View Full Version : Can't fix items with Spybot
linziejoe
2009-09-23, 21:08
I have run Malwarebytes, and it removed some rootkits. Computer froze during Spybot update and now I get the BSOD when running Spybot. Also running SpywareGuard. Here's my HJT log. Thanks in advance for your help!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:16:51, on 9/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hphmon03.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Handspring\Hotsync.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Lindsay Hudson\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.226 windows-shield.microsoft.com
O1 - Hosts: 91.212.127.226 windows-shield.com
O1 - Hosts: 91.212.127.226 www.windows-shield.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1151536003\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Handspring\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {413D6754-BFD4-47FE-9346-319559290BFA} (HTECtrl Class) - https://www.webpcfos.com/webpcfos/websabre/HTEweb_new.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1184004392343
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: StumbleUponUpdateService - stumbleupon.com - C:\Program Files\StumbleUpon\StumbleUponUpdateService.exe
--
End of file - 10869 bytes
Hi linziejoe
Download gmer.zip (http://gmer.net/gmer.zip) and save to your desktop.
alternate download site (http://hype.free.googlepages.com/gmer.zip)
Unzip/extract the file to its own folder. (Click here (http://www.bleepingcomputer.com/tutorials/tutorial105.html) for information on how to do this if not sure. Win 2000 users click here (http://www.bleepingcomputer.com/tutorials/tutorial106.html).
When you have done this, disconnect from the Internet and close all running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double-click on Gmer.exe to start the program.
Allow the gmer.sys driver to load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
Click on the Rootkit tab.
Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
Click on the "Scan" and wait for the scan to finish.
Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
Note: If you have any problems, try running GMER in SAFE MODE (http://www.bleepingcomputer.com/forums/tutorial61.html)"
Important! Please do not select the "Show all" checkbox during the scan..
linziejoe
2009-10-02, 23:55
Thanks for your help Shaba, I really appreciate it! Computer is running awfully slowly now and I know there's gotta be something here that I can't fix without Spybot.
GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-10-02 15:47:56
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\kwldapog.sys
---- System - GMER 1.0.15 ----
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xEF4B04EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xEF4B0581]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xEF4B0498]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xEF4B04AC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xEF4B0595]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xEF4B05C1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xEF4B062F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xEF4B0619]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xEF4B052A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xEF4B065B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xEF4B056D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xEF4B0470]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xEF4B0484]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xEF4B04FE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xEF4B0697]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xEF4B0603]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xEF4B05ED]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xEF4B05AB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xEF4B0683]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xEF4B066F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xEF4B04D6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xEF4B04C2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xEF4B05D7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xEF4B0559]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xEF4B0645]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xEF4B0540]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xEF4B0514]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!ZwYieldExecution 804F0EA6 7 Bytes JMP EF4B0518 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80568D59 5 Bytes JMP EF4B0571 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryValueKey 8056A1F2 7 Bytes JMP EF4B05F1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056CDC0 5 Bytes JMP EF4B04EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8056DC01 5 Bytes JMP EF4B04C6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateKey 8057065D 5 Bytes JMP EF4B0585 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryKey 80570A6D 7 Bytes JMP EF4B069B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 7 Bytes JMP EF4B0633 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 805717C7 5 Bytes JMP EF4B0474 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80571CB1 7 Bytes JMP EF4B0502 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetValueKey 80572889 7 Bytes JMP EF4B05DB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 805736E6 5 Bytes JMP EF4B0544 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80573B61 7 Bytes JMP EF4B052E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8057FC6C 7 Bytes JMP EF4B04B0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805822EC 5 Bytes JMP EF4B055D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058A1C9 5 Bytes JMP EF4B0488 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 8058A699 5 Bytes JMP EF4B065F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateValueKey 80590677 7 Bytes JMP EF4B061D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80592D5C 7 Bytes JMP EF4B05C5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 805952CA 7 Bytes JMP EF4B0599 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B136A 5 Bytes JMP EF4B049C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062DD17 5 Bytes JMP EF4B04DA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 8064D9DA 7 Bytes JMP EF4B0649 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 8064E300 7 Bytes JMP EF4B0607 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8064E77C 7 Bytes JMP EF4B05AF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRestoreKey 8064EC71 5 Bytes JMP EF4B0673 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwReplaceKey 8064F0DC 5 Bytes JMP EF4B0687 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\svchost.exe[372] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B90FE5
