FakeAlert Damage

ken545 · Jul 8, 2011

Still with us ?

secWEL · Jul 10, 2011

Hello ken545

Sorry I was waiting for an email to tell me you had replied, it will not happen againg I will check the thread frequently.

I have had trouble with running your "fix" code; yestarday I ranit twice and each there was two copies of the report text displayed on reboot and the computer was locked up. I have tried twice today and was successful with the seconde attempt.

Here is the report:

All processes killed
========== PROCESSES ==========
========== OTL ==========
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
HKU\S-1-5-21-329068152-1637723038-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
Prefs.js: "ALOT Search" removed from browser.search.selectedEngine
Prefs.js: "http://search.alot.com/web?&src_id=11031&client_id=ba146d35986fdc88e6195cb8&camp_id=38&install_time=2009-08-11T13:33:28Z&tb_version=2.4.11000%28F%29&pr=auto&q=" removed from keyword.URL
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
< ipconfig /release /c >
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 0.0.0.0
Subnet Mask . . . . . . . . . . . : 0.0.0.0
Default Gateway . . . . . . . . . :
C:\Documents and Settings\WEL\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\WEL\Desktop\cmd.txt deleted successfully.
< ipconfig /renew /c >
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : home
IP Address. . . . . . . . . . . . : 192.168.1.64
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.254
C:\Documents and Settings\WEL\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\WEL\Desktop\cmd.txt deleted successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Could not flush the DNS Resolver Cache: Function failed during execution.
C:\Documents and Settings\WEL\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\WEL\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Administrator.AMD2-3A4FB6A446
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Administrator.AMD2-3A4FB6A446.000
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33237 bytes

User: NetworkService
->Temp folder emptied: 65536 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: WEL
->Temp folder emptied: 219913 bytes
->Temporary Internet Files folder emptied: 241585 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 9209259 bytes
->Google Chrome cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 810 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 82403 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 9.00 mb

OTL by OldTimer - Version 3.2.25.0 log created on 07102011_114406

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_cd8.dat not found!
C:\Documents and Settings\WEL\Local Settings\Temp\WCESLog.log moved successfully.

Registry entries deleted on Reboot...

END OF REPORT.

The computer is very slow and the icons that we retrieved earlier are dimmed,
but they do run OK. I cannot find many programs using Win Exploerer or Run/Start, but can run them by opening appropriate text files e.g. opening a photograph file starts the photo editor.

Once again, many thanks for your help.

secWEL

ken545 · Jul 10, 2011

Lets see if this finds anything

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan

On completion of the scan click save log, save it to your desktop and post in your next reply

secWEL · Jul 10, 2011

Hello ken545

Sorry, when I try to run aswMBR.exe I get a messge saying it is not a valid Win32 file. I cannot access the Command Prompt to run it as a DOS file.

How shall I proceed?

Thanks
secWEL

ken545 · Jul 10, 2011

Lets try this instead

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double click GMER.exe.
If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All (don't miss this one)
  
  Click the image to enlarge it
Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
Save the log where you can easily find it, such as your desktop.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
Please copy and paste the report into your Post.

secWEL · Jul 11, 2011

Hello ken545

Here is GMER log.

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-07-11 12:37:37
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Scsi\nvgts1Port3Path0Target0Lun0 MAXTOR_S rev.3.AA
Running: gmer.exe; Driver: C:\DOCUME~1\WEL\LOCALS~1\Temp\pfdiypob.sys

