
Symantec Endpoint Protection Routinely Disabled & Strange Behavior.


45 replies to this topic

#1 mcclune

mcclune

  • Members
  • 70 posts

Posted 22 March 2013 - 05:28 PM

Greetings, good Samaritans of BC.com.

Thanks in advance for the assistance, and I'm always eager to use PayPal to remunerate service providers.

I have had increasingly strange PC behavior for a few weeks, and most recently my Symantec Endpoint keeps having the Proactive Threat Detection shut down. Yesterday the first tangible sign occurred when Firefox kept opening a new browser (at least a dozen at a time). I reinstalled SEP from the original disc and downloaded MBAM, which found Broken.OpenCommand x2, PUM.Hijack.StartMenu x6 although I did manually delete many on Wednesday, one PUM.Hijack.TaskManager and one Hijack.Userinit.

Neither MBAM, SEP nor Spybot caught anything this morning, but the PC is freezing up and not at all normal. Below is the HijackThis log.

Any ideas?

 

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:13:37 PM, on 3/22/2013
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe
C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\McClunacy\Local Settings\Application Data\Programs\Google\MusicManager\MusicManager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\McClunacy\Local Settings\Apps\F.lux\flux.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Documents and Settings\McClunacy\Local Settings\Application Data\Akamai\netsession_win.exe
C:\Documents and Settings\McClunacy\Local Settings\Application Data\Akamai\netsession_win.exe
C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Evernote\Evernote\EvernoteClipper.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SavUI.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=1080116
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy 2\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - (no file)
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Conime] %windir%\system32\conime.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\McClunacy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [MusicManager] "C:\Documents and Settings\McClunacy\Local Settings\Application Data\Programs\Google\MusicManager\MusicManager.exe"
O4 - HKCU\..\Run: [GoogleDriveSync] "C:\Program Files\Google\Drive\googledrivesync.exe" /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [F.lux] "C:\Documents and Settings\McClunacy\Local Settings\Apps\F.lux\flux.exe" /noshow
O4 - HKCU\..\Run: [Akamai NetSession Interface] "C:\Documents and Settings\McClunacy\Local Settings\Application Data\Akamai\netsession_win.exe"
O4 - HKCU\..\Run: [Adobe Reader Synchronizer] "C:\Program Files\Adobe\Reader 11.0\Reader\AdobeCollabSync.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [KodakHomeCenter] "C:\Program Files\Kodak\AiO\Center\AiOHomeCenter.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [KodakHomeCenter] "C:\Program Files\Kodak\AiO\Center\AiOHomeCenter.exe" (User 'Default user')
O4 - S-1-5-18 Startup: EvernoteClipper.lnk = C:\Program Files\Evernote\Evernote\EvernoteClipper.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: EvernoteClipper.lnk = C:\Program Files\Evernote\Evernote\EvernoteClipper.exe (User 'Default user')
O4 - Startup: EvernoteClipper.lnk = C:\Program Files\Evernote\Evernote\EvernoteClipper.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Dell Network Assistant.lnk = ?
O4 - Global Startup: Secunia PSI Tray.lnk = C:\Program Files\Secunia\PSI\psi_tray.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Clip selection - C:\Program Files\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=3
O8 - Extra context menu item: Clip this page - C:\Program Files\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=1
O8 - Extra context menu item: Clip URL - C:\Program Files\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=0
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: New Note - C:\Program Files\Evernote\Evernote\\EvernoteIERes\NewNote.html
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files\Evernote\Evernote\\EvernoteIERes\AddNote.html
O9 - Extra 'Tools' menuitem: @C:\Program Files\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files\Evernote\Evernote\\EvernoteIERes\AddNote.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy 2\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy 2\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {682C59F5-478C-4421-9070-AD170D143B77} - http://www.dell.com/support/troubleshooting/Content/Ode/pcd86.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1357759983015
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} (Java Plug-in 1.6.0_18) -
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} (Java Plug-in 1.6.0_20) -
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} (Java Plug-in 1.6.0_21) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O20 - Winlogon Notify: SDWinLogon - SDWinLogon.dll (file missing)
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iolo System Service (ioloSystemService) - iolo technologies, LLC - C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Java\jre7\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Spybot-S&D 2 Scanner Service (SDScannerService) - Safer-Networking Ltd. - C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
O23 - Service: Spybot-S&D 2 Updating Service (SDUpdateService) - Safer-Networking Ltd. - C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
O23 - Service: Spybot-S&D 2 Security Center Service (SDWSCService) - Safer-Networking Ltd. - C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
O23 - Service: Secunia PSI Agent - Secunia - C:\Program Files\Secunia\PSI\PSIA.exe
O23 - Service: Secunia Update Agent - Secunia - C:\Program Files\Secunia\PSI\sua.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 16532 bytes
 





#2 The Dark Knight

The Dark Knight

    The Magician


  • Security Colleague
  • 661 posts

Posted 26 March 2013 - 03:39 PM

Hello and welcome to BleepingComputer. I am The Dark Knight and will be assisting you. Please ask questions if anything is unclear.

 


Please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix (CF).

Please go here to see a list of programs that need to be disabled.

**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**

**Note 2: If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.**

Please include the C:\ComboFix.txt in your next reply for further review.
 


If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!


If I have helped you please consider donating to the Neuroscience Research Institute.




#3 mcclune

mcclune
  • Topic Starter

  • Members
  • 70 posts

Posted 26 March 2013 - 05:26 PM

ComboFix log below. Other than a PEV.exe application error in the beginning, all went smoothly and quickly.

 

ComboFix 13-03-26.01 - McClunacy 03/26/2013  15:11:30.5.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.2046.1409 [GMT -7:00]
Running from: c:\documents and settings\McClunacy\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\BAAAFDE8BC.sys
c:\documents and settings\All Users\Application Data\DragToDiscUserNameE.txt
c:\documents and settings\All Users\Application Data\PCDr\6032\AddOnDownloaded\1abc6cc6-7642-443e-ad9d-336734fd2832.dll
c:\documents and settings\All Users\Application Data\PCDr\6032\AddOnDownloaded\2d5007b2-cc36-4b97-a231-d0c427a69035.dll
c:\documents and settings\All Users\Application Data\PCDr\6032\AddOnDownloaded\3d9332d1-0b48-40cc-9189-068cf64600b6.dll
c:\documents and settings\All Users\Application Data\PCDr\6032\AddOnDownloaded\69eaa8a4-3131-4718-aad0-994ebde678d1.dll
c:\documents and settings\All Users\Application Data\PCDr\6032\AddOnDownloaded\d4ffe1c0-8021-4dfa-bf52-cb9224f001ce.dll
c:\documents and settings\All Users\Application Data\PCDr\6032\AddOnDownloaded\e238f8f5-5f0a-478f-b96a-d15f6f6cac94.dll
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
c:\documents and settings\McClunacy\g2mdlhlpx.exe
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-02-26 to 2013-03-26  )))))))))))))))))))))))))))))))
.
.
2013-03-26 16:37 . 2013-03-26 16:38    --------    d-----w-    c:\documents and settings\McClunacy\dwhelper
2013-03-23 01:56 . 2013-03-23 04:22    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-03-23 01:56 . 2012-12-14 23:49    21104    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-03-21 00:43 . 2007-12-19 02:06    91008    ----a-w-    c:\windows\system32\drivers\SysPlant.sys
2013-03-21 00:43 . 2013-03-21 00:43    60808    ----a-w-    c:\windows\system32\S32EVNT1.DLL
2013-03-21 00:43 . 2013-03-21 00:43    136496    ----a-w-    c:\windows\system32\drivers\SYMEVENT.SYS
2013-03-20 20:45 . 2013-02-12 00:32    12928    ------w-    c:\windows\system32\dllcache\usb8023x.sys
2013-03-20 20:45 . 2013-02-12 00:32    12928    ------w-    c:\windows\system32\dllcache\usb8023.sys
2013-03-12 14:27 . 2013-03-12 14:27    94112    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-03-11 17:33 . 2013-03-12 00:42    --------    d-----w-    c:\program files\Mozilla Thunderbird
2013-03-05 19:34 . 2013-03-05 19:34    --------    d-----w-    c:\documents and settings\LocalService\Application Data\KODAK AiO Home Center697515902
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-13 17:52 . 2012-04-02 17:35    693976    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-03-13 17:52 . 2011-08-11 23:01    73432    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-12 14:27 . 2012-03-09 04:15    143872    ----a-w-    c:\windows\system32\javacpl.cpl
2013-03-12 14:27 . 2010-04-29 19:57    782240    ----a-w-    c:\windows\system32\deployJava1.dll
2013-02-28 19:16 . 2008-04-09 20:30    1682    --sha-w-    c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2013-02-26 15:30 . 2012-10-07 00:30    861088    ----a-w-    c:\windows\system32\npDeployJava1.dll
2013-02-12 00:32 . 2008-09-12 18:11    12928    ------w-    c:\windows\system32\drivers\usb8023x.sys
2013-02-12 00:32 . 2004-08-10 18:51    12928    ----a-w-    c:\windows\system32\drivers\usb8023.sys
2013-02-05 20:05 . 2004-08-10 18:51    916480    ----a-w-    c:\windows\system32\wininet.dll
2013-02-05 20:05 . 2004-08-10 18:51    43520    ----a-w-    c:\windows\system32\licmgr10.dll
2013-02-05 20:05 . 2004-08-10 18:51    1469440    ----a-w-    c:\windows\system32\inetcpl.cpl
2013-02-05 05:53 . 2004-08-10 18:51    385024    ------w-    c:\windows\system32\html.iec
2013-01-26 03:55 . 2004-08-10 18:51    552448    ----a-w-    c:\windows\system32\oleaut32.dll
2013-01-07 01:19 . 2004-08-10 18:51    2148864    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-01-07 00:37 . 2004-08-04 04:59    2027520    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-01-04 01:20 . 2004-08-10 18:51    1867264    ----a-w-    c:\windows\system32\win32k.sys
2013-01-02 06:49 . 2004-08-10 18:51    1292288    ----a-w-    c:\windows\system32\quartz.dll
2013-01-02 06:49 . 2004-08-10 18:51    148992    ----a-w-    c:\windows\system32\mpg2splt.ax
2007-08-15 23:43 . 2008-04-25 19:56    17488    -c----w-    c:\program files\Autoplay.exe
2012-05-31 16:55 . 2013-03-08 05:37    302904    ----a-w-    c:\program files\mozilla firefox\plugins\ieatgpc.dll
2013-03-08 05:37 . 2013-03-08 05:36    263064    ----a-w-    c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32    129272    ----a-w-    c:\documents and settings\McClunacy\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32    129272    ----a-w-    c:\documents and settings\McClunacy\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32    129272    ----a-w-    c:\documents and settings\McClunacy\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32    129272    ----a-w-    c:\documents and settings\McClunacy\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2013-03-07 23:31    576976    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2013-03-07 23:31    576976    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2013-03-07 23:31    576976    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2013-03-07 23:31    576976    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MusicManager"="c:\documents and settings\McClunacy\Local Settings\Application Data\Programs\Google\MusicManager\MusicManager.exe" [2013-01-14 7437824]
"GoogleDriveSync"="c:\program files\Google\Drive\googledrivesync.exe" [2013-03-07 19357112]
"F.lux"="c:\documents and settings\McClunacy\Local Settings\Apps\F.lux\flux.exe" [2009-08-29 966656]
"Akamai NetSession Interface"="c:\documents and settings\McClunacy\Local Settings\Application Data\Akamai\netsession_win.exe" [2013-01-26 4480768]
"Adobe Reader Synchronizer"="c:\program files\Adobe\Reader 11.0\Reader\AdobeCollabSync.exe" [2012-12-18 689896]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-28 16132608]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2011-06-17 2510848]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-09-17 63048]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2012-11-13 3825176]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 946352]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-11-09 115560]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"KodakHomeCenter"="c:\program files\Kodak\AiO\Center\AiOHomeCenter.exe" [2012-10-19 2235840]
.
c:\documents and settings\McClunacy\Start Menu\Programs\Startup\
EvernoteClipper.lnk - c:\program files\Evernote\Evernote\EvernoteClipper.exe [2013-3-2 1086816]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2008-1-16 7168]
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-10-13 291896]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-04 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2012-11-05 15:47    92072    ----a-w-    c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk /p \??\f:\0???\0?Ý
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Act! Preloader]
2009-08-24 17:20    331776    ------w-    c:\program files\ACT\Act for Windows\ActSage.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Act.Outlook.Service]
2009-08-24 17:09    28672    ------w-    c:\program files\ACT\Act for Windows\Act.Outlook.Service.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2012-11-30 02:06    1263512    ----a-w-    c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.3]
2007-03-06 17:21    116224    ------w-    c:\program files\eFax Messenger 4.3\J2GDllCmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EKIJ5000StatusMonitor]
2011-06-17 01:53    2510848    ------w-    c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TeamViewer6"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ACT\\Act for Windows\\ActSage.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Documents and Settings\\McClunacy\\Application Data\\Dropbox\\bin\\dropbox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Documents and Settings\\McClunacy\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\AiOHomeCenter.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\NetworkPrinterDiscovery.exe"=
"c:\\Program Files\\Kodak\\AiO\\Firmware\\KodakAiOUpdater.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kodak\\Installer\\Setup.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9323:TCP"= 9323:TCP:EKDiscovery
"5353:UDP"= 5353:UDP:Bonjour Port 5353
"50000:UDP"= 50000:UDP:IHA_MessageCenter
"9322:TCP"= 9322:TCP:EKDiscovery
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [11/23/2009 9:43 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 9:43 AM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [7/2/2010 8:41 AM 116608]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [1/27/2012 7:02 PM 1053184]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [9/17/2010 4:40 PM 12856]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [12/10/2010 6:29 PM 29293408]
R2 PDFsFilter;PDFsFilter;c:\windows\system32\drivers\PDFsFilter.sys [8/17/2012 1:28 PM 68464]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [11/23/2012 10:23 AM 1103392]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [11/23/2012 10:23 AM 1369624]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [10/13/2011 11:01 PM 994360]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [10/13/2011 11:01 PM 399416]
R3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [5/29/2007 1:55 PM 23888]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/20/2013 5:50 PM 106656]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 1:30 AM 15544]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [3/22/2013 6:56 PM 398184]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/22/2013 6:56 PM 682344]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [11/23/2012 10:23 AM 168384]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/22/2013 6:56 PM 21104]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [6/3/2009 11:01 AM 174720]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [12/18/2008 9:24 PM 47360]
S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\Drivers\PROCEXP151.SYS --> c:\windows\system32\Drivers\PROCEXP151.SYS [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 9:43 AM 12872]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [5/25/2009 4:43 PM 32408]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
S4 ACT! Scheduler;ACT! Scheduler;c:\program files\ACT\Act for Windows\Act.Scheduler.exe [8/24/2009 10:22 AM 81920]
S4 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [12/12/2011 12:03 PM 290832]
S4 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\EKAiOHostService.exe [10/19/2012 3:51 PM 395200]
S4 Kodak AiO Status Monitor Service;Kodak AiO Status Monitor Service;c:\program files\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe [10/15/2012 12:58 PM 779200]
S4 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [12/8/2010 2:11 PM 374704]
S4 TBKService7;TBKService7;c:\progra~1\FILEST~1\TURBOB~1\TBKService7.exe [6/2/2011 3:45 PM 57344]
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-26 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 17:53]
.
2013-03-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
.
2013-03-26 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2012-11-23 22:08]
.
2013-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-05-31 15:32]
.
2013-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-05-31 15:32]
.
2013-03-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3003466951-3774543392-1737223591-1006Core.job
- c:\documents and settings\McClunacy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-22 20:12]
.
2013-03-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3003466951-3774543392-1737223591-1006UA.job
- c:\documents and settings\McClunacy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-22 20:12]
.
2013-03-11 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2013-02-06 01:39]
.
2013-03-20 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2012-11-23 22:07]
.
2012-11-23 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDScan.exe [2012-11-23 22:07]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://yahoo.com/
uInternet Settings,ProxyOverride = *.local;<local>
IE: Clip selection - c:\program files\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=3
IE: Clip this page - c:\program files\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=1
IE: Clip URL - c:\program files\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=0
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: New Note - c:\program files\Evernote\Evernote\\EvernoteIERes\NewNote.html
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
DPF: {682C59F5-478C-4421-9070-AD170D143B77} - hxxp://www.dell.com/support/troubleshooting/Content/Ode/pcd86.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - ProfilePath - c:\documents and settings\McClunacy\Application Data\Mozilla\Firefox\Profiles\6er0256f.default-1363843637046\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - ExtSQL: 2013-03-07 21:37; {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}; c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - ExtSQL: 2013-03-21 13:13; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\documents and settings\McClunacy\Application Data\Mozilla\Firefox\Profiles\6er0256f.default-1363843637046\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2013-03-21 22:45; adblockpopups@jessehakanen.net; c:\documents and settings\McClunacy\Application Data\Mozilla\Firefox\Profiles\6er0256f.default-1363843637046\extensions\adblockpopups@jessehakanen.net.xpi
FF - ExtSQL: 2013-03-26 09:33; {b9db16a4-6edc-47ec-a1f4-b86292ed211d}; c:\documents and settings\McClunacy\Application Data\Mozilla\Firefox\Profiles\6er0256f.default-1363843637046\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - ExtSQL: 2013-03-26 13:13; {65e41d20-f092-41b7-bb83-c6e8a9ab0f57}; c:\documents and settings\McClunacy\Application Data\Mozilla\Firefox\Profiles\6er0256f.default-1363843637046\extensions\{65e41d20-f092-41b7-bb83-c6e8a9ab0f57}.xpi
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -
.
Notify-!SASWinLogon - (no file)
Notify-GoToMyPC - (no file)
Notify-SDWinLogon - SDWinLogon.dll
SafeBoot-Symantec Antvirus
AddRemove-Stamps.com support for Microsoft Word 2000-2007 - c:\documents and settings\All Users\Application Data\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B}\MSW2KPIMstmp.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-03-26 15:17
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\vsdatant]
"ImagePath"="a"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1104)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2013-03-26  15:22:20
ComboFix-quarantined-files.txt  2013-03-26 22:22
.
Pre-Run: 170,954,248,192 bytes free
Post-Run: 171,408,408,576 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 75CD95E57998F45AC550449D26770AA0
 



#4 The Dark Knight

Posted 27 March 2013 - 12:57 AM

Hey mcclune,

 

Thank you for the log.

 

Please download RogueKiller (by tigzy) to the Desktop.

  • Please quit all programs.
  • Start RogueKiller.exe.
  • Wait until Prescan has finished.
  • Click on Scan.
  • Click on Report and copy/paste the contents of the report in your next reply.


If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!


If I have helped you please consider donating to the Neuroscience Research Institute.




#5 mcclune

Posted 27 March 2013 - 01:27 AM

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : McClunacy [Admin rights]
Mode : Scan -- Date : 03/26/2013 23:25:51
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 11 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : MusicManager ("C:\Documents and Settings\McClunacy\Local Settings\Application Data\Programs\Google\MusicManager\MusicManager.exe") [-] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3003466951-3774543392-1737223591-1006[...]\Run : MusicManager ("C:\Documents and Settings\McClunacy\Local Settings\Application Data\Programs\Google\MusicManager\MusicManager.exe") [-] -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[12] : NtAlertResumeThread @ 0x805D4BDC -> HOOKED (Unknown @ 0x89C5B4E8)
SSDT[13] : NtAlertThread @ 0x805D4B8C -> HOOKED (Unknown @ 0x89C62880)
SSDT[17] : NtAllocateVirtualMemory @ 0x805A8AC2 -> HOOKED (Unknown @ 0x89D6FF38)
SSDT[31] : NtConnectPort @ 0x805A45D8 -> HOOKED (Unknown @ 0x89C7D268)
SSDT[43] : NtCreateMutant @ 0x80617718 -> HOOKED (Unknown @ 0x89C4D518)
SSDT[53] : NtCreateThread @ 0x805D1038 -> HOOKED (Unknown @ 0x89C61458)
SSDT[83] : NtFreeVirtualMemory @ 0x805B2FBA -> HOOKED (Unknown @ 0x89D3C550)
SSDT[89] : NtImpersonateAnonymousToken @ 0x805F9258 -> HOOKED (Unknown @ 0x89C4D5E8)
SSDT[91] : NtImpersonateThread @ 0x805D7860 -> HOOKED (Unknown @ 0x89A692F0)
SSDT[108] : NtMapViewOfSection @ 0x805B2042 -> HOOKED (Unknown @ 0x89D2AD20)
SSDT[114] : NtOpenEvent @ 0x8060F0D6 -> HOOKED (Unknown @ 0x89C4D458)
SSDT[123] : NtOpenProcessToken @ 0x805EDF26 -> HOOKED (Unknown @ 0x89C55E38)
SSDT[129] : NtOpenThreadToken @ 0x805EDF44 -> HOOKED (Unknown @ 0x89C5B568)
SSDT[143] : NtQueryDefaultLocale @ 0x80610D80 -> HOOKED (SysPlant.sys @ 0xB9D4F7B0)
SSDT[206] : NtResumeThread @ 0x805D4A18 -> HOOKED (Unknown @ 0x89D107B0)
SSDT[213] : NtSetContextThread @ 0x805D2C1A -> HOOKED (Unknown @ 0x89D6CF00)
SSDT[228] : NtSetInformationProcess @ 0x805CDEA0 -> HOOKED (Unknown @ 0x89C62900)
SSDT[229] : NtSetInformationThread @ 0x805CC124 -> HOOKED (Unknown @ 0x89CE1BB0)
SSDT[253] : NtSuspendProcess @ 0x805D4AE0 -> HOOKED (Unknown @ 0x89C4D420)
SSDT[254] : NtSuspendThread @ 0x805D4952 -> HOOKED (Unknown @ 0x89C7DAF0)
SSDT[257] : NtTerminateProcess @ 0x805D22D8 -> HOOKED (Unknown @ 0x89D10BC0)
SSDT[258] : NtTerminateThread @ 0x805D24D2 -> HOOKED (Unknown @ 0x89D3C518)
SSDT[267] : NtUnmapViewOfSection @ 0x805B2E50 -> HOOKED (Unknown @ 0x89D6FF00)
SSDT[277] : NtWriteVirtualMemory @ 0x805B43D4 -> HOOKED (Unknown @ 0x89D6CF38)
S_SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x88475C98)

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: SAMSUNG HD321KJ +++++
--- User ---
[MBR] 24de6bc58bbf2e8785c01a44ecaf56bd
[BSP] ae203e84dcb456630d870d8f3155a2b5 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 112455 | Size: 305180 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_03262013_02d2325.txt >>
RKreport[1]_S_03262013_02d2325.txt

 



#6 mcclune

Posted 27 March 2013 - 01:35 PM

Dark Knight,

 

You might be interested to know the SONAR component of my Symantec Endpoint Protection keeps failing (prompts me to send error report, etc.) which turns off the Proactive Threat Protection component of SEP.  Sometimes I run the LiveUpdate which fixes the problem but mostly LiveUpdate runs and still does not fix the Proactive Threat Protection status.



#7 The Dark Knight

Posted 27 March 2013 - 03:35 PM

Hello mcclune,


  • Please re-run RogueKiller.
  • Click on the Delete button.
  • The report has been created on the Desktop. Please post it in your reply.

 

=====

 

Also, please download Malwarebytes Anti-Rootkit here.

  • Unzip the contents to a folder on the Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe (right-click and select Run as administrator for Vista and Windows 7).
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Please post the two logs produced.


Please note: This tool is still in BETA mode, so please ensure you have backed up any important files.

 

=====

 

In your reply please provide the log from RogueKiller and both MBAM logs.




#8 mcclune

Posted 27 March 2013 - 04:21 PM

DK,

 

I ran Rogue Killer and clicked on Delete. Then I ran MBAR which found nothing.  And I disabled Symantec Endpoint before running both.

 

 

1. RogueKiller Log

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : McClunacy [Admin rights]
Mode : Remove -- Date : 03/27/2013 14:02:00
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 10 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : MusicManager ("C:\Documents and Settings\McClunacy\Local Settings\Application Data\Programs\Google\MusicManager\MusicManager.exe") [-] -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowUser (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> REPLACED (1)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[12] : NtAlertResumeThread @ 0x805D4BDC -> HOOKED (Unknown @ 0x89C5B4E8)
SSDT[13] : NtAlertThread @ 0x805D4B8C -> HOOKED (Unknown @ 0x89C62880)
SSDT[17] : NtAllocateVirtualMemory @ 0x805A8AC2 -> HOOKED (Unknown @ 0x89D6FF38)
SSDT[31] : NtConnectPort @ 0x805A45D8 -> HOOKED (Unknown @ 0x89C7D268)
SSDT[43] : NtCreateMutant @ 0x80617718 -> HOOKED (Unknown @ 0x89C4D518)
SSDT[53] : NtCreateThread @ 0x805D1038 -> HOOKED (Unknown @ 0x89C61458)
SSDT[83] : NtFreeVirtualMemory @ 0x805B2FBA -> HOOKED (Unknown @ 0x89D3C550)
SSDT[89] : NtImpersonateAnonymousToken @ 0x805F9258 -> HOOKED (Unknown @ 0x89C4D5E8)
SSDT[91] : NtImpersonateThread @ 0x805D7860 -> HOOKED (Unknown @ 0x89A692F0)
SSDT[108] : NtMapViewOfSection @ 0x805B2042 -> HOOKED (Unknown @ 0x89D2AD20)
SSDT[114] : NtOpenEvent @ 0x8060F0D6 -> HOOKED (Unknown @ 0x89C4D458)
SSDT[123] : NtOpenProcessToken @ 0x805EDF26 -> HOOKED (Unknown @ 0x89C55E38)
SSDT[129] : NtOpenThreadToken @ 0x805EDF44 -> HOOKED (Unknown @ 0x89C5B568)
SSDT[143] : NtQueryDefaultLocale @ 0x80610D80 -> HOOKED (SysPlant.sys @ 0xB9D4F7B0)
SSDT[206] : NtResumeThread @ 0x805D4A18 -> HOOKED (Unknown @ 0x89D107B0)
SSDT[213] : NtSetContextThread @ 0x805D2C1A -> HOOKED (Unknown @ 0x89D6CF00)
SSDT[228] : NtSetInformationProcess @ 0x805CDEA0 -> HOOKED (Unknown @ 0x89C62900)
SSDT[229] : NtSetInformationThread @ 0x805CC124 -> HOOKED (Unknown @ 0x89CE1BB0)
SSDT[253] : NtSuspendProcess @ 0x805D4AE0 -> HOOKED (Unknown @ 0x89C4D420)
SSDT[254] : NtSuspendThread @ 0x805D4952 -> HOOKED (Unknown @ 0x89C7DAF0)
SSDT[257] : NtTerminateProcess @ 0x805D22D8 -> HOOKED (Unknown @ 0x89D10BC0)
SSDT[258] : NtTerminateThread @ 0x805D24D2 -> HOOKED (Unknown @ 0x89D3C518)
SSDT[267] : NtUnmapViewOfSection @ 0x805B2E50 -> HOOKED (Unknown @ 0x89D6FF00)
SSDT[277] : NtWriteVirtualMemory @ 0x805B43D4 -> HOOKED (Unknown @ 0x89D6CF38)
S_SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x88475C98)

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: SAMSUNG HD321KJ +++++
--- User ---
[MBR] 24de6bc58bbf2e8785c01a44ecaf56bd
[BSP] ae203e84dcb456630d870d8f3155a2b5 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 112455 | Size: 305180 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[3]_D_03272013_02d1402.txt >>
RKreport[1]_S_03262013_02d2325.txt ; RKreport[2]_S_03272013_02d1401.txt ; RKreport[3]_D_03272013_02d1402.txt

 

 

2. MBAR LOG

 

 

Malwarebytes Anti-Rootkit BETA 1.01.0.1021
www.malwarebytes.org

Database version: v2013.03.27.11

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
McClunacy :: MCPC [administrator]

3/27/2013 2:16:11 PM
mbar-log-2013-03-27 (14-16-11).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 28783
Time elapsed: 7 minute(s), 50 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 



 


Edited by mcclune, 27 March 2013 - 04:23 PM.


#9 The Dark Knight

Posted 28 March 2013 - 07:02 AM

Hey mcclune,

 

Please download GMER from one of the following locations and save it to your Desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your Desktop.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable your security programs so they will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress).
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in .
-- If GMER crashes or keeps resulting in a BSOD, uncheck Devices on the right side before scanning.




#10 mcclune

Posted 28 March 2013 - 01:58 PM

GMER log is posted below. Interesting thing of note is upon bootup this morning I got a DOS window prompt that read CMD.exe. Very quick, lasted a second or two. Nothing seemed to happen after but I've never seen it before.

 

To clarify I had the GMER application checked on Quick Scan and did not have the C:/ checked.


The GMER log is too long to post in one reply. I will break it up into more than one but I have attached the .log file to this reply.

 

GMER 2.1.19155 - http://www.gmer.net
Rootkit scan 2013-03-28 11:48:32
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 SAMSUNG_HD321KJ rev.CP100-12 298.09GB
Running: 1kbjj1n5.exe; Driver: C:\DOCUME~1\MCCLUN~1\LOCALS~1\Temp\pxtdypob.sys


---- System - GMER 2.1 ----

SSDT            8A8C9398                                                                                                                                ZwAlertResumeThread
SSDT            8A808F20                                                                                                                                ZwAlertThread
SSDT            89A79F30                                                                                                                                ZwAllocateVirtualMemory
SSDT            89D3EE98                                                                                                                                ZwConnectPort
SSDT            89C90FC0                                                                                                                                ZwCreateMutant
SSDT            89A6FE18                                                                                                                                ZwCreateThread
SSDT            8A8EB5F0                                                                                                                                ZwFreeVirtualMemory
SSDT            8A90CCA8                                                                                                                                ZwImpersonateAnonymousToken
SSDT            8A90A650                                                                                                                                ZwImpersonateThread
SSDT            8A8EB550                                                                                                                                ZwMapViewOfSection
SSDT            8A8E76B8                                                                                                                                ZwOpenEvent
SSDT            8A80ABA0                                                                                                                                ZwOpenProcessToken
SSDT            89CEEBE0                                                                                                                                ZwOpenThreadToken
SSDT            \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys                                                                                            ZwProtectVirtualMemory [0xB62CF280]
SSDT            SysPlant.sys                                                                                                                            ZwQueryDefaultLocale [0xB9D4F7B0]
SSDT            89CDF1E8                                                                                                                                ZwResumeThread
SSDT            8A91D280                                                                                                                                ZwSetContextThread
SSDT            89F1E2B8                                                                                                                                ZwSetInformationProcess
SSDT            89CEEB08                                                                                                                                ZwSetInformationThread
SSDT            8A872D68                                                                                                                                ZwSuspendProcess
SSDT            8A9087A0                                                                                                                                ZwSuspendThread
SSDT            89F26208                                                                                                                                ZwTerminateProcess
SSDT            8A93AA58                                                                                                                                ZwTerminateThread
SSDT            8A8C3D10                                                                                                                                ZwUnmapViewOfSection
SSDT            89C70348                                                                                                                                ZwWriteVirtualMemory

---- Kernel code sections - GMER 2.1 ----

.text           ntkrnlpa.exe!ZwCallbackReturn + 2F14                                                                                                    8050480C 4 Bytes  CALL BCDA1602
.text           ntkrnlpa.exe!KeReleaseInStackQueuedSpinLockFromDpcLevel + B5D                                                                           805416B5 5 Bytes  JMP B9D50BB0 SysPlant.sys
.text           C:\WINDOWS\system32\DRIVERS\nv4_mini.sys                                                                                                section is writeable [0xB965F360, 0x307AC7, 0xE8000020]

---- User code sections - GMER 2.1 ----

Attached File  gmer.log   128.21KB   0 downloads


Edited by mcclune, 28 March 2013 - 02:04 PM.


#11 mcclune


Posted 28 March 2013 - 02:02 PM

---- User code sections - GMER 2.1 ----

.text           C:\Program Files\Secunia\PSI\PSIA.exe[160] ntdll.dll!NtCreateFile + 5                                                                   7C90D0B3 5 Bytes  JMP 617752D0 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Secunia\PSI\PSIA.exe[160] ntdll.dll!NtCreateKey + 5                                                                    7C90D0F3 5 Bytes  JMP 6177530A C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Secunia\PSI\PSIA.exe[160] ntdll.dll!NtCreateThread + 5                                                                 7C90D1B3 5 Bytes  JMP 61775344 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Secunia\PSI\PSIA.exe[160] ntdll.dll!NtDeleteFile + 5                                                                   7C90D243 5 Bytes  JMP 6177537E C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Secunia\PSI\PSIA.exe[160] ntdll.dll!NtDeleteValueKey + 5                                                               7C90D273 5 Bytes  JMP 617753B8 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Secunia\PSI\PSIA.exe[160] ntdll.dll!NtMapViewOfSection + 5                                                             7C90D523 5 Bytes  JMP 617753F2 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Secunia\PSI\PSIA.exe[160] ntdll.dll!NtOpenFile + 5                                                                     7C90D5A3 5 Bytes  JMP 6177542C C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Secunia\PSI\PSIA.exe[160] ntdll.dll!NtOpenKey + 5                                                                      7C90D5D3 5 Bytes  JMP 61775466 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Secunia\PSI\PSIA.exe[160] ntdll.dll!NtRenameKey + 5                                                                    7C90DA63 5 Bytes  JMP 617754A0 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Secunia\PSI\PSIA.exe[160] ntdll.dll!NtSetInformationFile + 5                                                           7C90DC63 5 Bytes  JMP 617754DA C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Secunia\PSI\PSIA.exe[160] ntdll.dll!NtSetValueKey + 5                                                                  7C90DDD3 5 Bytes  JMP 61775514 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Secunia\PSI\PSIA.exe[160] ntdll.dll!NtTerminateProcess + 5                                                             7C90DE73 5 Bytes  JMP 6177554E C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[264] ntdll.dll!NtCreateFile + 5                              7C90D0B3 5 Bytes  JMP 617752D0 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[264] ntdll.dll!NtCreateKey + 5                               7C90D0F3 5 Bytes  JMP 6177530A C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[264] ntdll.dll!NtCreateThread + 5                            7C90D1B3 5 Bytes  JMP 61775344 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[264] ntdll.dll!NtDeleteFile + 5                              7C90D243 5 Bytes  JMP 6177537E C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[264] ntdll.dll!NtDeleteValueKey + 5                          7C90D273 5 Bytes  JMP 617753B8 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[264] ntdll.dll!NtMapViewOfSection + 5                        7C90D523 5 Bytes  JMP 617753F2 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[264] ntdll.dll!NtOpenFile + 5                                7C90D5A3 5 Bytes  JMP 6177542C C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[264] ntdll.dll!NtOpenKey + 5                                 7C90D5D3 5 Bytes  JMP 61775466 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[264] ntdll.dll!NtRenameKey + 5                               7C90DA63 5 Bytes  JMP 617754A0 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[264] ntdll.dll!NtSetInformationFile + 5                      7C90DC63 5 Bytes  JMP 617754DA C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[264] ntdll.dll!NtSetValueKey + 5                             7C90DDD3 5 Bytes  JMP 61775514 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[264] ntdll.dll!NtTerminateProcess + 5                        7C90DE73 5 Bytes  JMP 6177554E C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[292] ntdll.dll!NtCreateFile + 5                                         7C90D0B3 5 Bytes  JMP 617752D0 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[292] ntdll.dll!NtCreateKey + 5                                          7C90D0F3 5 Bytes  JMP 6177530A C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[292] ntdll.dll!NtCreateThread + 5                                       7C90D1B3 5 Bytes  JMP 61775344 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[292] ntdll.dll!NtDeleteFile + 5                                         7C90D243 5 Bytes  JMP 6177537E C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[292] ntdll.dll!NtDeleteValueKey + 5                                     7C90D273 5 Bytes  JMP 617753B8 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[292] ntdll.dll!NtMapViewOfSection + 5                                   7C90D523 5 Bytes  JMP 617753F2 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[292] ntdll.dll!NtOpenFile + 5                                           7C90D5A3 5 Bytes  JMP 6177542C C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[292] ntdll.dll!NtOpenKey + 5                                            7C90D5D3 5 Bytes  JMP 61775466 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[292] ntdll.dll!NtRenameKey + 5                                          7C90DA63 5 Bytes  JMP 617754A0 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[292] ntdll.dll!NtSetInformationFile + 5                                 7C90DC63 5 Bytes  JMP 617754DA C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[292] ntdll.dll!NtSetValueKey + 5                                        7C90DDD3 5 Bytes  JMP 61775514 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[292] ntdll.dll!NtTerminateProcess + 5                                   7C90DE73 5 Bytes  JMP 6177554E C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Dell Network Assistant\hnm_svc.exe[388] ntdll.dll!NtCreateFile + 5                                                     7C90D0B3 5 Bytes  JMP 617752D0 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Dell Network Assistant\hnm_svc.exe[388] ntdll.dll!NtCreateKey + 5                                                      7C90D0F3 5 Bytes  JMP 6177530A C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Dell Network Assistant\hnm_svc.exe[388] ntdll.dll!NtCreateThread + 5                                                   7C90D1B3 5 Bytes  JMP 61775344 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Dell Network Assistant\hnm_svc.exe[388] ntdll.dll!NtDeleteFile + 5                                                     7C90D243 5 Bytes  JMP 6177537E C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Dell Network Assistant\hnm_svc.exe[388] ntdll.dll!NtDeleteValueKey + 5                                                 7C90D273 5 Bytes  JMP 617753B8 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Dell Network Assistant\hnm_svc.exe[388] ntdll.dll!NtMapViewOfSection + 5                                               7C90D523 5 Bytes  JMP 617753F2 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Dell Network Assistant\hnm_svc.exe[388] ntdll.dll!NtOpenFile + 5                                                       7C90D5A3 5 Bytes  JMP 6177542C C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Dell Network Assistant\hnm_svc.exe[388] ntdll.dll!NtOpenKey + 5                                                        7C90D5D3 5 Bytes  JMP 61775466 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Dell Network Assistant\hnm_svc.exe[388] ntdll.dll!NtRenameKey + 5                                                      7C90DA63 5 Bytes  JMP 617754A0 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Dell Network Assistant\hnm_svc.exe[388] ntdll.dll!NtSetInformationFile + 5                                             7C90DC63 5 Bytes  JMP 617754DA C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Dell Network Assistant\hnm_svc.exe[388] ntdll.dll!NtSetValueKey + 5                                                    7C90DDD3 5 Bytes  JMP 61775514 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Dell Network Assistant\hnm_svc.exe[388] ntdll.dll!NtTerminateProcess + 5                                               7C90DE73 5 Bytes  JMP 6177554E C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\WINDOWS\system32\spoolsv.exe[540] ntdll.dll!NtCreateFile + 5                                                                         7C90D0B3 5 Bytes  JMP 617752D0 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\WINDOWS\system32\spoolsv.exe[540] ntdll.dll!NtCreateKey + 5                                                                          7C90D0F3 5 Bytes  JMP 6177530A C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\WINDOWS\system32\spoolsv.exe[540] ntdll.dll!NtCreateThread + 5                                                                       7C90D1B3 5 Bytes  JMP 61775344 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\WINDOWS\system32\spoolsv.exe[540] ntdll.dll!NtDeleteFile + 5                                                                         7C90D243 5 Bytes  JMP 6177537E C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\WINDOWS\system32\spoolsv.exe[540] ntdll.dll!NtDeleteValueKey + 5                                                                     7C90D273 5 Bytes  JMP 617753B8 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\WINDOWS\system32\spoolsv.exe[540] ntdll.dll!NtMapViewOfSection + 5                                                                   7C90D523 5 Bytes  JMP 617753F2 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\WINDOWS\system32\spoolsv.exe[540] ntdll.dll!NtOpenFile + 5                                                                           7C90D5A3 5 Bytes  JMP 6177542C C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\WINDOWS\system32\spoolsv.exe[540] ntdll.dll!NtOpenKey + 5                                                                            7C90D5D3 5 Bytes  JMP 61775466 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\WINDOWS\system32\spoolsv.exe[540] ntdll.dll!NtRenameKey + 5                                                                          7C90DA63 5 Bytes  JMP 617754A0 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\WINDOWS\system32\spoolsv.exe[540] ntdll.dll!NtSetInformationFile + 5                                                                 7C90DC63 5 Bytes  JMP 617754DA C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\WINDOWS\system32\spoolsv.exe[540] ntdll.dll!NtSetValueKey + 5                                                                        7C90DDD3 5 Bytes  JMP 61775514 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\WINDOWS\system32\spoolsv.exe[540] ntdll.dll!NtTerminateProcess + 5                                                                   7C90DE73 5 Bytes  JMP 6177554E C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Java\jre7\bin\jqs.exe[660] ntdll.dll!NtCreateFile + 5                                                                  7C90D0B3 5 Bytes  JMP 617752D0 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Java\jre7\bin\jqs.exe[660] ntdll.dll!NtCreateKey + 5                                                                   7C90D0F3 5 Bytes  JMP 6177530A C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Java\jre7\bin\jqs.exe[660] ntdll.dll!NtCreateThread + 5                                                                7C90D1B3 5 Bytes  JMP 61775344 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Java\jre7\bin\jqs.exe[660] ntdll.dll!NtDeleteFile + 5                                                                  7C90D243 5 Bytes  JMP 6177537E C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Java\jre7\bin\jqs.exe[660] ntdll.dll!NtDeleteValueKey + 5                                                              7C90D273 5 Bytes  JMP 617753B8 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Java\jre7\bin\jqs.exe[660] ntdll.dll!NtMapViewOfSection + 5                                                            7C90D523 5 Bytes  JMP 617753F2 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Java\jre7\bin\jqs.exe[660] ntdll.dll!NtOpenFile + 5                                                                    7C90D5A3 5 Bytes  JMP 6177542C C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Java\jre7\bin\jqs.exe[660] ntdll.dll!NtOpenKey + 5                                                                     7C90D5D3 5 Bytes  JMP 61775466 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Java\jre7\bin\jqs.exe[660] ntdll.dll!NtRenameKey + 5                                                                   7C90DA63 5 Bytes  JMP 617754A0 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Java\jre7\bin\jqs.exe[660] ntdll.dll!NtSetInformationFile + 5                                                          7C90DC63 5 Bytes  JMP 617754DA C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Java\jre7\bin\jqs.exe[660] ntdll.dll!NtSetValueKey + 5                                                                 7C90DDD3 5 Bytes  JMP 61775514 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Java\jre7\bin\jqs.exe[660] ntdll.dll!NtTerminateProcess + 5                                                            7C90DE73 5 Bytes  JMP 6177554E C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Bonjour\mDNSResponder.exe[696] ntdll.dll!NtCreateFile + 5                                                              7C90D0B3 5 Bytes  JMP 617752D0 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Bonjour\mDNSResponder.exe[696] ntdll.dll!NtCreateKey + 5                                                               7C90D0F3 5 Bytes  JMP 6177530A C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Bonjour\mDNSResponder.exe[696] ntdll.dll!NtCreateThread + 5                                                            7C90D1B3 5 Bytes  JMP 61775344 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Bonjour\mDNSResponder.exe[696] ntdll.dll!NtDeleteFile + 5                                                              7C90D243 5 Bytes  JMP 6177537E C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Bonjour\mDNSResponder.exe[696] ntdll.dll!NtDeleteValueKey + 5                                                          7C90D273 5 Bytes  JMP 617753B8 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Bonjour\mDNSResponder.exe[696] ntdll.dll!NtMapViewOfSection + 5                                                        7C90D523 5 Bytes  JMP 617753F2 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Bonjour\mDNSResponder.exe[696] ntdll.dll!NtOpenFile + 5                                                                7C90D5A3 5 Bytes  JMP 6177542C C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Bonjour\mDNSResponder.exe[696] ntdll.dll!NtOpenKey + 5                                                                 7C90D5D3 5 Bytes  JMP 61775466 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Bonjour\mDNSResponder.exe[696] ntdll.dll!NtRenameKey + 5                                                               7C90DA63 5 Bytes  JMP 617754A0 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Bonjour\mDNSResponder.exe[696] ntdll.dll!NtSetInformationFile + 5                                                      7C90DC63 5 Bytes  JMP 617754DA C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Bonjour\mDNSResponder.exe[696] ntdll.dll!NtSetValueKey + 5                                                             7C90DDD3 5 Bytes  JMP 61775514 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Bonjour\mDNSResponder.exe[696] ntdll.dll!NtTerminateProcess + 5                                                        7C90DE73 5 Bytes  JMP 6177554E C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[720] ntdll.dll!NtCreateFile + 5                                 7C90D0B3 5 Bytes  JMP 617752D0 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[720] ntdll.dll!NtCreateKey + 5                                  7C90D0F3 5 Bytes  JMP 6177530A C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[720] ntdll.dll!NtCreateThread + 5                               7C90D1B3 5 Bytes  JMP 61775344 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[720] ntdll.dll!NtDeleteFile + 5                                 7C90D243 5 Bytes  JMP 6177537E C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[720] ntdll.dll!NtDeleteValueKey + 5                             7C90D273 5 Bytes  JMP 617753B8 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[720] ntdll.dll!NtMapViewOfSection + 5                           7C90D523 5 Bytes  JMP 617753F2 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[720] ntdll.dll!NtOpenFile + 5                                   7C90D5A3 5 Bytes  JMP 6177542C C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[720] ntdll.dll!NtOpenKey + 5                                    7C90D5D3 5 Bytes  JMP 61775466 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[720] ntdll.dll!NtRenameKey + 5                                  7C90DA63 5 Bytes  JMP 617754A0 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[720] ntdll.dll!NtSetInformationFile + 5                         7C90DC63 5 Bytes  JMP 617754DA C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[720] ntdll.dll!NtSetValueKey + 5                                7C90DDD3 5 Bytes  JMP 61775514 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[720] ntdll.dll!NtTerminateProcess + 5                           7C90DE73 5 Bytes  JMP 6177554E C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[736] ntdll.dll!NtCreateFile + 5                  7C90D0B3 5 Bytes  JMP 617752D0 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[736] ntdll.dll!NtCreateKey + 5                   7C90D0F3 5 Bytes  JMP 6177530A C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[736] ntdll.dll!NtCreateThread + 5                7C90D1B3 5 Bytes  JMP 61775344 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[736] ntdll.dll!NtDeleteFile + 5                  7C90D243 5 Bytes  JMP 6177537E C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[736] ntdll.dll!NtDeleteValueKey + 5              7C90D273 5 Bytes  JMP 617753B8 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[736] ntdll.dll!NtMapViewOfSection + 5            7C90D523 5 Bytes  JMP 617753F2 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[736] ntdll.dll!NtOpenFile + 5                    7C90D5A3 5 Bytes  JMP 6177542C C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[736] ntdll.dll!NtOpenKey + 5                     7C90D5D3 5 Bytes  JMP 61775466 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[736] ntdll.dll!NtRenameKey + 5                   7C90DA63 5 Bytes  JMP 617754A0 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[736] ntdll.dll!NtSetInformationFile + 5          7C90DC63 5 Bytes  JMP 617754DA C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[736] ntdll.dll!NtSetValueKey + 5                 7C90DDD3 5 Bytes  JMP 61775514 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[736] ntdll.dll!NtTerminateProcess + 5            7C90DE73 5 Bytes  JMP 6177554E C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[748] ntdll.dll!NtCreateFile + 5                                                 7C90D0B3 5 Bytes  JMP 617752D0 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[748] ntdll.dll!NtCreateKey + 5                                                  7C90D0F3 5 Bytes  JMP 6177530A C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[748] ntdll.dll!NtCreateThread + 5                                               7C90D1B3 5 Bytes  JMP 61775344 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[748] ntdll.dll!NtDeleteFile + 5                                                 7C90D243 5 Bytes  JMP 6177537E C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[748] ntdll.dll!NtDeleteValueKey + 5                                             7C90D273 5 Bytes  JMP 617753B8 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[748] ntdll.dll!NtMapViewOfSection + 5                                           7C90D523 5 Bytes  JMP 617753F2 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[748] ntdll.dll!NtOpenFile + 5                                                   7C90D5A3 5 Bytes  JMP 6177542C C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[748] ntdll.dll!NtOpenKey + 5                                                    7C90D5D3 5 Bytes  JMP 61775466 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[748] ntdll.dll!NtRenameKey + 5                                                  7C90DA63 5 Bytes  JMP 617754A0 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[748] ntdll.dll!NtSetInformationFile + 5                                         7C90DC63 5 Bytes  JMP 617754DA C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[748] ntdll.dll!NtSetValueKey + 5                                                7C90DDD3 5 Bytes  JMP 61775514 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[748] ntdll.dll!NtTerminateProcess + 5                                           7C90DE73 5 Bytes  JMP 6177554E C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[892] ntdll.dll!NtCreateFile + 5                                     7C90D0B3 5 Bytes  JMP 617752D0 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[892] ntdll.dll!NtCreateKey + 5                                      7C90D0F3 5 Bytes  JMP 6177530A C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[892] ntdll.dll!NtCreateThread + 5                                   7C90D1B3 5 Bytes  JMP 61775344 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[892] ntdll.dll!NtDeleteFile + 5                                     7C90D243 5 Bytes  JMP 6177537E C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[892] ntdll.dll!NtDeleteValueKey + 5                                 7C90D273 5 Bytes  JMP 617753B8 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[892] ntdll.dll!NtMapViewOfSection + 5                               7C90D523 5 Bytes  JMP 617753F2 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[892] ntdll.dll!NtOpenFile + 5                                       7C90D5A3 5 Bytes  JMP 6177542C C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[892] ntdll.dll!NtOpenKey + 5                                        7C90D5D3 5 Bytes  JMP 61775466 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[892] ntdll.dll!NtRenameKey + 5                                      7C90DA63 5 Bytes  JMP 617754A0 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[892] ntdll.dll!NtSetInformationFile + 5                             7C90DC63 5 Bytes  JMP 617754DA C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[892] ntdll.dll!NtSetValueKey + 5                                    7C90DDD3 5 Bytes  JMP 61775514 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[892] ntdll.dll!NtTerminateProcess + 5                               7C90DE73 5 Bytes  JMP 6177554E C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[2044] ntdll.dll!NtCreateKey + 5                                              7C90D0F3 5 Bytes  JMP 6177530A C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[2044] ntdll.dll!NtCreateThread + 5                                           7C90D1B3 5 Bytes  JMP 61775344 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[2044] ntdll.dll!NtDeleteFile + 5                                             7C90D243 5 Bytes  JMP 6177537E C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[2044] ntdll.dll!NtDeleteValueKey + 5                                         7C90D273 5 Bytes  JMP 617753B8 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[2044] ntdll.dll!NtMapViewOfSection + 5                                       7C90D523 5 Bytes  JMP 617753F2 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[2044] ntdll.dll!NtOpenFile + 5                                               7C90D5A3 5 Bytes  JMP 6177542C C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[2044] ntdll.dll!NtOpenKey + 5                                                7C90D5D3 5 Bytes  JMP 61775466 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[2044] ntdll.dll!NtRenameKey + 5                                              7C90DA63 5 Bytes  JMP 617754A0 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[2044] ntdll.dll!NtSetInformationFile + 5                                     7C90DC63 5 Bytes  JMP 617754DA C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[2044] ntdll.dll!NtSetValueKey + 5                                            7C90DDD3 5 Bytes  JMP 61775514 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[2044] ntdll.dll!NtTerminateProcess + 5                                       7C90DE73 5 Bytes  JMP 6177554E C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2144] ntdll.dll!NtCreateFile + 5                                         7C90D0B3 5 Bytes  JMP 617752D0 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2144] ntdll.dll!NtCreateKey + 5                                          7C90D0F3 5 Bytes  JMP 6177530A C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2144] ntdll.dll!NtCreateThread + 5                                       7C90D1B3 5 Bytes  JMP 61775344 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2144] ntdll.dll!NtDeleteFile + 5                                         7C90D243 5 Bytes  JMP 6177537E C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2144] ntdll.dll!NtDeleteValueKey + 5                                     7C90D273 5 Bytes  JMP 617753B8 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2144] ntdll.dll!NtMapViewOfSection + 5                                   7C90D523 5 Bytes  JMP 617753F2 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2144] ntdll.dll!NtOpenFile + 5                                           7C90D5A3 5 Bytes  JMP 6177542C C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2144] ntdll.dll!NtOpenKey + 5                                            7C90D5D3 5 Bytes  JMP 61775466 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2144] ntdll.dll!NtRenameKey + 5                                          7C90DA63 5 Bytes  JMP 617754A0 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2144] ntdll.dll!NtSetInformationFile + 5                                 7C90DC63 5 Bytes  JMP 617754DA C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2144] ntdll.dll!NtSetValueKey + 5                                        7C90DDD3 5 Bytes  JMP 61775514 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2144] ntdll.dll!NtTerminateProcess + 5                                   7C90DE73 5 Bytes  JMP 6177554E C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2204] ntdll.dll!NtCreateFile + 5                                          7C90D0B3 5 Bytes  JMP 617752D0 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2204] ntdll.dll!NtCreateKey + 5                                           7C90D0F3 5 Bytes  JMP 6177530A C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2204] ntdll.dll!NtCreateThread + 5                                        7C90D1B3 5 Bytes  JMP 61775344 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2204] ntdll.dll!NtDeleteFile + 5                                          7C90D243 5 Bytes  JMP 6177537E C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2204] ntdll.dll!NtDeleteValueKey + 5                                      7C90D273 5 Bytes  JMP 617753B8 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2204] ntdll.dll!NtMapViewOfSection + 5                                    7C90D523 5 Bytes  JMP 617753F2 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2204] ntdll.dll!NtOpenFile + 5                                            7C90D5A3 5 Bytes  JMP 6177542C C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2204] ntdll.dll!NtOpenKey + 5                                             7C90D5D3 5 Bytes  JMP 61775466 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2204] ntdll.dll!NtRenameKey + 5                                           7C90DA63 5 Bytes  JMP 617754A0 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2204] ntdll.dll!NtSetInformationFile + 5                                  7C90DC63 5 Bytes  JMP 617754DA C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2204] ntdll.dll!NtSetValueKey + 5                                         7C90DDD3 5 Bytes  JMP 61775514 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2204] ntdll.dll!NtTerminateProcess + 5                                    7C90DE73 5 Bytes  JMP 6177554E C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\WINDOWS\system32\svchost.exe[2220] ntdll.dll!NtCreateFile + 5                                                                        7C90D0B3 5 Bytes  JMP 617752D0 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\WINDOWS\system32\svchost.exe[2220] ntdll.dll!NtCreateKey + 5                                                                         7C90D0F3 5 Bytes  JMP 6177530A C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\WINDOWS\system32\svchost.exe[2220] ntdll.dll!NtCreateThread + 5                                                                      7C90D1B3 5 Bytes  JMP 61775344 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\WINDOWS\system32\svchost.exe[2220] ntdll.dll!NtDeleteFile + 5                                                                        7C90D243 5 Bytes  JMP 6177537E C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\WINDOWS\system32\svchost.exe[2220] ntdll.dll!NtDeleteValueKey + 5                                                                    7C90D273 5 Bytes  JMP 617753B8 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\WINDOWS\system32\svchost.exe[2220] ntdll.dll!NtMapViewOfSection + 5                                                                  7C90D523 5 Bytes  JMP 617753F2 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\WINDOWS\system32\svchost.exe[2220] ntdll.dll!NtOpenFile + 5                                                                          7C90D5A3 5 Bytes  JMP 6177542C C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\WINDOWS\system32\svchost.exe[2220] ntdll.dll!NtOpenKey + 5                                                                           7C90D5D3 5 Bytes  JMP 61775466 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\WINDOWS\system32\svchost.exe[2220] ntdll.dll!NtRenameKey + 5                                                                         7C90DA63 5 Bytes  JMP 617754A0 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\WINDOWS\system32\svchost.exe[2220] ntdll.dll!NtSetInformationFile + 5                                                                7C90DC63 5 Bytes  JMP 617754DA C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\WINDOWS\system32\svchost.exe[2220] ntdll.dll!NtSetValueKey + 5                                                                       7C90DDD3 5 Bytes  JMP 61775514 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\WINDOWS\system32\svchost.exe[2220] ntdll.dll!NtTerminateProcess + 5                                                                  7C90DE73 5 Bytes  JMP 6177554E C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[2256] ntdll.dll!NtCreateFile + 5                                     7C90D0B3 5 Bytes  JMP 617752D0 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[2256] ntdll.dll!NtCreateKey + 5                                      7C90D0F3 5 Bytes  JMP 6177530A C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[2256] ntdll.dll!NtCreateThread + 5                                   7C90D1B3 5 Bytes  JMP 61775344 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[2256] ntdll.dll!NtDeleteFile + 5                                     7C90D243 5 Bytes  JMP 6177537E C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[2256] ntdll.dll!NtDeleteValueKey + 5                                 7C90D273 5 Bytes  JMP 617753B8 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[2256] ntdll.dll!NtMapViewOfSection + 5                               7C90D523 5 Bytes  JMP 617753F2 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[2256] ntdll.dll!NtOpenFile + 5                                       7C90D5A3 5 Bytes  JMP 6177542C C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[2256] ntdll.dll!NtOpenKey + 5                                        7C90D5D3 5 Bytes  JMP 61775466 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[2256] ntdll.dll!NtRenameKey + 5                                      7C90DA63 5 Bytes  JMP 617754A0 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[2256] ntdll.dll!NtSetInformationFile + 5                             7C90DC63 5 Bytes  JMP 617754DA C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[2256] ntdll.dll!NtSetValueKey + 5                                    7C90DDD3 5 Bytes  JMP 61775514 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[2256] ntdll.dll!NtTerminateProcess + 5                               7C90DE73 5 Bytes  JMP 6177554E C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[2336] ntdll.dll!NtCreateFile + 5                                              7C90D0B3 5 Bytes  JMP 617752D0 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[2336] ntdll.dll!NtCreateKey + 5                                               7C90D0F3 5 Bytes  JMP 6177530A C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[2336] ntdll.dll!NtCreateThread + 5                                            7C90D1B3 5 Bytes  JMP 61775344 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[2336] ntdll.dll!NtDeleteFile + 5                                              7C90D243 5 Bytes  JMP 6177537E C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[2336] ntdll.dll!NtDeleteValueKey + 5                                          7C90D273 5 Bytes  JMP 617753B8 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[2336] ntdll.dll!NtMapViewOfSection + 5                                        7C90D523 5 Bytes  JMP 617753F2 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[2336] ntdll.dll!NtOpenFile + 5                                                7C90D5A3 5 Bytes  JMP 6177542C C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[2336] ntdll.dll!NtOpenKey + 5                                                 7C90D5D3 5 Bytes  JMP 61775466 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[2336] ntdll.dll!NtRenameKey + 5                                               7C90DA63 5 Bytes  JMP 617754A0 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[2336] ntdll.dll!NtSetInformationFile + 5                                      7C90DC63 5 Bytes  JMP 617754DA C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[2336] ntdll.dll!NtSetValueKey + 5                                             7C90DDD3 5 Bytes  JMP 61775514 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[2336] ntdll.dll!NtTerminateProcess + 5                                        7C90DE73 5 Bytes  JMP 6177554E C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe[2456] ntdll.dll!NtCreateFile + 5                                               7C90D0B3 5 Bytes  JMP 617752D0 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe[2456] ntdll.dll!NtCreateKey + 5                                                7C90D0F3 5 Bytes  JMP 6177530A C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe[2456] ntdll.dll!NtCreateThread + 5                                             7C90D1B3 5 Bytes  JMP 61775344 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe[2456] ntdll.dll!NtDeleteFile + 5                                               7C90D243 5 Bytes  JMP 6177537E C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe[2456] ntdll.dll!NtDeleteValueKey + 5                                           7C90D273 5 Bytes  JMP 617753B8 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe[2456] ntdll.dll!NtMapViewOfSection + 5                                         7C90D523 5 Bytes  JMP 617753F2 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe[2456] ntdll.dll!NtOpenFile + 5                                                 7C90D5A3 5 Bytes  JMP 6177542C C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe[2456] ntdll.dll!NtOpenKey + 5                                                  7C90D5D3 5 Bytes  JMP 61775466 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe[2456] ntdll.dll!NtRenameKey + 5                                                7C90DA63 5 Bytes  JMP 617754A0 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe[2456] ntdll.dll!NtSetInformationFile + 5                                       7C90DC63 5 Bytes  JMP 617754DA C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe[2456] ntdll.dll!NtSetValueKey + 5                                              7C90DDD3 5 Bytes  JMP 61775514 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe[2456] ntdll.dll!NtTerminateProcess + 5                                         7C90DE73 5 Bytes  JMP 6177554E C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Secunia\PSI\sua.exe[2876] ntdll.dll!NtCreateFile + 5                                                                   7C90D0B3 5 Bytes  JMP 617752D0 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Secunia\PSI\sua.exe[2876] ntdll.dll!NtCreateKey + 5                                                                    7C90D0F3 5 Bytes  JMP 6177530A C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Secunia\PSI\sua.exe[2876] ntdll.dll!NtCreateThread + 5                                                                 7C90D1B3 5 Bytes  JMP 61775344 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Secunia\PSI\sua.exe[2876] ntdll.dll!NtDeleteFile + 5                                                                   7C90D243 5 Bytes  JMP 6177537E C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Secunia\PSI\sua.exe[2876] ntdll.dll!NtDeleteValueKey + 5                                                               7C90D273 5 Bytes  JMP 617753B8 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Secunia\PSI\sua.exe[2876] ntdll.dll!NtMapViewOfSection + 5                                                             7C90D523 5 Bytes  JMP 617753F2 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Secunia\PSI\sua.exe[2876] ntdll.dll!NtOpenFile + 5                                                                     7C90D5A3 5 Bytes  JMP 6177542C C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Secunia\PSI\sua.exe[2876] ntdll.dll!NtOpenKey + 5                                                                      7C90D5D3 5 Bytes  JMP 61775466 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Secunia\PSI\sua.exe[2876] ntdll.dll!NtRenameKey + 5                                                                    7C90DA63 5 Bytes  JMP 617754A0 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Secunia\PSI\sua.exe[2876] ntdll.dll!NtSetInformationFile + 5                                                           7C90DC63 5 Bytes  JMP 617754DA C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Secunia\PSI\sua.exe[2876] ntdll.dll!NtSetValueKey + 5                                                                  7C90DDD3 5 Bytes  JMP 61775514 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Program Files\Secunia\PSI\sua.exe[2876] ntdll.dll!NtTerminateProcess + 5                                                             7C90DE73 5 Bytes  JMP 6177554E C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Documents and Settings\McClunacy\Local Settings\Application Data\Akamai\netsession_win.exe[3104] ntdll.dll!NtCreateFile + 5          7C90D0B3 5 Bytes  JMP 617752D0 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Documents and Settings\McClunacy\Local Settings\Application Data\Akamai\netsession_win.exe[3104] ntdll.dll!NtCreateKey + 5           7C90D0F3 5 Bytes  JMP 6177530A C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Documents and Settings\McClunacy\Local Settings\Application Data\Akamai\netsession_win.exe[3104] ntdll.dll!NtCreateThread + 5        7C90D1B3 5 Bytes  JMP 61775344 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Documents and Settings\McClunacy\Local Settings\Application Data\Akamai\netsession_win.exe[3104] ntdll.dll!NtDeleteFile + 5          7C90D243 5 Bytes  JMP 6177537E C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Documents and Settings\McClunacy\Local Settings\Application Data\Akamai\netsession_win.exe[3104] ntdll.dll!NtDeleteValueKey + 5      7C90D273 5 Bytes  JMP 617753B8 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Documents and Settings\McClunacy\Local Settings\Application Data\Akamai\netsession_win.exe[3104] ntdll.dll!NtMapViewOfSection + 5    7C90D523 5 Bytes  JMP 617753F2 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Documents and Settings\McClunacy\Local Settings\Application Data\Akamai\netsession_win.exe[3104] ntdll.dll!NtOpenFile + 5            7C90D5A3 5 Bytes  JMP 6177542C C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Documents and Settings\McClunacy\Local Settings\Application Data\Akamai\netsession_win.exe[3104] ntdll.dll!NtOpenKey + 5             7C90D5D3 5 Bytes  JMP 61775466 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Documents and Settings\McClunacy\Local Settings\Application Data\Akamai\netsession_win.exe[3104] ntdll.dll!NtRenameKey + 5           7C90DA63 5 Bytes  JMP 617754A0 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Documents and Settings\McClunacy\Local Settings\Application Data\Akamai\netsession_win.exe[3104] ntdll.dll!NtSetInformationFile + 5  7C90DC63 5 Bytes  JMP 617754DA C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Documents and Settings\McClunacy\Local Settings\Application Data\Akamai\netsession_win.exe[3104] ntdll.dll!NtSetValueKey + 5         7C90DDD3 5 Bytes  JMP 61775514 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Documents and Settings\McClunacy\Local Settings\Application Data\Akamai\netsession_win.exe[3104] ntdll.dll!NtTerminateProcess + 5    7C90DE73 5 Bytes  JMP 6177554E C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\WINDOWS\Explorer.EXE[3444] ntdll.dll!NtCreateFile + 5                                                                                7C90D0B3 5 Bytes  JMP 617752D0 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\WINDOWS\Explorer.EXE[3444] ntdll.dll!NtCreateKey + 5                                                                                 7C90D0F3 5 Bytes  JMP 6177530A C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\WINDOWS\Explorer.EXE[3444] ntdll.dll!NtCreateThread + 5                                                                              7C90D1B3 5 Bytes  JMP 61775344 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\WINDOWS\Explorer.EXE[3444] ntdll.dll!NtDeleteFile + 5                                                                                7C90D243 5 Bytes  JMP 6177537E C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\WINDOWS\Explorer.EXE[3444] ntdll.dll!NtDeleteValueKey + 5                                                                            7C90D273 5 Bytes  JMP 617753B8 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\WINDOWS\Explorer.EXE[3444] ntdll.dll!NtMapViewOfSection + 5                                                                          7C90D523 5 Bytes  JMP 617753F2 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\WINDOWS\Explorer.EXE[3444] ntdll.dll!NtOpenFile + 5                                                                                  7C90D5A3 5 Bytes  JMP 6177542C C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\WINDOWS\Explorer.EXE[3444] ntdll.dll!NtOpenKey + 5                                                                                   7C90D5D3 5 Bytes  JMP 61775466 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\WINDOWS\Explorer.EXE[3444] ntdll.dll!NtRenameKey + 5                                                                                 7C90DA63 5 Bytes  JMP 617754A0 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\WINDOWS\Explorer.EXE[3444] ntdll.dll!NtSetInformationFile + 5                                                                        7C90DC63 5 Bytes  JMP 617754DA C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\WINDOWS\Explorer.EXE[3444] ntdll.dll!NtSetValueKey + 5                                                                               7C90DDD3 5 Bytes  JMP 61775514 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\WINDOWS\Explorer.EXE[3444] ntdll.dll!NtTerminateProcess + 5                                                                          7C90DE73 5 Bytes  JMP 6177554E C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Documents and Settings\McClunacy\Desktop\1kbjj1n5.exe[3448] ntdll.dll!NtCreateFile + 5                                               7C90D0B3 5 Bytes  JMP 617752D0 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Documents and Settings\McClunacy\Desktop\1kbjj1n5.exe[3448] ntdll.dll!NtCreateKey + 5                                                7C90D0F3 5 Bytes  JMP 6177530A C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Documents and Settings\McClunacy\Desktop\1kbjj1n5.exe[3448] ntdll.dll!NtCreateThread + 5                                             7C90D1B3 5 Bytes  JMP 61775344 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Documents and Settings\McClunacy\Desktop\1kbjj1n5.exe[3448] ntdll.dll!NtDeleteFile + 5                                               7C90D243 5 Bytes  JMP 6177537E C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Documents and Settings\McClunacy\Desktop\1kbjj1n5.exe[3448] ntdll.dll!NtDeleteValueKey + 5                                           7C90D273 5 Bytes  JMP 617753B8 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Documents and Settings\McClunacy\Desktop\1kbjj1n5.exe[3448] ntdll.dll!NtMapViewOfSection + 5                                         7C90D523 5 Bytes  JMP 617753F2 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Documents and Settings\McClunacy\Desktop\1kbjj1n5.exe[3448] ntdll.dll!NtOpenFile + 5                                                 7C90D5A3 5 Bytes  JMP 6177542C C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Documents and Settings\McClunacy\Desktop\1kbjj1n5.exe[3448] ntdll.dll!NtOpenKey + 5                                                  7C90D5D3 5 Bytes  JMP 61775466 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Documents and Settings\McClunacy\Desktop\1kbjj1n5.exe[3448] ntdll.dll!NtRenameKey + 5                                                7C90DA63 5 Bytes  JMP 617754A0 C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Documents and Settings\McClunacy\Desktop\1kbjj1n5.exe[3448] ntdll.dll!NtSetInformationFile + 5                                       7C90DC63 5 Bytes  JMP 617754DA C:\WINDOWS\SYSTEM32\SYSFER.DLL
.text           C:\Documents and Settings\McClunacy\Desktop\1kbjj1n5.exe[3448] ntdll.dll!NtSetValueKey + 5                                              7C90DDD3 5 Bytes  JMP 61775514 C:\WINDOWS\SYSTEM32\SYSFER.DLL

---- Devices - GMER 2.1 ----

AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                                                SYMTDI.SYS
AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                                                wpsdrvnt.sys
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                                               SYMTDI.SYS
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                                               wpsdrvnt.sys
AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                                               SYMTDI.SYS
AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                                               wpsdrvnt.sys
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                                             SYMTDI.SYS
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                                             wpsdrvnt.sys
AttachedDevice  \FileSystem\Fastfat \Fat                                                                                                                fltmgr.sys

Device          \FileSystem\Cdfs \Cdfs                                                                                                                  B3750400

---- Registry - GMER 2.1 ----

Reg             HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\03E4A8BF51994184DA9F240ED0F9CDD3\Usage@Core         1115456248

---- EOF - GMER 2.1 ----
 



#12 The Dark Knight

Posted 29 March 2013 - 04:58 PM

Hello mcclune,

 

One more.

 

Please also run this tool but do not be alarmed if it crashes as this has been known to occur on Windows 7.

Download and save it to your Desktop.

Close all open programs and browsers, then double-click RKUnhookerLE.exe to run it.
Vista/Windows 7 users right-click and select Run As Administrator.

  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth Code, Files, and Code Hooks.
  • UNcheck the rest, then click OK.
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK.
  • Wait until the scanner has finished, then go to File > Save Report.
  • Save the report somewhere you can find it. Click Close.
  • Copy the entire contents of the report and paste it in your next reply.

    Note: You may get the following warning. Just ignore it, click OK and continue:
    "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"


If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!


If I have helped you please consider donating to the Neuroscience Research Institute.




#13 mcclune


Posted 29 March 2013 - 05:36 PM

DK, no download link to the exe file. I looked around and other posts pointing to RKUnhookerLE.exe weren't working. Please provide good link. Thx.



#14 The Dark Knight


Posted 31 March 2013 - 09:35 PM

Hey mcclune,

 

Let's try something else.

 

Please download the Sophos Virus Removal Tool and save it to your desktop:

  • Be sure to view the 3 short How-to videos on that page.
  • Double-click Sophos Virus Removal Tool.exe. The installation files will extract and the installer will automatically run.
  • Follow the prompts to accept the license agreement, and accept the default location.
  • A message will appear "InstallShield Wizard Completed".
  • Click 'Finish' to start the program.
  • After it updates and a "Start Scanning" button appears in the lower right:
    • Disconnect from the Internet or physically unplug your Internet cable connection.
    • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
    • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • Click the "Start Scanning" button in the lower right to start the scan.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, if it detected anything there will be a "Start Clean-up" button, click it and allow it to finish.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • A log will be in the following location:
    • Vista and above: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log
      --for 64-bit C:\Program Files (x86)\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log
       
    • 2000/XP/Server 2003: C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log
  • Please post the log in your next reply.




#15 mcclune


Posted 01 April 2013 - 02:51 PM

Alright Dark Knight...We found something!

 

Sophos Log:

 

2013-04-01 10:39:54    Sophos Virus Removal Tool version 2.3
2013-04-01 10:39:54    Copyright © 2009-2012 Sophos Limited. All rights reserved.

2013-04-01 10:39:54    This tool will scan your computer for viruses and other threats. If it finds any, it will give you the option to remove them.

2013-04-01 10:39:54    Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x300 PT=0x1 Win32
2013-04-01 10:39:54    Checking for updates...
2013-04-01 10:40:02    Option all = no
2013-04-01 10:40:02    Option recurse = yes
2013-04-01 10:40:02    Option archive = no
2013-04-01 10:40:02    Option service = yes
2013-04-01 10:40:02    Option confirm = yes
2013-04-01 10:40:02    Option sxl = yes
2013-04-01 10:40:02    Option max-data-age = 35
2013-04-01 10:40:02    Component SVRTcli.exe version 2.3
2013-04-01 10:40:02    Component control.dll version 2.3
2013-04-01 10:40:02    Component SVRTservice.exe version 2.3
2013-04-01 10:40:02    Component engine\osdp.dll version 1.44.0.2060
2013-04-01 10:40:02    Component engine\veex.dll version 3.41.0.2060
2013-04-01 10:40:02    Component engine\savi.dll version 7.5.11.2060
2013-04-01 10:40:02    Component rkdisk.dll version 1.5.30.0
2013-04-01 10:40:02    Version info:    Product version    2.3
2013-04-01 10:40:02    Version info:    Detection engine    3.41.0
2013-04-01 10:40:02    Version info:    Detection data    4.87
2013-04-01 10:40:02    Version info:    Build date    3/13/2013
2013-04-01 10:40:02    Version info:    Data files added    388
2013-04-01 10:40:02    Version info:    Last successful update    (not yet updated)
2013-04-01 10:40:24    Update progress: proxy server not available
2013-04-01 10:40:39    Update error: failed to read remote metadata (error 4)
Cannot locate server for http://dci.sophosupd.com/update/d/7b/d7bc878cbef01957fbd66b6e8992d505.xml

2013-04-01 10:40:59    Scan completed.
2013-04-01 10:40:59    

------------------------------------------------------------

2013-04-01 10:41:02    Sophos Virus Removal Tool version 2.3
2013-04-01 10:41:02    Copyright © 2009-2012 Sophos Limited. All rights reserved.

2013-04-01 10:41:02    This tool will scan your computer for viruses and other threats. If it finds any, it will give you the option to remove them.

2013-04-01 10:41:02    Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x300 PT=0x1 Win32
2013-04-01 10:41:02    Checking for updates...
2013-04-01 10:41:08    Option all = no
2013-04-01 10:41:08    Option recurse = yes
2013-04-01 10:41:08    Option archive = no
2013-04-01 10:41:08    Option service = yes
2013-04-01 10:41:08    Option confirm = yes
2013-04-01 10:41:08    Option sxl = yes
2013-04-01 10:41:08    Option max-data-age = 35
2013-04-01 10:41:08    Component SVRTcli.exe version 2.3
2013-04-01 10:41:08    Component control.dll version 2.3
2013-04-01 10:41:08    Component SVRTservice.exe version 2.3
2013-04-01 10:41:08    Component engine\osdp.dll version 1.44.0.2060
2013-04-01 10:41:08    Component engine\veex.dll version 3.41.0.2060
2013-04-01 10:41:08    Component engine\savi.dll version 7.5.11.2060
2013-04-01 10:41:08    Component rkdisk.dll version 1.5.30.0
2013-04-01 10:41:08    Version info:    Product version    2.3
2013-04-01 10:41:08    Version info:    Detection engine    3.41.0
2013-04-01 10:41:08    Version info:    Detection data    4.87
2013-04-01 10:41:08    Version info:    Build date    3/13/2013
2013-04-01 10:41:08    Version info:    Data files added    388
2013-04-01 10:41:08    Version info:    Last successful update    (not yet updated)
2013-04-01 10:41:14    Update progress: proxy server not available
2013-04-01 10:41:38    Downloading updates...
2013-04-01 10:41:38    Update progress: [I96736] Looking for package C1A903B2-E63E-483b-982D-04BB9C457C60 1.0
2013-04-01 10:41:38    Update progress: [I49502] Found supplement SAVIW32 LATEST 4
2013-04-01 10:41:38    Update progress: [I49502] Found supplement IDE488 LATEST
2013-04-01 10:41:38    Update progress: [I49502] Found supplement IDE489 LATEST
2013-04-01 10:41:38    Update progress: [I49502] Found supplement IDE490 LATEST
2013-04-01 10:41:38    Update progress: [I19463] Syncing product C1A903B2-E63E-483b-982D-04BB9C457C60 1
2013-04-01 10:41:38    Update progress: [I19463] Syncing product SAVIW32 25
2013-04-01 10:41:42    Update progress: [I19463] Syncing product IDE488 180
2013-04-01 10:41:43    Installing updates...
2013-04-01 10:41:43    Update progress: [I19463] Syncing product IDE489 210
2013-04-01 10:41:43    Update progress: [I19463] Syncing product IDE490 1
2013-04-01 10:41:55    Update successful
2013-04-01 10:42:03    Option all = no
2013-04-01 10:42:03    Option recurse = yes
2013-04-01 10:42:03    Option archive = no
2013-04-01 10:42:03    Option service = yes
2013-04-01 10:42:03    Option confirm = yes
2013-04-01 10:42:03    Option sxl = yes
2013-04-01 10:42:03    Option max-data-age = 35
2013-04-01 10:42:03    Component SVRTcli.exe version 2.3
2013-04-01 10:42:03    Component control.dll version 2.3
2013-04-01 10:42:03    Component SVRTservice.exe version 2.3
2013-04-01 10:42:03    Component engine\osdp.dll version 1.44.0.2060
2013-04-01 10:42:03    Component engine\veex.dll version 3.41.0.2060
2013-04-01 10:42:03    Component engine\savi.dll version 7.5.11.2060
2013-04-01 10:42:03    Component rkdisk.dll version 1.5.30.0
2013-04-01 10:42:03    Version info:    Product version    2.3
2013-04-01 10:42:03    Version info:    Detection engine    3.41.0
2013-04-01 10:42:03    Version info:    Detection data    4.87G
2013-04-01 10:42:03    Version info:    Build date    3/13/2013
2013-04-01 10:42:03    Version info:    Data files added    388
2013-04-01 10:42:03    Version info:    Last successful update    4/1/2013 10:41:55 AM

2013-04-01 11:13:44    >>> Virus 'Mal/FakeAvCn-A' found in file C:\Documents and Settings\All Users\Application Data\uq77KYvSaP0xeY
2013-04-01 11:13:44    >>> Virus 'Mal/FakeAvCn-A' found in file HKU\S-1-5-21-3003466951-3774543392-1737223591-1006\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures
2013-04-01 11:13:44    >>> Virus 'Mal/FakeAvCn-A' found in file HKU\S-1-5-21-3003466951-3774543392-1737223591-1006\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypess
2013-04-01 12:34:57    Could not open C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
2013-04-01 12:34:57    Could not open C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
2013-04-01 12:38:50    The following items will be cleaned up:
2013-04-01 12:38:50    Mal/FakeAvCn-A
2013-04-01 12:41:23    Threat 'Mal/FakeAvCn-A' has been cleaned up.
2013-04-01 12:41:23    File "C:\Documents and Settings\All Users\Application Data\uq77KYvSaP0xeY" belongs to malware 'Mal/FakeAvCn-A'.
2013-04-01 12:41:23    File "C:\Documents and Settings\All Users\Application Data\uq77KYvSaP0xeY" has been cleaned up.
2013-04-01 12:41:23    Registry value "HKU\S-1-5-21-3003466951-3774543392-1737223591-1006\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures" belongs to malware 'Mal/FakeAvCn-A'.
2013-04-01 12:41:23    Registry value "HKU\S-1-5-21-3003466951-3774543392-1737223591-1006\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures" has been cleaned up.
2013-04-01 12:41:23    Registry value "HKU\S-1-5-21-3003466951-3774543392-1737223591-1006\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypess" belongs to malware 'Mal/FakeAvCn-A'.
2013-04-01 12:41:23    Registry value "HKU\S-1-5-21-3003466951-3774543392-1737223591-1006\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypess" has been cleaned up.
2013-04-01 12:41:23    Removal successful
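
Log triage for the Sophos Virus Removal Tool output above, added here as an example and not part of the original post or any Sophos tooling: it pairs every detection with its cleanup record and lists whatever is left over. The function and field names are hypothetical, and the sample embeds lines from the posted log plus one constructed `Mal/Example-A` detection that has no cleanup line.

```python
import re

# All lines are excerpted from the log posted above except the 'Mal/Example-A'
# line, which is constructed here to show a detection with no cleanup record.
SAMPLE_LOG = r"""
2013-04-01 10:40:39    Update error: failed to read remote metadata (error 4)
2013-04-01 11:13:44    >>> Virus 'Mal/FakeAvCn-A' found in file C:\Documents and Settings\All Users\Application Data\uq77KYvSaP0xeY
2013-04-01 11:13:44    >>> Virus 'Mal/FakeAvCn-A' found in file HKU\S-1-5-21-3003466951-3774543392-1737223591-1006\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures
2013-04-01 11:13:45    >>> Virus 'Mal/Example-A' found in file C:\Example\constructed.tmp
2013-04-01 12:34:57    Could not open C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
2013-04-01 12:41:23    File "C:\Documents and Settings\All Users\Application Data\uq77KYvSaP0xeY" has been cleaned up.
2013-04-01 12:41:23    Registry value "HKU\S-1-5-21-3003466951-3774543392-1737223591-1006\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures" has been cleaned up.
"""

STAMPED = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+(.*)$")
FOUND = re.compile(r"^>>> Virus '([^']+)' found in file (.+)$")
CLEANED = re.compile(r'^(?:File|Registry value) "(.+)" has been cleaned up\.$')
HIVES = ("HKLM\\", "HKU\\", "HKCU\\", "HKCR\\")

def triage(log_text):
    """Reconcile detections against cleanup records in an SVRT-style log."""
    found, cleaned = {}, set()
    report = {"update_errors": [], "unscanned": []}
    for raw in log_text.splitlines():
        m = STAMPED.match(raw.strip())
        if not m:
            continue  # banner text and untimestamped continuation lines
        msg = m.group(1).strip()
        if (hit := FOUND.match(msg)):
            threat, path = hit.groups()
            # The log says "found in file" even for registry values,
            # so classify each hit by its hive prefix instead.
            kind = "registry" if path.upper().startswith(HIVES) else "file"
            found[path] = {"threat": threat, "kind": kind, "path": path}
        elif (done := CLEANED.match(msg)):
            cleaned.add(done.group(1))
        elif msg.startswith("Update error:"):
            report["update_errors"].append(msg)
        elif msg.startswith("Could not open "):
            report["unscanned"].append(msg[len("Could not open "):])
    for item in found.values():
        item["cleaned"] = item["path"] in cleaned
    report["detections"] = list(found.values())
    report["uncleaned"] = [d["path"] for d in found.values() if not d["cleaned"]]
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_LOG)["uncleaned"])
```

Run against the full log in the post, `uncleaned` comes back empty, which matches the tool's closing "Removal successful" line.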
 