.text C:\WINDOWS\system32\svchost.exe[372] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B90F81
.text C:\WINDOWS\system32\svchost.exe[372] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B90F92
.text C:\WINDOWS\system32\svchost.exe[372] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B9006C
.text C:\WINDOWS\system32\svchost.exe[372] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B9005B
.text C:\WINDOWS\system32\svchost.exe[372] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B90FAF
.text C:\WINDOWS\system32\svchost.exe[372] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B900A2
.text C:\WINDOWS\system32\svchost.exe[372] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B90091
.text C:\WINDOWS\system32\svchost.exe[372] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B900D8
.text C:\WINDOWS\system32\svchost.exe[372] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B90F35
.text C:\WINDOWS\system32\svchost.exe[372] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B900E9
.text C:\WINDOWS\system32\svchost.exe[372] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B90036
.text C:\WINDOWS\system32\svchost.exe[372] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B90000
.text C:\WINDOWS\system32\svchost.exe[372] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B90F66
.text C:\WINDOWS\system32\svchost.exe[372] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B9001B
.text C:\WINDOWS\system32\svchost.exe[372] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B90FCA
.text C:\WINDOWS\system32\svchost.exe[372] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B900BD
.text C:\WINDOWS\system32\svchost.exe[372] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B80047
.text C:\WINDOWS\system32\svchost.exe[372] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B8008E
.text C:\WINDOWS\system32\svchost.exe[372] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B8002C
.text C:\WINDOWS\system32\svchost.exe[372] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B80011
.text C:\WINDOWS\system32\svchost.exe[372] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B80FD1
.text C:\WINDOWS\system32\svchost.exe[372] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B80000
.text C:\WINDOWS\system32\svchost.exe[372] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B80073
.text C:\WINDOWS\system32\svchost.exe[372] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B80062
.text C:\WINDOWS\system32\svchost.exe[372] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B70FC8
.text C:\WINDOWS\system32\svchost.exe[372] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B70FE3
.text C:\WINDOWS\system32\svchost.exe[372] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B7002E
.text C:\WINDOWS\system32\svchost.exe[372] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B70000
.text C:\WINDOWS\system32\svchost.exe[372] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B70049
.text C:\WINDOWS\system32\svchost.exe[372] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B70011
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070080
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070F8B
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070FA8
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0007005B
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0007002F
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 000700B8
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 000700A7
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000700EE
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 000700DD
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 000700FF
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0007004A
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00070FCA
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00070F7A
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00070014
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00070FB9
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00070F5F
.text C:\WINDOWS\system32\services.exe[716] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00060036
.text C:\WINDOWS\system32\services.exe[716] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00060087
.text C:\WINDOWS\system32\services.exe[716] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00060FE5
.text C:\WINDOWS\system32\services.exe[716] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00060011
.text C:\WINDOWS\system32\services.exe[716] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0006006C
.text C:\WINDOWS\system32\services.exe[716] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[716] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00060051
.text C:\WINDOWS\system32\services.exe[716] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00060FCA
.text C:\WINDOWS\system32\services.exe[716] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050055
.text C:\WINDOWS\system32\services.exe[716] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050FCA
.text C:\WINDOWS\system32\services.exe[716] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050033
.text C:\WINDOWS\system32\services.exe[716] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0005000C
.text C:\WINDOWS\system32\services.exe[716] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050044
.text C:\WINDOWS\system32\services.exe[716] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\services.exe[716] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C80000
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C80F6B
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C80F7C
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C80F8D
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C80F9E
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C80FAF
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C800A0
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C80085
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C80F22
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C800BB
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C800D6
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C80036
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C80FE5
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C80F5A
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C80FC0
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C80011
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C80F3D