---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB7E51210]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB7E51224]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB7E51250]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB7E512A6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB7E511FC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB7E511D4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB7E511E8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB7E5123A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB7E5127C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB7E51266]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB7E512D0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB7E512BC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB7E51290]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504B08 7 Bytes JMP B7E51294 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B203A 7 Bytes JMP B7E512AA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E48 5 Bytes JMP B7E512C0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetSecurityObject 805C062E 5 Bytes JMP B7E51280 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB440 5 Bytes JMP B7E511D8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB6CC 5 Bytes JMP B7E511EC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29E2 5 Bytes JMP B7E512D4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80622662 7 Bytes JMP B7E5126A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80623B12 7 Bytes JMP B7E5123E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806240F0 5 Bytes JMP B7E51214 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8062458C 7 Bytes JMP B7E51228 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8062475C 7 Bytes JMP B7E51254 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 806254CE 5 Bytes JMP B7E51200 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB633F3A0, 0x88C445, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[632] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00970000
.text C:\WINDOWS\Explorer.EXE[632] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00970011
.text C:\WINDOWS\Explorer.EXE[632] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00970FDB
.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00960000
.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00960F7E
.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00960073
.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00960062
.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00960FA5
.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00960036
.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00960F57
.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0096009F
.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009600F0
.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009600CB
.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00960F3C
.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00960047
.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00960011
.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0096008E
.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00960FCA
.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00960FE5
.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009600BA
.text C:\WINDOWS\Explorer.EXE[632] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01590FDB
.text C:\WINDOWS\Explorer.EXE[632] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01590073
.text C:\WINDOWS\Explorer.EXE[632] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0159002C
.text C:\WINDOWS\Explorer.EXE[632] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0159001B
.text C:\WINDOWS\Explorer.EXE[632] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01590FB6
.text C:\WINDOWS\Explorer.EXE[632] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01590000
.text C:\WINDOWS\Explorer.EXE[632] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01590062
.text C:\WINDOWS\Explorer.EXE[632] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01590047
.text C:\WINDOWS\Explorer.EXE[632] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01570F7C
.text C:\WINDOWS\Explorer.EXE[632] msvcrt.dll!system 77C293C7 5 Bytes JMP 01570F8D
.text C:\WINDOWS\Explorer.EXE[632] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01570FCD
.text C:\WINDOWS\Explorer.EXE[632] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01570FEF
.text C:\WINDOWS\Explorer.EXE[632] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01570FB2
.text C:\WINDOWS\Explorer.EXE[632] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01570FDE
.text C:\WINDOWS\Explorer.EXE[632] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00980000
.text C:\WINDOWS\Explorer.EXE[632] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00980FE5
.text C:\WINDOWS\Explorer.EXE[632] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00980FD4
.text C:\WINDOWS\Explorer.EXE[632] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00980FC3
.text C:\WINDOWS\Explorer.EXE[632] ws2_32.dll!socket 71AB4211 5 Bytes JMP 00990FEF
.text C:\WINDOWS\system32\services.exe[1152] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\services.exe[1152] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0005001B
.text C:\WINDOWS\system32\services.exe[1152] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00050FE5
.text C:\WINDOWS\system32\services.exe[1152] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\services.exe[1152] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0004004A
.text C:\WINDOWS\system32\services.exe[1152] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0004002F
.text C:\WINDOWS\system32\services.exe[1152] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00040F55
.text C:\WINDOWS\system32\services.exe[1152] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00040F7C
.text C:\WINDOWS\system32\services.exe[1152] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0004001E
.text C:\WINDOWS\system32\services.exe[1152] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00040093
.text C:\WINDOWS\system32\services.exe[1152] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00040078
