 13:14 - 0869194 ____A C:\Users\Emi\Downloads\SecurityCheck.exe
2011-12-15 09:33 - 2011-12-15 09:33 - 0245429 ____A C:\Users\Emi\Desktop\Screenshot.jpg
2011-12-14 08:13 - 2011-12-14 08:13 - 0103365 ____A C:\Windows\System32\itusbcore.dat
2011-12-14 08:13 - 2011-12-14 08:13 - 0000197 ____A C:\Windows\System32\itlsvc.dat
2011-12-13 16:05 - 2011-12-13 16:09 - 0010780 __ASH C:\Users\Emi\AppData\Local\7d46il4s71x770
2011-12-13 16:05 - 2011-12-13 16:09 - 0010780 __ASH C:\Users\All Users\Application Data\7d46il4s71x770
2011-12-13 16:05 - 2011-12-13 16:09 - 0010780 __ASH C:\Users\All Users\7d46il4s71x770
2011-12-13 16:05 - 2011-12-13 16:09 - 0010780 __ASH C:\ProgramData\7d46il4s71x770
2011-12-11 12:26 - 2011-12-11 18:30 - 0013872 ____A C:\Users\Emi\Documents\Basic Japanese.docx
2011-12-07 13:41 - 2011-12-17 09:52 - 0000000 ____D C:\Users\Emi\AppData\Roaming\WTablet
2011-12-07 13:41 - 2011-12-07 13:41 - 0000000 ____D C:\Users\Emi\AppData\Roaming\WTouch
2011-12-07 09:20 - 2011-12-07 09:20 - 0000000 ____D C:\Users\Emi\Documents\Misc PDFs
2011-12-07 09:15 - 2011-12-07 09:45 - 0000000 ____D C:\Users\Emi\Documents\Audio Recordings
2011-12-04 18:24 - 2011-12-04 18:24 - 0239473 ____A C:\Users\Emi\Desktop\AsuComments.docx
2011-12-03 19:16 - 2011-12-06 15:20 - 0182980 ____A C:\Users\Emi\Desktop\Quicksilver.docx
2011-11-25 12:43 - 2011-11-25 12:43 - 7436772 ____A C:\Users\Emi\Desktop\FamilyPicture.jpg
2011-11-25 08:00 - 2011-12-07 10:16 - 0181889 ____A C:\Users\Emi\Desktop\breathetweaked.docx
2011-11-22 11:14 - 2011-11-22 11:14 - 0002077 ____A C:\Users\Public\Desktop\Google Earth.lnk
2011-11-21 08:00 - 2011-11-21 08:00 - 0000162 ___AH C:\Users\Emi\Documents\~$panese Topics.docx
2011-11-21 07:47 - 2011-11-21 07:47 - 0000162 ___AH C:\Users\Emi\Desktop\~$????.docx
2011-11-21 06:57 - 2011-11-21 06:57 - 0000162 ___AH C:\Users\Emi\Desktop\~$reathe.docx
2011-11-20 14:12 - 2011-11-20 14:12 - 0000000 ____A C:\Windows\ViewNX.INI
2011-11-20 13:57 - 2011-11-20 13:57 - 0000000 ____D C:\Users\Emi\AppData\Roaming\Nikon

============ 3 Months Modified Files and Folders ===============

2011-12-19 17:34 - 2011-12-19 17:34 - 0000000 ____D C:\FRST
2011-12-19 14:29 - 2011-12-18 11:48 - 2072039424 __ASH C:\hiberfil.sys
2011-12-19 14:29 - 2009-01-28 07:26 - 0000000 ____A C:\Windows\System32\LogConfigTemp.xml
2011-12-19 14:29 - 2008-08-18 18:25 - 0000147 ____A C:\Windows\System32\agent.log
2011-12-19 14:29 - 2008-01-20 18:47 - 9808030 ____A C:\Windows\PFRO.log
2011-12-19 14:29 - 2006-11-02 05:01 - 0032608 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2011-12-19 14:29 - 2006-11-02 05:01 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2011-12-19 14:29 - 2006-11-02 04:47 - 0003216 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2011-12-19 14:29 - 2006-11-02 04:47 - 0003216 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2011-12-19 14:26 - 2009-01-28 07:05 - 1287028 ____A C:\Windows\WindowsUpdate.log
2011-12-19 14:12 - 2006-11-02 02:33 - 0769196 ____A C:\Windows\System32\PerfStringBackup.INI
2011-12-19 14:09 - 2010-05-07 08:25 - 0000880 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2011-12-19 10:56 - 2011-12-19 10:38 - 0029696 ____A C:\Users\Neil\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2011-12-19 10:56 - 2009-08-31 15:44 - 0000000 ____D C:\Users\Neil\AppData\Local\Adobe
2011-12-19 10:43 - 2009-03-06 15:36 - 0000000 ____D C:\Users\Neil\AppData\Roaming\Adobe
2011-12-18 14:59 - 2010-08-29 13:54 - 0000440 ____A C:\Windows\Tasks\ParetoLogic Registration3.job
2011-12-18 13:46 - 2010-02-02 13:26 - 0000876 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2011-12-18 13:27 - 2011-12-18 13:24 - 0000000 ____D C:\Windows\System32\oldcatroot2
2011-12-18 13:09 - 2009-12-05 18:06 - 0000000 ____D C:\Config.Msi
2011-12-18 13:08 - 2011-12-18 13:02 - 0000000 ____D C:\Windows\System32\CatRoot2_2011121816911
2011-12-18 12:53 - 2011-12-18 12:48 - 0000000 ____D C:\Windows\System32\CatRoot2_2011121815580
2011-12-18 12:50 - 2009-03-06 15:35 - 0000000 ____D C:\Users\Neil\AppData\Local\Google
2011-12-18 12:40 - 2011-12-18 12:40 - 0673280 ____A C:\Users\Neil\Downloads\MicrosoftFixit50528.msi
2011-12-18 11:49 - 2011-12-18 11:49 - 0000000 ____D C:\Users\Neil\AppData\Roaming\WTouch
2011-12-18 11:49 - 2011-12-18 11:49 - 0000000 ____D C:\Users\Neil\AppData\Roaming\WTablet
2011-12-18 11:49 - 2011-12-18 05:45 - 0000000 __SHD C:\$RECYCLE.BIN
2011-12-18 11:46 - 2011-12-18 11:06 - 0524288 ____A C:\Windows\SPInstall.etl
2011-12-18 11:46 - 2010-09-12 17:30 - 1153814 ____A C:\Windows\ntbtlog.txt
2011-12-18 11:27 - 2011-12-18 11:27 - 0028561 ____A C:\Users\Emi\Desktop\sfcdetails.txt
2011-12-18 11:19 - 2011-06-15 15:52 - 0273408 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\afd.sys
2011-12-18 11:19 - 2009-12-22 19:16 - 0001356 ____A C:\Users\Emi\AppData\Local\d3d9caps.dat
2011-12-18 09:54 - 2011-12-18 09:53 - 0141064 ____A C:\Windows\Minidump\Mini121811-04.dmp
2011-12-18 09:53 - 2011-12-18 09:31 - 178968353 ____A C:\Windows\MEMORY.DMP
2011-12-18 09:53 - 2009-08-16 12:57 - 0000000 ____D C:\Windows\Minidump
2011-12-18 09:34 - 2011-12-18 09:34 - 0141064 ____A C:\Windows\Minidump\Mini121811-03.dmp
2011-12-18 09:33 - 2011-12-18 09:33 - 0141064 ____A C:\Windows\Minidump\Mini121811-02.dmp
2011-12-18 09:31 - 2011-12-18 09:31 - 0141080 ____A C:\Windows\Minidump\Mini121811-01.dmp
2011-12-18 05:46 - 2011-12-18 05:46 - 0011543 ____A C:\Users\Emi\Desktop\combofixlog.txt
2011-12-18 05:45 - 2011-12-18 05:45 - 0011543 ____A C:\ComboFix.txt
2011-12-18 05:45 - 2011-12-17 16:29 - 0000000 ____D C:\ComboFix
2011-12-18 05:45 - 2011-12-17 15:45 - 0000000 ____D C:\Qoobox
2011-12-18 05:45 - 2006-11-02 03:18 - 0000000 ___RD C:\users\Public
2011-12-18 05:45 - 2006-11-02 03:18 - 0000000 ___RD C:\users\Default
2011-12-18 05:42 - 2011-12-17 16:30 - 0000000 ____D C:\Windows\ERDNT
2011-12-18 05:40 - 2011-12-18 05:40 - 0000027 ____A C:\Windows\System32\Drivers\etc\hosts
2011-12-18 05:40 - 2006-11-02 02:23 - 0000215 ____A C:\Windows\system.ini
2011-12-18 05:16 - 2008-08-18 18:07 - 0000000 ____D C:\Users\All Users\McAfee
2011-12-18 05:16 - 2008-08-18 18:07 - 0000000 ____D C:\Users\All Users\Application Data\McAfee
2011-12-18 05:16 - 2008-08-18 18:07 - 0000000 ____D C:\ProgramData\McAfee
2011-12-18 05:16 - 2008-08-18 18:07 - 0000000 ____D C:\Program Files\McAfee
2011-12-18 05:16 - 2008-08-18 18:07 - 0000000 ____D C:\Program Files\Common Files\McAfee
2011-12-18 05:01 - 2006-11-02 03:18 - 0000000 ___DC C:\Windows\$NtUninstallKB59234$
2011-12-17 16:29 - 2009-06-23 18:20 - 0000000 ____D C:\Program Files\Mozilla Firefox
2011-12-17 15:43 - 2011-12-17 15:43 - 4342123 ___RA (Swearware) C:\Users\Emi\Desktop\ComboFix.exe
2011-12-17 10:15 - 2011-12-17 10:15 - 0016903 ____A C:\Users\Emi\Desktop\DDS.txt
2011-12-17 10:15 - 2011-12-17 10:15 - 0005109 ____A C:\Users\Emi\Desktop\Attach.txt
2011-12-17 09:59 - 2011-12-17 09:59 - 0607260 ___RA (Swearware) C:\Users\Emi\Downloads\dds.scr
2011-12-17 09:52 - 2011-12-07 13:41 - 0000000 ____D C:\Users\Emi\AppData\Roaming\WTablet
2011-12-16 12:55 - 2009-03-05 15:31 - 0000000 ____D C:\Windows\PixArt
2011-12-16 12:28 - 2011-12-16 12:28 - 0000000 ____A C:\Users\All Users\hYQHU2J3.dat
2011-12-16 12:28 - 2011-12-16 12:28 - 0000000 ____A C:\Users\All Users\Application Data\hYQHU2J3.dat
2011-12-16 12:28 - 2011-12-16 12:28 - 0000000 ____A C:\ProgramData\hYQHU2J3.dat
2011-12-16 10:21 - 2011-12-16 10:21 - 0395875 ____A C:\Users\Emi\Downloads\MiniToolBox.exe
2011-12-16 10:18 - 2011-12-16 10:18 - 0109937 ____A C:\Users\Emi\Desktop\gmer.log
2011-12-15 18:02 - 2009-03-05 08:45 - 0042496 ____A C:\Users\Emi\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2011-12-15 17:05 - 2011-12-15 17:05 - 0000000 ____A C:\Windows\setuperr.log
2011-12-15 17:05 - 2011-12-15 17:05 - 0000000 ____A C:\Windows\setupact.log
2011-12-15 13:31 - 2006-11-02 03:18 - 0000000 ___SD C:\Windows\Downloaded Program Files
2011-12-15 13:14 - 2011-12-15 13:14 - 0869194 ____A C:\Users\Emi\Downloads\SecurityCheck.exe
2011-12-15 13:12 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\CatRoot2_20111218154346
2011-12-15 12:52 - 2006-11-02 02:24 - 52988224 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2011-12-15 09:33 - 2011-12-15 09:33 - 0245429 ____A C:\Users\Emi\Desktop\Screenshot.jpg
2011-12-14 18:49 - 2009-03-04 17:40 - 0000000 ____D C:\Users\Emi\AppData\Local\Google
2011-12-14 18:48 - 2010-09-11 04:32 - 0000419 ____A C:\rkill.log
2011-12-14 14:07 - 2010-08-17 10:44 - 0000000 ____A C:\Windows\System32\Pen_Tablet.dat
2011-12-14 13:14 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\system
2011-12-14 08:13 - 2011-12-14 08:13 - 0103365 ____A C:\Windows\System32\itusbcore.dat
2011-12-14 08:13 - 2011-12-14 08:13 - 0000197 ____A C:\Windows\System32\itlsvc.dat
2011-12-13 16:09 - 2011-12-13 16:05 - 0010780 __ASH C:\Users\Emi\AppData\Local\7d46il4s71x770
2011-12-13 16:09 - 2011-12-13 16:05 - 0010780 __ASH C:\Users\All Users\Application Data\7d46il4s71x770
2011-12-13 16:09 - 2011-12-13 16:05 - 0010780 __ASH C:\Users\All Users\7d46il4s71x770
2011-12-13 16:09 - 2011-12-13 16:05 - 0010780 __ASH C:\ProgramData\7d46il4s71x770
2011-12-12 17:09 - 2011-11-17 11:53 - 0012728 ____A C:\Users\Emi\Desktop\????.docx
2011-12-12 08:42 - 2010-06-23 05:07 - 0000000 ____D C:\Users\Emi\Documents\Stories
2011-12-12 08:33 - 2010-10-03 17:40 - 0000000 ____D C:\Users\Emi\Desktop\Icons
2011-12-11 19:11 - 2011-10-29 12:04 - 0019897 ____A C:\Users\Emi\Desktop\Breathe characters.docx
2011-12-11 18:30 - 2011-12-11 12:26 - 0013872 ____A C:\Users\Emi\Documents\Basic Japanese.docx
2011-12-10 06:31 - 2011-09-24 16:31 - 0000000 ____D C:\Program Files\Common Files\Blizzard Entertainment
2011-12-09 19:59 - 2011-09-22 13:40 - 0000000 ____D C:\Users\Emi\Desktop\breathe
2011-12-07 13:41 - 2011-12-07 13:41 - 0000000 ____D C:\Users\Emi\AppData\Roaming\WTouch
2011-12-07 10:16 - 2011-11-25 08:00 - 0181889 ____A C:\Users\Emi\Desktop\breathetweaked.docx
2011-12-07 09:46 - 2009-03-04 17:37 - 0000000 ____D C:\users\Emi
2011-12-07 09:45 - 2011-12-07 09:15 - 0000000 ____D C:\Users\Emi\Documents\Audio Recordings
2011-12-07 09:20 - 2011-12-07 09:20 - 0000000 ____D C:\Users\Emi\Documents\Misc PDFs
2011-12-06 15:20 - 2011-12-03 19:16 - 0182980 ____A C:\Users\Emi\Desktop\Quicksilver.docx
2011-12-06 09:42 - 2011-11-05 11:48 - 0000020 ____H C:\Users\All Users\PKP_DLdw.DAT
2011-12-06 09:42 - 2011-11-05 11:48 - 0000020 ____H C:\Users\All Users\Application Data\PKP_DLdw.DAT
2011-12-06 09:42 - 2011-11-05 11:48 - 0000020 ____H C:\ProgramData\PKP_DLdw.DAT
2011-12-05 18:09 - 2010-12-04 07:48 - 0000000 ____D C:\Users\Emi\Downloads\PaintToolSAI
2011-12-04 18:24 - 2011-12-04 18:24 - 0239473 ____A C:\Users\Emi\Desktop\AsuComments.docx
2011-12-04 11:50 - 2011-06-27 03:15 - 0414368 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2011-11-26 19:01 - 2011-11-01 04:09 - 0207575 ____A C:\Users\Emi\Desktop\breathe.docx
2011-11-25 12:43 - 2011-11-25 12:43 - 7436772 ____A C:\Users\Emi\Desktop\FamilyPicture.jpg
2011-11-22 11:14 - 2011-11-22 11:14 - 0002077 ____A C:\Users\Public\Desktop\Google Earth.lnk
2011-11-22 11:13 - 2009-01-28 07:23 - 0000000 ____D C:\Program Files\Google
2011-11-21 08:00 - 2011-11-21 08:00 - 0000162 ___AH C:\Users\Emi\Documents\~$panese Topics.docx
2011-11-21 07:47 - 2011-11-21 07:47 - 0000162 ___AH C:\Users\Emi\Desktop\~$????.docx
2011-11-21 06:57 - 2011-11-21 06:57 - 0000162 ___AH C:\Users\Emi\Desktop\~$reathe.docx
2011-11-20 14:12 - 2011-11-20 14:12 - 0000000 ____A C:\Windows\ViewNX.INI
2011-11-20 13:57 - 2011-11-20 13:57 - 0000000 ____D C:\Users\Emi\AppData\Roaming\Nikon
2011-11-14 15:02 - 2011-11-14 14:57 - 1839866 ____A C:\Users\Emi\Downloads\img012.jpg
2011-11-14 15:00 - 2011-11-14 14:57 - 2976124 ____A C:\Users\Emi\Downloads\img011.jpg
2011-11-14 14:59 - 2011-11-14 14:57 - 2774080 ____A C:\Users\Emi\Downloads\img010.jpg
2011-11-14 14:57 - 2011-11-14 14:57 - 0000000 ____D C:\Users\Emi\AppData\Roaming\WinRAR
2011-11-14 14:57 - 2011-11-14 14:56 - 0000000 ____D C:\Program Files\WinRAR
2011-11-14 14:56 - 2011-11-14 14:56 - 1448993 ____A C:\Users\Emi\Downloads\wrar401.exe
2011-11-14 14:54 - 2011-11-14 14:54 - 2556790 ____A C:\Users\Emi\Downloads\Pandora hearts - Lacie Music Box Piano (FULL).rar
2011-11-13 18:11 - 2011-11-13 18:11 - 0000000 ____D C:\Users\Lisa\AppData\Local\Unity
2011-11-13 18:11 - 2010-01-17 12:48 - 0000000 ____D C:\Users\Lisa\AppData\Roaming\Real
2011-11-13 17:13 - 2011-11-13 16:04 - 0015934 ____A C:\Users\Lisa\Documents\Toby had been wracking his brain as to where the missing watch and jewelry could be.docx
2011-11-10 18:10 - 2011-11-10 18:10 - 0000850 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2011-11-10 18:08 - 2011-11-10 18:08 - 14753912 ____A (Mozilla) C:\Users\Emi\Downloads\Firefox Setup 8.0.exe
2011-11-06 13:43 - 2009-12-18 13:38 - 0106312 ____A C:\Windows\System32\GDIPFONTCACHEV1.DAT
2011-11-06 13:42 - 2009-03-12 12:43 - 0008224 ____A C:\Users\Lisa\AppData\Local\GDIPFONTCACHEV1.DAT
2011-11-05 11:51 - 2011-11-05 11:51 - 0001830 ____A C:\Users\Public\Desktop\ViewNX.lnk
2011-11-05 11:51 - 2011-11-05 11:51 - 0000000 ____D C:\Program Files\Nikon
2011-11-05 11:51 - 2011-11-05 11:51 - 0000000 ____D C:\Program Files\Common Files\Nikon
2011-11-05 11:49 - 2011-11-05 11:49 - 0000000 ____D C:\Users\Emi\AppData\Local\PowerCinema
2011-11-05 11:48 - 2011-11-05 11:48 - 0000268 __RAH C:\Users\Emi\AppData\Roaming\Classical
2011-11-05 11:48 - 2011-11-05 11:48 - 0000268 ___RH C:\Users\All Users\ColorSync
2011-11-05 11:48 - 2011-11-05 11:48 - 0000268 ___RH C:\Users\All Users\Application Data\ColorSync
2011-11-05 11:48 - 2011-11-05 11:48 - 0000268 ___RH C:\ProgramData\ColorSync
2011-11-05 11:48 - 2011-11-05 11:48 - 0000012 ___RH C:\Users\All Users\Compressor
2011-11-05 11:48 - 2011-11-05 11:48 - 0000012 ___RH C:\Users\All Users\Application Data\Compressor
2011-11-05 11:48 - 2011-11-05 11:48 - 0000012 ___RH C:\ProgramData\Compressor
2011-11-05 11:48 - 2011-11-05 11:46 - 0000000 ____D C:\Users\All Users\Ultima_T15
2011-11-05 11:48 - 2011-11-05 11:46 - 0000000 ____D C:\Users\All Users\EnterNHelp
2011-11-05 11:48 - 2011-11-05 11:46 - 0000000 ____D C:\Users\All Users\Application Data\Ultima_T15
2011-11-05 11:48 - 2011-11-05 11:46 - 0000000 ____D C:\Users\All Users\Application Data\EnterNHelp
2011-11-05 11:48 - 2011-11-05 11:46 - 0000000 ____D C:\ProgramData\Ultima_T15
2011-11-05 11:48 - 2011-11-05 11:46 - 0000000 ____D C:\ProgramData\EnterNHelp
2011-11-05 11:46 - 2011-11-05 11:46 - 0000268 __RAH C:\Users\Emi\AppData\Roaming\Chorus
2011-11-05 11:46 - 2011-11-05 11:46 - 0000268 ___RH C:\Users\All Users\Clips
2011-11-05 11:46 - 2011-11-05 11:46 - 0000268 ___RH C:\Users\All Users\Application Data\Clips
2011-11-05 11:46 - 2011-11-05 11:46 - 0000268 ___RH C:\ProgramData\Clips
2011-11-05 11:46 - 2011-11-05 11:46 - 0000020 ____H C:\Users\All Users\PKP_DLdu.DAT
2011-11-05 11:46 - 2011-11-05 11:46 - 0000020 ____H C:\Users\All Users\Application Data\PKP_DLdu.DAT
2011-11-05 11:46 - 2011-11-05 11:46 - 0000020 ____H C:\ProgramData\PKP_DLdu.DAT
2011-11-05 11:46 - 2011-11-05 11:46 - 0000012 ___RH C:\Users\All Users\Command Line Utility
2011-11-05 11:46 - 2011-11-05 11:46 - 0000012 ___RH C:\Users\All Users\Application Data\Command Line Utility
2011-11-05 11:46 - 2011-11-05 11:46 - 0000012 ___RH C:\ProgramData\Command Line Utility
2011-11-04 13:43 - 2008-08-18 17:59 - 0000000 ____D C:\Program Files\InstallShield Installation Information
2011-11-04 13:20 - 2011-11-04 13:17 - 0000091 ____A C:\Users\All Users\PS.log
2011-11-04 13:20 - 2011-11-04 13:17 - 0000091 ____A C:\Users\All Users\Application Data\PS.log
2011-11-04 13:20 - 2011-11-04 13:17 - 0000091 ____A C:\ProgramData\PS.log
2011-11-04 13:20 - 2009-01-28 07:28 - 0000000 ____D C:\Users\All Users\CyberLink
2011-11-04 13:20 - 2009-01-28 07:28 - 0000000 ____D C:\Users\All Users\Application Data\CyberLink
2011-11-04 13:20 - 2009-01-28 07:28 - 0000000 ____D C:\ProgramData\CyberLink
2011-11-04 13:20 - 2009-01-28 07:28 - 0000000 ____D C:\Program Files\Acer Arcade Deluxe
2011-11-02 10:27 - 2009-03-04 17:39 - 0106312 ____A C:\Users\Emi\AppData\Local\GDIPFONTCACHEV1.DAT
2011-11-02 10:25 - 2006-11-02 04:47 - 0367376 ____A C:\Windows\System32\FNTCACHE.DAT
2011-10-18 11:27 - 2009-03-21 14:48 - 0000000 ____D C:\Users\Emi\AppData\Local\Adobe
2011-10-12 09:28 - 2011-10-12 09:27 - 0753480 ____A (Adobe Systems Incorporated) C:\Users\Emi\Downloads\install_flashplayer11x32_mssd_aih.exe
2011-10-12 05:17 - 2011-10-12 05:17 - 0684297 ____A C:\Users\Emi\Downloads\unhide.exe
2011-10-12 04:58 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\nap
2011-10-11 15:09 - 2010-09-11 04:24 - 0000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2011-09-30 09:31 - 2009-03-05 16:18 - 0039936 ____A C:\Users\Samuel\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2011-09-28 09:12 - 2011-09-27 06:56 - 0000579 ____A C:\Users\Samuel\Desktop\World of Warcraft.lnk
2011-09-24 16:59 - 2011-09-24 16:31 - 0000000 ____D C:\Users\All Users\Blizzard Entertainment
2011-09-24 16:59 - 2011-09-24 16:31 - 0000000 ____D C:\Users\All Users\Application Data\Blizzard Entertainment
2011-09-24 16:59 - 2011-09-24 16:31 - 0000000 ____D C:\ProgramData\Blizzard Entertainment
2011-09-24 16:25 - 2011-09-24 16:24 - 32157120 ____A C:\Users\Samuel\Downloads\WOW-4.0.0.12911-enUS-Trial.exe
2011-09-23 13:01 - 2011-09-14 11:56 - 0000000 ____D C:\Program Files\GameFly
2011-09-23 04:31 - 2009-03-05 07:48 - 0000000 ____D C:\Users\Samuel\AppData\Local\Google
2011-09-21 06:28 - 2009-03-12 12:43 - 0000000 ____D C:\Users\Lisa\AppData\Local\Google

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe
[2009-03-05 04:02] - [2008-10-28 22:29] - 2927104 ____A (Microsoft Corporation) 4F554999D7D5F05DAAEBBA7B5BA1089D

C:\Windows\System32\winlogon.exe
[2008-01-20 18:24] - [2008-01-20 18:24] - 0314880 ____A (Microsoft Corporation) C2610B6BDBEFC053BBDAB4F1B965CB24

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys
[2008-01-20 18:23] - [2008-01-20 18:23] - 0227896 ____A (Microsoft Corporation) D8B4A53DD2769F226B3EB374374987C9


========================= Memory info ======================

Percentage of memory in use: 12%
Total physical RAM: 1977.4 MB
Available physical RAM: 1729.63 MB
Total Pagefile: 1911.29 MB
Available Pagefile: 1790.71 MB
Total Virtual: 2047.88 MB
Available Virtual: 1983.72 MB

======================= Partitions =========================

1 Drive c: (ACER) (Fixed) (Total:111.44 GB) (Free:16.54 GB) NTFS ==>[System = boot components]
2 Drive d: (DATA) (Fixed) (Total:111.44 GB) (Free:47.37 GB) NTFS
4 Drive f: (LEXAR MEDIA) (Removable) (Total:0.12 GB) (Free:0.03 GB) FAT
5 Drive x: (PQSERVICE) (Fixed) (Total:10 GB) (Free:1.35 GB) NTFS ==>[System = boot components]

  Disk ###  Status      Size     Free     Dyn  Gpt
  --------  ----------  -------  -------  ---  ---
  Disk 0    Online       233 GB   619 KB
  Disk 1    Online       123 MB     0 B

Partitions of Disk 0:

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    OEM                 10 GB    32 KB
  Partition 2    Primary            111 GB    10 GB
  Partition 3    Primary            111 GB   121 GB

Disk: 0
Partition 2
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C   ACER         NTFS   Partition    111 GB  Healthy



==========================================================

Last Boot: 2011-12-18 13:51

======================= End Of Log ==========================

Edited by egerren, 19 December 2011 - 05:42 PM.


#10 JSntgRvr

Master Surgeon General
  • Malware Response Team
  • 11,828 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:04:11 PM

Posted 19 December 2011 - 07:09 PM

Download the enclosed file.

Save it in the USB drive.

Run FRST once again as you did before, except that this time around click on the Fix button and wait. If successful, FRST will create a report in the USB drive labeled, Fixlog.txt. Copy and paste the contents of this report in your next reply.

FRST will also create a folder in the USB drive labeled, Minidump. On a working computer, right click on the Minidump folder and select Send to, select "Compressed (zipped) folder". That should create a zipped folder in the USB drive. Please attach this folder in your next reply.

The contents in the Minidump folder may give us an idea of what may be causing the error message.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#11 egerren

Topic Starter
  • Members
  • 22 posts
  • OFFLINE
  • Local time:03:11 PM

Posted 20 December 2011 - 11:53 AM

Minidump is attached!
Fixlog:

Fix result of Farbars's Recovery Tool (FRST written by farbar Version 2.3.0)
Ran by SYSTEM at 2011-12-20 11:48:16 R:1
Running from F:\

==============================================

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\EarthLink Installer Value deleted successfully.
XMLProvS service deleted successfully.
C:\Users\Emi\AppData\Local\7d46il4s71x770 moved successfully.
C:\Users\All Users\Application Data\7d46il4s71x770 moved successfully.
C:\Users\All Users\7d46il4s71x770 not found.
C:\ProgramData\7d46il4s71x770 not found.
C:\Users\All Users\Application Data\hYQHU2J3.dat moved successfully.
C:\ProgramData\hYQHU2J3.dat not found.

========= Mkdir F:\Minidump =========


========= End of CMD: =========


========= Copy C:\Windows\Minidump\Mini121811-01.dmp F:\Minidump =========

1 file(s) copied.

========= End of CMD: =========


========= Copy C:\Windows\Minidump\Mini121811-02.dmp F:\Minidump =========

1 file(s) copied.

========= End of CMD: =========


========= Copy C:\Windows\Minidump\Mini121811-03.dmp F:\Minidump =========

1 file(s) copied.

========= End of CMD: =========


========= Copy C:\Windows\Minidump\Mini121811-04.dmp F:\Minidump =========

1 file(s) copied.

========= End of CMD: =========


==== End of Fixlog ====




#12 JSntgRvr

Master Surgeon General
  • Malware Response Team
  • 11,828 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:04:11 PM

Posted 20 December 2011 - 03:26 PM

There seems to be a conflict in memory. Let's see the contents of the C:\QooBox folder, which is Combofix's quarantine.

Download the enclosed file. Overwrite the existing one.

Save it in the USB drive.

Run FRST once again as you did before, except that this time around click on the Fix button and wait. If successful, FRST will create a report in the USB drive labeled, Fixlog.txt. Copy and paste the contents of this report in your next reply.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#13 egerren

Topic Starter
  • Members
  • 22 posts
  • OFFLINE
  • Local time:03:11 PM

Posted 20 December 2011 - 05:26 PM

Here you go!

Fix result of Farbars's Recovery Tool (FRST written by farbar Version 2.3.0)
Ran by SYSTEM at 2011-12-20 17:23:19 R:2
Running from F:\

==============================================


========= Dir /a c:\QooBox /s =========

Volume in drive C is ACER
Volume Serial Number is 00DD-FBF3

Directory of c:\QooBox

12/20/2011 12:52 PM <DIR> .
12/20/2011 12:52 PM <DIR> ..
12/18/2011 05:44 AM 4,248 Add-Remove Programs.txt
12/17/2011 04:33 PM <DIR> BackEnv
12/18/2011 05:45 AM 3,844 ComboFix-quarantined-files.txt
12/17/2011 04:33 PM <DIR> Quarantine
12/18/2011 05:43 AM 0 SnapShot@2011-12-18_13.40.59.dat
3 File(s) 8,092 bytes

Directory of c:\QooBox\Quarantine

12/17/2011 04:33 PM <DIR> .
12/17/2011 04:33 PM <DIR> ..
12/18/2011 05:38 AM <DIR> C
12/18/2011 05:22 AM 113 catchme.log
12/18/2011 05:44 AM <DIR> Registry_backups
1 File(s) 113 bytes

Directory of c:\QooBox\Quarantine\C

12/18/2011 05:38 AM <DIR> .
12/18/2011 05:38 AM <DIR> ..
12/18/2011 05:38 AM <DIR> Users
12/18/2011 05:01 AM <DIR> Windows
0 File(s) 0 bytes

Directory of c:\QooBox\Quarantine\C\Users

12/18/2011 05:38 AM <DIR> .
12/18/2011 05:38 AM <DIR> ..
12/18/2011 05:38 AM <DIR> Emi
12/18/2011 05:38 AM <DIR> Lisa
12/18/2011 05:38 AM <DIR> Samuel
0 File(s) 0 bytes

Directory of c:\QooBox\Quarantine\C\Users\Emi

12/18/2011 05:38 AM <DIR> .
12/18/2011 05:38 AM <DIR> ..
12/18/2011 05:38 AM <DIR> AppData
0 File(s) 0 bytes

Directory of c:\QooBox\Quarantine\C\Users\Emi\AppData

12/18/2011 05:38 AM <DIR> .
12/18/2011 05:38 AM <DIR> ..
12/18/2011 05:38 AM <DIR> Roaming
0 File(s) 0 bytes

Directory of c:\QooBox\Quarantine\C\Users\Emi\AppData\Roaming

12/18/2011 05:38 AM <DIR> .
12/18/2011 05:38 AM <DIR> ..
12/18/2011 05:38 AM <DIR> .#
12/18/2011 05:38 AM <DIR> Microsoft
0 File(s) 0 bytes

Directory of c:\QooBox\Quarantine\C\Users\Emi\AppData\Roaming\.#

12/18/2011 05:38 AM <DIR> .
12/18/2011 05:38 AM <DIR> ..
0 File(s) 0 bytes

Directory of c:\QooBox\Quarantine\C\Users\Emi\AppData\Roaming\Microsoft

12/18/2011 05:38 AM <DIR> .
12/18/2011 05:38 AM <DIR> ..
12/18/2011 05:38 AM <DIR> Windows
0 File(s) 0 bytes

Directory of c:\QooBox\Quarantine\C\Users\Emi\AppData\Roaming\Microsoft\Windows

12/18/2011 05:38 AM <DIR> .
12/18/2011 05:38 AM <DIR> ..
12/18/2011 05:38 AM <DIR> Start Menu
0 File(s) 0 bytes

Directory of c:\QooBox\Quarantine\C\Users\Emi\AppData\Roaming\Microsoft\Windows\Start Menu

12/18/2011 05:38 AM <DIR> .
12/18/2011 05:38 AM <DIR> ..
12/18/2011 05:38 AM <DIR> Programs
0 File(s) 0 bytes

Directory of c:\QooBox\Quarantine\C\Users\Emi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs

12/18/2011 05:38 AM <DIR> .
12/18/2011 05:38 AM <DIR> ..
12/18/2011 05:38 AM <DIR> System Restore
0 File(s) 0 bytes

Directory of c:\QooBox\Quarantine\C\Users\Emi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Restore

12/18/2011 05:38 AM <DIR> .
12/18/2011 05:38 AM <DIR> ..
10/11/2011 05:35 PM 649 System Restore.lnk.vir
10/11/2011 05:35 PM 721 Uninstall System Restore.lnk.vir
2 File(s) 1,370 bytes

Directory of c:\QooBox\Quarantine\C\Users\Lisa

12/18/2011 05:38 AM <DIR> .
12/18/2011 05:38 AM <DIR> ..
12/18/2011 05:38 AM <DIR> Documents
0 File(s) 0 bytes

Directory of c:\QooBox\Quarantine\C\Users\Lisa\Documents

12/18/2011 05:38 AM <DIR> .
12/18/2011 05:38 AM <DIR> ..
05/04/2010 06:23 AM 10,434 ~WRL0003.tmp.vir
05/11/2010 06:09 AM 11,353 ~WRL0004.tmp.vir
05/12/2010 06:19 AM 11,552 ~WRL0005.tmp.vir
3 File(s) 33,339 bytes

Directory of c:\QooBox\Quarantine\C\Users\Samuel

12/18/2011 05:38 AM <DIR> .
12/18/2011 05:38 AM <DIR> ..
12/18/2011 05:38 AM <DIR> AppData
0 File(s) 0 bytes

Directory of c:\QooBox\Quarantine\C\Users\Samuel\AppData

12/18/2011 05:38 AM <DIR> .
12/18/2011 05:38 AM <DIR> ..
12/18/2011 05:38 AM <DIR> Roaming
0 File(s) 0 bytes

Directory of c:\QooBox\Quarantine\C\Users\Samuel\AppData\Roaming

12/18/2011 05:38 AM <DIR> .
12/18/2011 05:38 AM <DIR> ..
12/18/2011 05:38 AM <DIR> .#
0 File(s) 0 bytes

Directory of c:\QooBox\Quarantine\C\Users\Samuel\AppData\Roaming\.#

12/18/2011 05:38 AM <DIR> .
12/18/2011 05:38 AM <DIR> ..
0 File(s) 0 bytes

Directory of c:\QooBox\Quarantine\C\Windows

12/18/2011 05:01 AM <DIR> .
12/18/2011 05:01 AM <DIR> ..
12/18/2011 05:01 AM <DIR> $NtUninstallKB59234$
0 File(s) 0 bytes

Directory of c:\QooBox\Quarantine\C\Windows\$NtUninstallKB59234$

12/18/2011 05:01 AM <DIR> .
12/18/2011 05:01 AM <DIR> ..
12/13/2011 04:14 PM <SYMLINK> 1350081819.vir [c:\windows\system32\config]
12/18/2011 05:01 AM <DIR> 2853653877
1 File(s) 0 bytes

Directory of c:\QooBox\Quarantine\C\Windows\$NtUninstallKB59234$\2853653877

12/18/2011 05:01 AM <DIR> .
12/18/2011 05:01 AM <DIR> ..
12/13/2011 04:15 PM 2,048 @.vir
12/18/2011 05:01 AM 852 bckfg.tmp.vir
12/17/2011 01:55 PM 208 cfg.ini.vir
12/17/2011 09:51 AM 4,608 Desktop.ini.vir
12/17/2011 04:10 PM 261 keywords.vir
12/17/2011 09:51 AM 223,744 kwrd.dll.vir
12/18/2011 05:01 AM <DIR> L
12/17/2011 01:55 PM 5,176 lsflt7.ver.vir
12/18/2011 05:01 AM <DIR> U
7 File(s) 236,897 bytes

Directory of c:\QooBox\Quarantine\C\Windows\$NtUninstallKB59234$\2853653877\L

12/18/2011 05:01 AM <DIR> .
12/18/2011 05:01 AM <DIR> ..
12/13/2011 04:15 PM 273,408 qnbwvoto.vir
1 File(s) 273,408 bytes

Directory of c:\QooBox\Quarantine\C\Windows\$NtUninstallKB59234$\2853653877\U

12/18/2011 05:01 AM <DIR> .
12/18/2011 05:01 AM <DIR> ..
12/16/2011 08:24 AM 2,048 00000001.@.vir
12/13/2011 04:16 PM 224,768 00000002.@.vir
12/13/2011 04:16 PM 1,024 00000004.@.vir
12/13/2011 04:16 PM 1,024 80000000.@.vir
12/13/2011 04:16 PM 12,800 80000004.@.vir
12/16/2011 08:24 AM 98,304 80000032.@.vir
6 File(s) 339,968 bytes

Directory of c:\QooBox\Quarantine\Registry_backups

12/18/2011 05:44 AM <DIR> .
12/18/2011 05:44 AM <DIR> ..
12/18/2011 05:44 AM 1,294 AddRemove-_{53A908D4-99C6-469B-BC13-F4189F260742}.reg.dat
12/18/2011 05:43 AM 152 HKCU-Run-sjinrxjq.reg.dat
12/18/2011 05:43 AM 103 HKLM-Run-eRecoveryService.reg.dat
12/18/2011 05:43 AM 2,001 ShellIconOverlayIdentifiers-{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}.reg.dat
12/18/2011 05:32 AM 4,006 tcpip.reg
5 File(s) 7,556 bytes

Total Files Listed:
29 File(s) 900,743 bytes
75 Dir(s) 21,696,704,512 bytes free

========= End of CMD: =========


==== End of Fixlog ====

#14 JSntgRvr

Master Surgeon General
  • Malware Response Team
  • 11,828 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:04:11 PM

Posted 20 December 2011 - 06:10 PM

There is nothing in those reports that may indicate a problem in your profile. Combofix only removed bad files and folders. Perhaps a coincidence, but I don't believe the issue was due to Combofix.

I requested before that while logged in under your profile in Safe Mode, you run MSconfig and deselect all non-Windows services. This time around, deselect all items in the Startup tab and attempt to boot in Normal mode. Let me know if the BSOD error persists.

The minidump involves a file, raspptp.sys, but I don't see how this file could cause this problem. Try the above and let me know the outcome.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
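Post #14 asks for the non-Windows services and the Startup-tab items to be disabled, one group at a time, to see whether the BSOD follows one of them. The PowerShell below is an added example, not code from the thread, from FRST or from Combofix: it enumerates the same Run/RunOnce keys and Startup folders that msconfig's Startup tab is built from (the FRST fix above deleted one such Run value), lists automatically started services whose binary sits outside %windir% as a rough stand-in for "non-Windows", and recomputes the MD5s of the three files from the "Bamital & volsnap Check" so they can be compared with what FRST printed. It assumes Windows PowerShell 3.0 or later; the path-based service test is a heuristic of this example, and the expected hashes are taken from the log above and only apply to that Vista SP1 build.

```powershell
# Added example, not code from the thread. Lists the autostart locations that
# msconfig's Startup and Services tabs are built from, and hashes the three core
# files FRST checked, so both can be compared against the log before anything is
# disabled. Assumes Windows PowerShell 3.0 or later (for Get-CimInstance and
# Get-ChildItem -File); on older systems substitute Get-WmiObject.

# Registry keys behind msconfig's Startup tab (per-machine and per-user).
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Properties Get-ItemProperty adds for its own bookkeeping; they are not values.
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-RunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($p in $values.PSObject.Properties) {
            if ($ProviderProps -contains $p.Name) { continue }
            [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value }
        }
    }
    # Shortcuts in the per-user and all-users Startup folders appear in the tab too.
    foreach ($folder in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($folder)
        if (-not $dir -or -not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -File | ForEach-Object {
            [pscustomobject]@{ Location = $dir; Name = $_.Name; Command = $_.FullName }
        }
    }
}

function Get-NonWindowsAutoServices {
    # Heuristic (this example's, not msconfig's): a service whose executable lives
    # outside %windir% is treated as non-Windows. msconfig's "Hide all Microsoft
    # services" goes by vendor name instead, and neither view sees third-party
    # DLLs hosted inside svchost.exe, so treat this as a starting list, not a verdict.
    $windir = $env:windir
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' } |
        ForEach-Object {
            if (-not $_.PathName) { return }   # skip entries with no recorded path
            $exe = $_.PathName
            # Reduce 'C:\dir\svc.exe -k args' or '"C:\dir\svc.exe" /x' to the exe path.
            if ($exe -match '^"?(?<exe>[^"]+?\.exe)') { $exe = $Matches['exe'] }
            if ($exe -notlike "$windir\*") {
                [pscustomobject]@{
                    Name        = $_.Name
                    DisplayName = $_.DisplayName
                    State       = $_.State
                    Executable  = $exe
                }
            }
        }
}

function Get-Md5Hex {
    param([string]$Path)
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ($md5.ComputeHash($stream) | ForEach-Object { $_.ToString('X2') }) -join ''
    } finally {
        $stream.Dispose()
    }
}

# MD5s FRST printed in the "Bamital & volsnap Check" above. They are valid only
# for that machine's build (Vista SP1, files dated as in the log); on any other
# build a mismatch is expected, and the real reference is a known-good copy of
# the same file version.
$ExpectedMd5 = @{
    "$env:windir\explorer.exe"                 = '4F554999D7D5F05DAAEBBA7B5BA1089D'
    "$env:windir\System32\winlogon.exe"        = 'C2610B6BDBEFC053BBDAB4F1B965CB24'
    "$env:windir\System32\Drivers\volsnap.sys" = 'D8B4A53DD2769F226B3EB374374987C9'
}

function Compare-CoreFileHashes {
    foreach ($path in $ExpectedMd5.Keys) {
        $actual = if (Test-Path $path) { Get-Md5Hex -Path $path } else { '(missing)' }
        [pscustomobject]@{
            File     = $path
            Expected = $ExpectedMd5[$path]
            Actual   = $actual
            Match    = ($actual -eq $ExpectedMd5[$path])
        }
    }
}

'== Startup entries (msconfig Startup tab) =='
Get-RunEntries | Format-Table -AutoSize -Wrap
'== Automatic services with binaries outside %windir% =='
Get-NonWindowsAutoServices | Format-Table -AutoSize
'== Core file MD5s vs. the FRST log =='
Compare-CoreFileHashes | Format-Table -AutoSize
```

Run it from an elevated Windows PowerShell prompt on the affected profile (HKCU entries are per-user, so a different account shows different Run values). The Startup listing gives the same names that the Startup tab shows, which makes it easier to record exactly which items were deselected, and the service list narrows the "non-Windows services" step to the entries worth looking at first.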


#15 egerren

Topic Starter
  • Members
  • 22 posts
  • OFFLINE
  • Local time:03:11 PM

Posted 20 December 2011 - 08:31 PM

Well, I'm on my profile! This is certainly encouraging!
There were several startup services that I didn't disable, because I was worried they would mess something up. The ones I did disable were:
Adobe Acrobat
Google Desktop
iTunes
Quicktime
GoogleToolbarNotifier
RealPlayer
Adobe Gamma Loader
Microsoft Office OneNote
Orion

Could the problem possibly be in one of these, or somewhere else?
Thank you so much for your help, this is hugely encouraging!