.text C:\WINDOWS\system32\lsass.exe[728] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C70FAF
.text C:\WINDOWS\system32\lsass.exe[728] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C7005B
.text C:\WINDOWS\system32\lsass.exe[728] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C70000
.text C:\WINDOWS\system32\lsass.exe[728] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C70FD4
.text C:\WINDOWS\system32\lsass.exe[728] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C70F94
.text C:\WINDOWS\system32\lsass.exe[728] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C70FE5
.text C:\WINDOWS\system32\lsass.exe[728] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C70036
.text C:\WINDOWS\system32\lsass.exe[728] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C7001B
.text C:\WINDOWS\system32\lsass.exe[728] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C60F81
.text C:\WINDOWS\system32\lsass.exe[728] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C60FA6
.text C:\WINDOWS\system32\lsass.exe[728] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C60FD2
.text C:\WINDOWS\system32\lsass.exe[728] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C60FE3
.text C:\WINDOWS\system32\lsass.exe[728] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C60FB7
.text C:\WINDOWS\system32\lsass.exe[728] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C60000
.text C:\WINDOWS\system32\lsass.exe[728] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C50FEF
.text C:\WINDOWS\system32\svchost.exe[916] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F40FEF
.text C:\WINDOWS\system32\svchost.exe[916] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F40073
.text C:\WINDOWS\system32\svchost.exe[916] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F40058
.text C:\WINDOWS\system32\svchost.exe[916] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F40047
.text C:\WINDOWS\system32\svchost.exe[916] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F40036
.text C:\WINDOWS\system32\svchost.exe[916] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F4000A
.text C:\WINDOWS\system32\svchost.exe[916] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F4009F
.text C:\WINDOWS\system32\svchost.exe[916] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F4008E
.text C:\WINDOWS\system32\svchost.exe[916] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F40F32
.text C:\WINDOWS\system32\svchost.exe[916] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F400CB
.text C:\WINDOWS\system32\svchost.exe[916] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F400E6
.text C:\WINDOWS\system32\svchost.exe[916] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F40025
.text C:\WINDOWS\system32\svchost.exe[916] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F40FD4
.text C:\WINDOWS\system32\svchost.exe[916] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F40F6D
.text C:\WINDOWS\system32\svchost.exe[916] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F40F9E
.text C:\WINDOWS\system32\svchost.exe[916] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F40FC3
.text C:\WINDOWS\system32\svchost.exe[916] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F400BA
.text C:\WINDOWS\system32\svchost.exe[916] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F30FB9
.text C:\WINDOWS\system32\svchost.exe[916] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F30051
.text C:\WINDOWS\system32\svchost.exe[916] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F30FD4
.text C:\WINDOWS\system32\svchost.exe[916] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F30FE5
.text C:\WINDOWS\system32\svchost.exe[916] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F30040
.text C:\WINDOWS\system32\svchost.exe[916] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F30000
.text C:\WINDOWS\system32\svchost.exe[916] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F30025
.text C:\WINDOWS\system32\svchost.exe[916] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F30F9E
.text C:\WINDOWS\system32\svchost.exe[916] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F20FD2
.text C:\WINDOWS\system32\svchost.exe[916] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F2005D
.text C:\WINDOWS\system32\svchost.exe[916] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F20038
.text C:\WINDOWS\system32\svchost.exe[916] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F2000C
.text C:\WINDOWS\system32\svchost.exe[916] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F20FE3
.text C:\WINDOWS\system32\svchost.exe[916] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F2001D
.text C:\WINDOWS\system32\svchost.exe[916] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F10FEF
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CD0000
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CD0F52
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CD0047
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CD0F6D
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CD0F8A
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CD0036
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CD0F13
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CD0F24
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CD0EF8
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CD0091
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CD0EDD
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CD0FA5
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CD0FDB
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CD0F41
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CD0FCA
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CD0011
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CD0076
.text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CC002F
.text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CC0087
.text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CC0014
.text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CC0FDE
.text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CC0076
.text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CC0FEF
.text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00CC005B
.text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CC004A
.text C:\WINDOWS\system32\svchost.exe[988] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CB0038
.text C:\WINDOWS\system32\svchost.exe[988] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CB0FAD
.text C:\WINDOWS\system32\svchost.exe[988] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CB001D
.text C:\WINDOWS\system32\svchost.exe[988] msvcrt.dll!_open 77C2F566 3 Bytes JMP 00CB0000