.text C:\WINDOWS\system32\services.exe[1152] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00040F04
.text C:\WINDOWS\system32\services.exe[1152] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00040F15
.text C:\WINDOWS\system32\services.exe[1152] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00040EE9
.text C:\WINDOWS\system32\services.exe[1152] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00040F97
.text C:\WINDOWS\system32\services.exe[1152] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00040FDE
.text C:\WINDOWS\system32\services.exe[1152] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0004005B
.text C:\WINDOWS\system32\services.exe[1152] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00040FB2
.text C:\WINDOWS\system32\services.exe[1152] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00040FCD
.text C:\WINDOWS\system32\services.exe[1152] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00040F30
.text C:\WINDOWS\system32\services.exe[1152] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0077001B
.text C:\WINDOWS\system32\services.exe[1152] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00770F9B
.text C:\WINDOWS\system32\services.exe[1152] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00770FCA
.text C:\WINDOWS\system32\services.exe[1152] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0077000A
.text C:\WINDOWS\system32\services.exe[1152] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00770062
.text C:\WINDOWS\system32\services.exe[1152] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00770FEF
.text C:\WINDOWS\system32\services.exe[1152] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00770051
.text C:\WINDOWS\system32\services.exe[1152] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00770040
.text C:\WINDOWS\system32\services.exe[1152] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00070031
.text C:\WINDOWS\system32\services.exe[1152] msvcrt.dll!system 77C293C7 5 Bytes JMP 00070FB0
.text C:\WINDOWS\system32\services.exe[1152] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00070FD2
.text C:\WINDOWS\system32\services.exe[1152] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[1152] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00070FC1
.text C:\WINDOWS\system32\services.exe[1152] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00070FE3
.text C:\WINDOWS\system32\services.exe[1152] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\lsass.exe[1164] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\lsass.exe[1164] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00FE0036
.text C:\WINDOWS\system32\lsass.exe[1164] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FE001B
.text C:\WINDOWS\system32\lsass.exe[1164] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E40FEF
.text C:\WINDOWS\system32\lsass.exe[1164] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E40093
.text C:\WINDOWS\system32\lsass.exe[1164] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E40082
.text C:\WINDOWS\system32\lsass.exe[1164] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E40FA8
.text C:\WINDOWS\system32\lsass.exe[1164] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E4005B
.text C:\WINDOWS\system32\lsass.exe[1164] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E4002F
.text C:\WINDOWS\system32\lsass.exe[1164] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E40F70
.text C:\WINDOWS\system32\lsass.exe[1164] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E40F8D
.text C:\WINDOWS\system32\lsass.exe[1164] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E40F29
.text C:\WINDOWS\system32\lsass.exe[1164] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E40F44
.text C:\WINDOWS\system32\lsass.exe[1164] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E40F0E
.text C:\WINDOWS\system32\lsass.exe[1164] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E4004A
.text C:\WINDOWS\system32\lsass.exe[1164] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E40FD4
.text C:\WINDOWS\system32\lsass.exe[1164] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E400B8
.text C:\WINDOWS\system32\lsass.exe[1164] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E40FC3
.text C:\WINDOWS\system32\lsass.exe[1164] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E4000A
.text C:\WINDOWS\system32\lsass.exe[1164] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E40F55
.text C:\WINDOWS\system32\lsass.exe[1164] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 012F0F9E
.text C:\WINDOWS\system32\lsass.exe[1164] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 012F0F4D
.text C:\WINDOWS\system32\lsass.exe[1164] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 012F0FB9
.text C:\WINDOWS\system32\lsass.exe[1164] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 012F0FCA
.text C:\WINDOWS\system32\lsass.exe[1164] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 012F0014
.text C:\WINDOWS\system32\lsass.exe[1164] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 012F0FE5
.text C:\WINDOWS\system32\lsass.exe[1164] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 012F0F68
.text C:\WINDOWS\system32\lsass.exe[1164] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4F, 89]
.text C:\WINDOWS\system32\lsass.exe[1164] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 012F0F8D
.text C:\WINDOWS\system32\lsass.exe[1164] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 012E004C
.text C:\WINDOWS\system32\lsass.exe[1164] msvcrt.dll!system 77C293C7 5 Bytes JMP 012E0FC1
.text C:\WINDOWS\system32\lsass.exe[1164] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 012E0FD2
.text C:\WINDOWS\system32\lsass.exe[1164] msvcrt.dll!_open 77C2F566 5 Bytes JMP 012E0FEF
.text C:\WINDOWS\system32\lsass.exe[1164] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 012E0027
.text C:\WINDOWS\system32\lsass.exe[1164] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 012E000C
.text C:\WINDOWS\system32\lsass.exe[1164] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\svchost.exe[1372] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00AB0FEF