.text C:\WINDOWS\system32\svchost.exe[988] msvcrt.dll!_open + 4 77C2F56A 1 Byte [89]
.text C:\WINDOWS\system32\svchost.exe[988] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CB0FBE
.text C:\WINDOWS\system32\svchost.exe[988] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CB0FE3
.text C:\WINDOWS\system32\svchost.exe[988] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CA0000
.text C:\WINDOWS\System32\svchost.exe[1124] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 027B000A
.text C:\WINDOWS\System32\svchost.exe[1124] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 027B0F7C
.text C:\WINDOWS\System32\svchost.exe[1124] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 027B0F8D
.text C:\WINDOWS\System32\svchost.exe[1124] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 027B0071
.text C:\WINDOWS\System32\svchost.exe[1124] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 027B0FA8
.text C:\WINDOWS\System32\svchost.exe[1124] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 027B0FCD
.text C:\WINDOWS\System32\svchost.exe[1124] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 027B0F55
.text C:\WINDOWS\System32\svchost.exe[1124] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 027B009D
.text C:\WINDOWS\System32\svchost.exe[1124] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 027B00D3
.text C:\WINDOWS\System32\svchost.exe[1124] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 027B0F3A
.text C:\WINDOWS\System32\svchost.exe[1124] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 027B00EE
.text C:\WINDOWS\System32\svchost.exe[1124] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 027B004A
.text C:\WINDOWS\System32\svchost.exe[1124] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 027B0FEF
.text C:\WINDOWS\System32\svchost.exe[1124] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 027B008C
.text C:\WINDOWS\System32\svchost.exe[1124] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 027B0039
.text C:\WINDOWS\System32\svchost.exe[1124] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 027B0FDE
.text C:\WINDOWS\System32\svchost.exe[1124] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 027B00B8
.text C:\WINDOWS\System32\svchost.exe[1124] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 027A0FC3
.text C:\WINDOWS\System32\svchost.exe[1124] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 027A0F72
.text C:\WINDOWS\System32\svchost.exe[1124] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 027A0014
.text C:\WINDOWS\System32\svchost.exe[1124] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 027A0FDE
.text C:\WINDOWS\System32\svchost.exe[1124] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 027A0F8D
.text C:\WINDOWS\System32\svchost.exe[1124] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 027A0FEF
.text C:\WINDOWS\System32\svchost.exe[1124] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 027A002F
.text C:\WINDOWS\System32\svchost.exe[1124] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 027A0FA8
.text C:\WINDOWS\System32\svchost.exe[1124] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02790F9C
.text C:\WINDOWS\System32\svchost.exe[1124] msvcrt.dll!system 77C293C7 5 Bytes JMP 02790FB7
.text C:\WINDOWS\System32\svchost.exe[1124] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02790FD2
.text C:\WINDOWS\System32\svchost.exe[1124] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02790000
.text C:\WINDOWS\System32\svchost.exe[1124] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02790027
.text C:\WINDOWS\System32\svchost.exe[1124] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02790FE3
.text C:\WINDOWS\System32\svchost.exe[1124] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02780000
.text C:\WINDOWS\System32\svchost.exe[1124] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 02770000
.text C:\WINDOWS\System32\svchost.exe[1124] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 02770FE5
.text C:\WINDOWS\System32\svchost.exe[1124] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 02770011
.text C:\WINDOWS\System32\svchost.exe[1124] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 02770022
.text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00650FEF
.text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00650F79
.text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00650078
.text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00650F9E
.text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0065005B
.text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0065002F
.text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006500BA
.text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00650F68
.text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00650F32
.text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00650F4D
.text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00650F17
.text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0065004A
.text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00650FD4
.text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00650093
.text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00650FC3
.text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00650014
.text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006500CB
.text C:\WINDOWS\system32\svchost.exe[1156] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00640040
.text C:\WINDOWS\system32\svchost.exe[1156] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00640FCA
.text C:\WINDOWS\system32\svchost.exe[1156] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00640025
.text C:\WINDOWS\system32\svchost.exe[1156] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00640014
.text C:\WINDOWS\system32\svchost.exe[1156] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00640087
.text C:\WINDOWS\system32\svchost.exe[1156] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00640FEF
.text C:\WINDOWS\system32\svchost.exe[1156] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0064006C
.text C:\WINDOWS\system32\svchost.exe[1156] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00640051
.text C:\WINDOWS\system32\svchost.exe[1156] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00630058
.text C:\WINDOWS\system32\svchost.exe[1156] msvcrt.dll!system 77C293C7 5 Bytes JMP 00630FC3
.text C:\WINDOWS\system32\svchost.exe[1156] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00630022
.text C:\WINDOWS\system32\svchost.exe[1156] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00630000
.text C:\WINDOWS\system32\svchost.exe[1156] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00630033
.text C:\WINDOWS\system32\svchost.exe[1156] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00630011
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00660FEF
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00660082
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00660F83
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00660F94
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00660FAF
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00660FCA
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00660F5C
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006600A4
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00660F23
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006600C6
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006600D7
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00660051
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0066000A
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00660093
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00660040
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00660025
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006600B5
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0065001B
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00650073
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00650FCA
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00650FE5
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00650062
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00650000
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00650047
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0065002C
.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00640F8B
.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!system 77C293C7 5 Bytes JMP 00640FA6
.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00640FD2
.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00640FEF
.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00640FB7
.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0064000C
.text C:\WINDOWS\system32\svchost.exe[1280] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00630FEF
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AE0000
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00AE0084
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00AE0073
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00AE0F99
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00AE0FB6
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00AE0033
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00AE0F63
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00AE0F74
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00AE00E1
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00AE0F48
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00AE0F2D
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00AE0058
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00AE0FE5
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00AE0095
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00AE0022
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00AE0011
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00AE00C6
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00AD0FDB
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00AD0062
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00AD002C
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00AD0011
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00AD0047
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00AD0000
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00AD0FA5
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [CD, 88] {INT 0x88}
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00AD0FC0
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AC0038
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AC0027
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AC0FD2
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AC0000
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AC0FB7
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AC0FE3
.text C:\WINDOWS\system32\svchost.exe[1388] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AB0FE5
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BB000A
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BB0F8D
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BB0F9E
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BB006C
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BB0FAF
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BB0047
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BB0F6B
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BB00B3
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BB00D8
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BB0F49
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BB00E9
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BB0FCA
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BB0025
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BB0F7C
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BB0FDB
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BB0036
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BB0F5A
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00660036
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00660F8A
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00660FE5
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00660011
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00660FA5
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00660000
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00660047
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00660FCA
.text C:\WINDOWS\system32\svchost.exe[1596] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00650F9A
.text C:\WINDOWS\system32\svchost.exe[1596] msvcrt.dll!system 77C293C7 5 Bytes JMP 00650FAB
.text C:\WINDOWS\system32\svchost.exe[1596] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00650011
.text C:\WINDOWS\system32\svchost.exe[1596] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00650000
.text C:\WINDOWS\system32\svchost.exe[1596] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00650FC6
.text C:\WINDOWS\system32\svchost.exe[1596] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00650FD7
.text C:\WINDOWS\system32\svchost.exe[1596] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 00630000
.text C:\WINDOWS\system32\svchost.exe[1596] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 0063001B