.text C:\WINDOWS\system32\svchost.exe[1372] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00AB0FC3
.text C:\WINDOWS\system32\svchost.exe[1372] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00AB0FD4
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AA0000
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00AA0F8A
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00AA0089
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00AA006E
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00AA0051
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00AA001B
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00AA0F6D
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00AA00B5
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00AA0106
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00AA00EB
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00AA0117
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00AA0036
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00AA0FE5
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00AA00A4
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00AA0FAF
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00AA0FC0
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00AA00DA
.text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00AE0036
.text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00AE006C
.text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00AE0025
.text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00AE0FEF
.text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00AE0FAF
.text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00AE000A
.text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00AE0FCA
.text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [CE, 88]
.text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00AE0051
.text C:\WINDOWS\system32\svchost.exe[1372] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AD0FC8
.text C:\WINDOWS\system32\svchost.exe[1372] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AD0053
.text C:\WINDOWS\system32\svchost.exe[1372] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AD002E
.text C:\WINDOWS\system32\svchost.exe[1372] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AD0000
.text C:\WINDOWS\system32\svchost.exe[1372] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AD0FE3
.text C:\WINDOWS\system32\svchost.exe[1372] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AD001D
.text C:\WINDOWS\system32\svchost.exe[1372] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AC0FEF
.text C:\WINDOWS\system32\svchost.exe[1464] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00A50FE5
.text C:\WINDOWS\system32\svchost.exe[1464] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00A50FCA
.text C:\WINDOWS\system32\svchost.exe[1464] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A50000
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A40FEF
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A40F5C
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A40047
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A40F6D
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A40F8A
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A40FAF
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A40082
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A40F3A
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A400C9
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A400B8
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A400DA
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A4002C
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A40000
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A40F4B
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A40FC0
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A40011
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A4009D
.text C:\WINDOWS\system32\svchost.exe[1464] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B90FC3
.text C:\WINDOWS\system32\svchost.exe[1464] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B9004A
.text C:\WINDOWS\system32\svchost.exe[1464] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B90FDE
.text C:\WINDOWS\system32\svchost.exe[1464] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B90014
.text C:\WINDOWS\system32\svchost.exe[1464] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B90F8D
.text C:\WINDOWS\system32\svchost.exe[1464] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B90FEF
.text C:\WINDOWS\system32\svchost.exe[1464] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B90FA8
.text C:\WINDOWS\system32\svchost.exe[1464] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D9, 88]
.text C:\WINDOWS\system32\svchost.exe[1464] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B9002F
.text C:\WINDOWS\system32\svchost.exe[1464] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A7002A
.text C:\WINDOWS\system32\svchost.exe[1464] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A70F9F
.text C:\WINDOWS\system32\svchost.exe[1464] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A70FC1
.text C:\WINDOWS\system32\svchost.exe[1464] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A70FEF
.text C:\WINDOWS\system32\svchost.exe[1464] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A70FB0
.text C:\WINDOWS\system32\svchost.exe[1464] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A70FD2
.text C:\WINDOWS\system32\svchost.exe[1464] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A60000
.text C:\WINDOWS\System32\svchost.exe[1588] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01AE0000
.text C:\WINDOWS\System32\svchost.exe[1588] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 01AE0FDB
.text C:\WINDOWS\System32\svchost.exe[1588] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01AE0011
.text C:\WINDOWS\System32\svchost.exe[1588] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01AD0FEF
.text C:\WINDOWS\System32\svchost.exe[1588] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01AD0F64
.text C:\WINDOWS\System32\svchost.exe[1588] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01AD0F75