.text C:\WINDOWS\system32\svchost.exe[1596] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 00630FE5
.text C:\WINDOWS\system32\svchost.exe[1596] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 00630FCA
.text C:\WINDOWS\system32\svchost.exe[1596] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00640FEF
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1980] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1980] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\Explorer.EXE[2928] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\Explorer.EXE[2928] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0089
.text C:\WINDOWS\Explorer.EXE[2928] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0078
.text C:\WINDOWS\Explorer.EXE[2928] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A005B
.text C:\WINDOWS\Explorer.EXE[2928] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0040
.text C:\WINDOWS\Explorer.EXE[2928] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FB9
.text C:\WINDOWS\Explorer.EXE[2928] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0F57
.text C:\WINDOWS\Explorer.EXE[2928] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F68
.text C:\WINDOWS\Explorer.EXE[2928] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A00CB
.text C:\WINDOWS\Explorer.EXE[2928] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F32
.text C:\WINDOWS\Explorer.EXE[2928] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A00E6
.text C:\WINDOWS\Explorer.EXE[2928] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0FA8
.text C:\WINDOWS\Explorer.EXE[2928] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0FD4
.text C:\WINDOWS\Explorer.EXE[2928] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0F79
.text C:\WINDOWS\Explorer.EXE[2928] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0025
.text C:\WINDOWS\Explorer.EXE[2928] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A000A
.text C:\WINDOWS\Explorer.EXE[2928] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A00B0
.text C:\WINDOWS\Explorer.EXE[2928] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290028
.text C:\WINDOWS\Explorer.EXE[2928] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00290F8D
.text C:\WINDOWS\Explorer.EXE[2928] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00290FCD
.text C:\WINDOWS\Explorer.EXE[2928] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00290FDE
.text C:\WINDOWS\Explorer.EXE[2928] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00290054
.text C:\WINDOWS\Explorer.EXE[2928] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290FEF
.text C:\WINDOWS\Explorer.EXE[2928] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00290039
.text C:\WINDOWS\Explorer.EXE[2928] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00290FB2
.text C:\WINDOWS\Explorer.EXE[2928] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0FAB
.text C:\WINDOWS\Explorer.EXE[2928] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A0036
.text C:\WINDOWS\Explorer.EXE[2928] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A001B
.text C:\WINDOWS\Explorer.EXE[2928] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0FE3
.text C:\WINDOWS\Explorer.EXE[2928] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A0FC6
.text C:\WINDOWS\Explorer.EXE[2928] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A0000
.text C:\WINDOWS\Explorer.EXE[2928] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 002C0FE5
.text C:\WINDOWS\Explorer.EXE[2928] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 002C0FD4
.text C:\WINDOWS\Explorer.EXE[2928] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 002C0014
.text C:\WINDOWS\Explorer.EXE[2928] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 002C0FC3
.text C:\WINDOWS\Explorer.EXE[2928] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DF0FEF
linziejoe
2009-10-02, 23:56
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
---- Services - GMER 1.0.15 ----
Service system32\drivers\kbiwkmnayvrded.sys (*** hidden *** ) [SYSTEM] kbiwkmmemtkdbo <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmemtkdbo@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmemtkdbo@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmemtkdbo@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmemtkdbo@imagepath \systemroot\system32\drivers\kbiwkmnayvrded.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmemtkdbo\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmemtkdbo\main@aid 20029
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmemtkdbo\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmemtkdbo\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmemtkdbo\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmemtkdbo\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmemtkdbo\main\injector@* kbiwkmwsp8.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmemtkdbo\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmemtkdbo\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmemtkdbo\modules@kbiwkmrk.sys \systemroot\system32\drivers\kbiwkmnayvrded.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmemtkdbo\modules@kbiwkmcmd.dll \systemroot\system32\kbiwkmrfqlnbeq.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmemtkdbo\modules@kbiwkmlog.dat \systemroot\system32\kbiwkmapogcxcw.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmemtkdbo\modules@kbiwkmwsp.dll \systemroot\system32\kbiwkmkckgqspu.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmemtkdbo\modules@kbiwkm.dat \systemroot\system32\kbiwkmtdbbmnuc.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmemtkdbo\modules@kbiwkmwsp8.dll \systemroot\system32\kbiwkmtlmxxyaq.dll
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmmemtkdbo@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmmemtkdbo@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmmemtkdbo@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmmemtkdbo@imagepath \systemroot\system32\drivers\kbiwkmnayvrded.sys
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmmemtkdbo\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmmemtkdbo\main@aid 20029
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmmemtkdbo\main@sid 0
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmmemtkdbo\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmmemtkdbo\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmmemtkdbo\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmmemtkdbo\main\injector@* kbiwkmwsp8.dll
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmmemtkdbo\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmmemtkdbo\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmmemtkdbo\modules@kbiwkmrk.sys \systemroot\system32\drivers\kbiwkmnayvrded.sys
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmmemtkdbo\modules@kbiwkmcmd.dll \systemroot\system32\kbiwkmrfqlnbeq.dll
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmmemtkdbo\modules@kbiwkmlog.dat \systemroot\system32\kbiwkmapogcxcw.dat
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmmemtkdbo\modules@kbiwkmwsp.dll \systemroot\system32\kbiwkmkckgqspu.dll
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmmemtkdbo\modules@kbiwkm.dat \systemroot\system32\kbiwkmtdbbmnuc.dat
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmmemtkdbo\modules@kbiwkmwsp8.dll \systemroot\system32\kbiwkmtlmxxyaq.dll
---- EOF - GMER 1.0.15 ----
We will continue with ComboFix. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New HijackThis log.
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
linziejoe
2009-10-04, 19:37
ComboFix 09-10-01.05 - Lindsay 10/03/2009 12:58.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.168 [GMT -5:00]
Running from: c:\documents and settings\Lindsay\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\404Fix.exe
c:\windows\system32\bszip.dll
c:\windows\system32\drivers\Sonyhcp.dll
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_kbiwkmmemtkdbo
-------\Service_kbiwkmmemtkdbo
((((((((((((((((((((((((( Files Created from 2009-09-04 to 2009-10-04 )))))))))))))))))))))))))))))))
.
2009-10-03 04:34 . 2009-10-01 15:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-24 05:42 . 2009-09-24 05:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-24 05:42 . 2009-09-24 05:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-22 17:47 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-22 17:47 . 2009-09-22 17:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-22 17:47 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-22 17:46 . 2009-09-24 05:40 16409960 ----a-w- c:\program files\spybotsd162.exe
2009-09-22 17:45 . 2009-09-22 17:45 4045528 ----a-w- c:\program files\mbam-setup.exe
2009-09-19 08:04 . 2009-09-20 18:12 -------- d-----w- c:\program files\yjimsp
2009-09-09 22:44 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-03 17:42 . 2008-05-02 03:10 -------- d-----w- c:\documents and settings\Lindsay Hudson\Application Data\StumbleUpon
2009-09-24 17:23 . 2007-08-10 19:05 -------- d-----w- c:\program files\McAfee
2009-09-24 15:27 . 2007-08-10 19:02 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-23 18:12 . 2008-03-13 01:41 -------- d-----w- c:\program files\SpywareGuard
2009-09-10 08:12 . 2008-08-12 05:23 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-31 22:56 . 2009-08-31 05:44 -------- d-----w- c:\program files\ejeptc
2009-08-18 02:18 . 2009-08-18 02:18 -------- d-----w- c:\program files\ERUNT
2009-08-18 02:03 . 2009-08-17 13:01 -------- d-----w- c:\program files\kbehbj
2009-08-17 23:59 . 2009-08-17 23:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-05 09:01 . 2004-08-04 11:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-04 11:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 16:42 . 2009-07-17 05:12 256 ----a-w- c:\windows\system32\pool.bin
2009-07-17 16:24 . 2004-06-09 19:27 16694 ----a-w- c:\windows\system32\drivers\PalmUSBD.sys
2009-07-17 06:41 . 2009-07-17 06:41 15487679 ----a-w- c:\program files\WinDesktop_41_T600.exe
2009-07-17 06:13 . 2004-11-29 04:58 161000 -c--a-w- c:\documents and settings\Lindsay Hudson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-17 05:42 . 2009-07-17 05:41 83980048 ----a-w- c:\program files\470_b059_english_nomediamanager.exe
2009-07-16 17:32 . 2007-08-10 19:06 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-07-14 04:43 . 2004-08-04 11:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-08 18:44 . 2007-08-10 19:14 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-07-08 18:44 . 2007-08-10 19:14 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-07-08 18:44 . 2007-08-10 19:14 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-07-08 18:44 . 2007-08-10 19:14 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-07-08 18:43 . 2007-08-10 19:14 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-05-02 04:33 . 2009-05-02 04:33 2040451 ----a-w- c:\program files\SetupImgBurn_2.4.4.0.exe
2008-10-02 01:34 . 2007-08-15 02:40 13413048 ----a-w- c:\program files\GoogleEarthWin.exe
2008-09-22 05:13 . 2008-09-22 05:13 47089717 ----a-w- c:\program files\iPodSetup 2005-11-17.zip
2008-09-22 05:04 . 2008-09-22 05:04 420632 ----a-w- c:\program files\ipodwizard-v1.3-release.zip
2008-08-01 00:12 . 2008-08-01 00:11 44526 ----a-w- c:\program files\iehv.zip
2008-06-13 01:58 . 2008-06-13 01:58 6895008 ----a-w- c:\program files\PokerStarsInstallPM.exe
2008-05-02 02:55 . 2008-05-02 02:54 501992 ----a-w- c:\program files\StumbleUpon.exe
2008-04-14 01:17 . 2008-04-14 01:17 536811 ----a-w- c:\program files\ie-spyad.exe
2008-03-14 18:09 . 2008-03-14 18:09 2062665 ----a-w- c:\program files\spywareguardsetup.exe
2008-03-14 18:08 . 2008-03-14 18:08 5154304 ----a-w- c:\program files\WindowsDefender.msi
2008-03-14 18:06 . 2008-03-14 18:05 2671816 ----a-w- c:\program files\spywareblastersetup40.exe
2008-03-14 00:40 . 2008-03-14 00:40 382352 ----a-w- c:\program files\jdk-6u5-windows-i586-p-iftw.exe
2007-12-22 02:34 . 2005-03-08 02:40 54330664 ----a-w- c:\program files\iTunesSetup.exe
2007-08-03 22:57 . 2007-08-03 22:57 12695868 ----a-w- c:\program files\ML-2010.exe
2007-06-15 01:39 . 2007-06-15 01:39 18149584 ----a-w- c:\program files\aaw2007.exe
2007-05-26 14:54 . 2007-05-26 14:53 1159948 ----a-w- c:\program files\pdf200.exe
2007-05-26 14:45 . 2007-05-26 14:45 3111537 ----a-w- c:\program files\image2pdf.zip
2007-05-23 02:21 . 2007-05-23 02:21 116736 ----a-w- c:\program files\bentonville qualifier form.doc
2007-05-22 05:17 . 2007-05-22 05:01 21822168 ----a-w- c:\program files\AdbeRdr80_en_US.exe
2007-05-22 05:01 . 2007-05-22 05:01 66672 ----a-w- c:\program files\sgc10.exe
2006-07-12 03:41 . 2006-07-12 03:40 59310760 ----a-w- c:\program files\iPodSetup.exe
2006-06-12 17:17 . 2006-06-12 17:17 947213 ----a-w- c:\program files\Gd30.zip
2006-06-10 18:19 . 2006-06-10 18:19 53247590 ----a-w- c:\program files\zootycoon_ESTP.zip
2006-06-08 22:18 . 2006-06-08 22:18 12527920 ----a-w- c:\program files\IE7BETA2-WindowsXP-x86-enu.exe
2006-06-08 22:10 . 2006-06-08 22:10 2104224 ----a-w- c:\program files\Windows-KB890830-V1.16.exe
2005-08-24 01:02 . 2005-08-24 01:02 10958640 ----a-w- c:\program files\GoogleEarth.exe
2005-03-24 04:05 . 2005-03-24 04:05 5110063 -c--a-w- c:\program files\1stpage2.zip
2005-03-09 15:23 . 2005-03-09 15:23 877056 ----a-w- c:\program files\iview395.exe
2004-08-04 11:00 . 2004-08-04 11:00 94784 -csh--w- c:\windows\TWAIN.DLL
2008-04-14 00:12 . 2004-08-04 11:00 50688 --sh--w- c:\windows\twain_32.dll
2004-12-24 06:31 . 2004-12-24 06:31 848 -csha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
2008-04-14 00:11 . 2004-08-04 11:00 1028096 --sha-w- c:\windows\SYSTEM32\mfc42.dll
2008-04-14 00:12 . 2004-08-04 11:00 57344 --sh--w- c:\windows\SYSTEM32\msvcirt.dll
2008-04-14 00:12 . 2004-08-04 11:00 413696 --sha-w- c:\windows\SYSTEM32\msvcp60.dll
2008-04-14 00:12 . 2004-08-04 11:00 343040 --sha-w- c:\windows\SYSTEM32\msvcrt.dll
2008-04-14 00:12 . 2004-08-04 11:00 551936 --sh--w- c:\windows\SYSTEM32\oleaut32.dll
2008-04-14 00:12 . 2004-08-04 11:00 84992 --sha-w- c:\windows\SYSTEM32\olepro32.dll
2008-04-14 00:12 . 2004-08-04 11:00 11776 --sh--w- c:\windows\SYSTEM32\regsvr32.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 1388544]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-08-04 196608]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]
"HPHmon03"="c:\windows\system32\hphmon03.exe" [2006-01-13 311296]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"CXMon"="c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-08-09 45056]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-03-19 615696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
c:\documents and settings\Lindsay Hudson\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HOTSYNCSHORTCUTNAME.lnk - c:\program files\Handspring\Hotsync.exe [2004-6-9 471040]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\SYSTEM32\\FXSCLNT.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\SYSTEM32\DRIVERS\hphius09.sys [1/21/2008 9:32 PM 18864]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\SYSTEM32\DRIVERS\ndisprot.sys [11/11/2008 2:46 PM 27904]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS --> c:\program files\SUPERAntiSpyware\SASENUM.SYS [?]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-10-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
2009-09-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-08-10 02:26]
2009-09-28 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-08-10 02:26]
2009-10-04 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
2009-10-04 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-09-24 20:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {413D6754-BFD4-47FE-9346-319559290BFA} - hxxps://www.webpcfos.com/webpcfos/websabre/HTEweb_new.cab
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Aim6 - (no file)
HKLM-Run-BJCFD - c:\program files\BroadJump\Client Foundation\CFD.exe
HKLM-Run-IPHSend - c:\program files\Common Files\AOL\IPHSend\IPHSend.exe
HKLM-Run-HostManager - c:\program files\Common Files\AOL\1151536003\ee\AOLSoftware.exe
MSConfigStartUp-CTFMON - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-04 10:44
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Windows Defender\MsMpEng.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\progra~1\McAfee\MSC\mcupdmgr.exe
c:\progra~1\McAfee\VIRUSS~1\mcods.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\progra~1\McAfee\VIRUSS~1\mcvsshld.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\windows\SYSTEM32\hphipm09.exe
c:\progra~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
c:\windows\SYSTEM32\msiexec.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\SpywareGuard\sgbhp.exe
.
**************************************************************************
.
Completion time: 2009-10-04 10:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-04 15:57
Pre-Run: 4,604,690,432 bytes free
Post-Run: 5,311,545,344 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
246 --- E O F --- 2009-10-03 04:34
linziejoe
2009-10-04, 19:39
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:22:51 AM, on 10/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Handspring\Hotsync.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Lindsay\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Handspring\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {413D6754-BFD4-47FE-9346-319559290BFA} (HTECtrl Class) - https://www.webpcfos.com/webpcfos/websabre/HTEweb_new.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1184004392343
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: StumbleUponUpdateService - stumbleupon.com - C:\Program Files\StumbleUpon\StumbleUponUpdateService.exe
--
End of file - 10642 bytes
Do you recognize this folder?
c:\program files\yjimsp
linziejoe
2009-10-05, 20:45
No, I don't. It appears to be empty.
If so, then you can delete it.
Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.
linziejoe
2009-10-06, 04:29
Kaspersky didn't find anything.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, October 5, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, October 05, 2009 23:25:10
Records in database: 2918829
--------------------------------------------------------------------------------
Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
F:\
Scan statistics:
Objects scanned: 96752
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 03:09:57
No threats found. Scanned area is clean.
Selected area has been scanned.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:29:05 PM, on 10/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\StumbleUpon\StumbleUponUpdateService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\PROGRA~1\mcafee\msc\mcupdui.exe
C:\Documents and Settings\Lindsay Hudson\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {413D6754-BFD4-47FE-9346-319559290BFA} (HTECtrl Class) - https://www.webpcfos.com/webpcfos/websabre/HTEweb_new.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1184004392343
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: StumbleUponUpdateService - stumbleupon.com - C:\Program Files\StumbleUpon\StumbleUponUpdateService.exe
--
End of file - 11187 bytes
linziejoe
2009-10-08, 23:04
No more malware problems....I still haven't tried reinstalling Spybot for fear of another BSOD. Computer is still slow, so I guess I'm heading over to bleepingcomputer to figure out how to speed up this beast! :) Thank you for your help,
So we check this:
Download random's system information tool (RSIT) by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<< will be maximized) and info.txt (<< will be minimized)
This thread has been closed due to inactivity.
If you still require help, please start a new topic and include a fresh HijackThis log with a link to your previous thread.
Please do not add any logs that might have been requested previously, you would be starting fresh.
Applies only to the original poster, anyone else with similar problems please start your own topic.