.text C:\WINDOWS\System32\svchost.exe[1588] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01AD0F90
.text C:\WINDOWS\System32\svchost.exe[1588] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01AD004D
.text C:\WINDOWS\System32\svchost.exe[1588] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01AD0FBC
.text C:\WINDOWS\System32\svchost.exe[1588] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01AD0F18
.text C:\WINDOWS\System32\svchost.exe[1588] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01AD006A
.text C:\WINDOWS\System32\svchost.exe[1588] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01AD0ED1
.text C:\WINDOWS\System32\svchost.exe[1588] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01AD0EE2
.text C:\WINDOWS\System32\svchost.exe[1588] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01AD0EB6
.text C:\WINDOWS\System32\svchost.exe[1588] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01AD0FA1
.text C:\WINDOWS\System32\svchost.exe[1588] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01AD0014
.text C:\WINDOWS\System32\svchost.exe[1588] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01AD0F49
.text C:\WINDOWS\System32\svchost.exe[1588] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01AD0FCD
.text C:\WINDOWS\System32\svchost.exe[1588] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01AD0FDE
.text C:\WINDOWS\System32\svchost.exe[1588] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01AD0EFD
.text C:\WINDOWS\System32\svchost.exe[1588] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 028D0036
.text C:\WINDOWS\System32\svchost.exe[1588] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 028D006C
.text C:\WINDOWS\System32\svchost.exe[1588] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 028D001B
.text C:\WINDOWS\System32\svchost.exe[1588] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 028D000A
.text C:\WINDOWS\System32\svchost.exe[1588] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 028D005B
.text C:\WINDOWS\System32\svchost.exe[1588] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 028D0FEF
.text C:\WINDOWS\System32\svchost.exe[1588] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 028D0FB9
.text C:\WINDOWS\System32\svchost.exe[1588] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [AD, 8A]
.text C:\WINDOWS\System32\svchost.exe[1588] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 028D0FCA
.text C:\WINDOWS\System32\svchost.exe[1588] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0264004E
.text C:\WINDOWS\System32\svchost.exe[1588] msvcrt.dll!system 77C293C7 5 Bytes JMP 0264003D
.text C:\WINDOWS\System32\svchost.exe[1588] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02640018
.text C:\WINDOWS\System32\svchost.exe[1588] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02640FEF
.text C:\WINDOWS\System32\svchost.exe[1588] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02640FCD
.text C:\WINDOWS\System32\svchost.exe[1588] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02640FDE
.text C:\WINDOWS\System32\svchost.exe[1588] WS2_32.dll!socket 71AB4211 5 Bytes JMP 022D0000
.text C:\WINDOWS\System32\svchost.exe[1588] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01AF000A
.text C:\WINDOWS\System32\svchost.exe[1588] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 01AF0FEF
.text C:\WINDOWS\System32\svchost.exe[1588] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01AF0025
.text C:\WINDOWS\System32\svchost.exe[1588] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 01AF0036
.text C:\WINDOWS\system32\svchost.exe[1792] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00A70000
.text C:\WINDOWS\system32\svchost.exe[1792] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00A70FDB
.text C:\WINDOWS\system32\svchost.exe[1792] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A7001B
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A60000
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A60076
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A6005B
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A6004A
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A60F8D
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A60039
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A60098
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A60F5C
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A60F24
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A60F3F
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A600E2
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A60FA8
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A60FE5
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A60087
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A60FC3
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A60FD4
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A600B3
.text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00930FD4
.text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0093006C
.text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00930FE5
.text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0093001B
.text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00930051
.text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0093000A
.text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00930FAF
.text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B3, 88] {MOV BL, 0x88}
.text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00930040
.text C:\WINDOWS\system32\svchost.exe[1792] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920036
.text C:\WINDOWS\system32\svchost.exe[1792] msvcrt.dll!system 77C293C7 5 Bytes JMP 00920025
.text C:\WINDOWS\system32\svchost.exe[1792] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00920FC6
.text C:\WINDOWS\system32\svchost.exe[1792] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920FEF
.text C:\WINDOWS\system32\svchost.exe[1792] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00920FAB
.text C:\WINDOWS\system32\svchost.exe[1792] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00920000
.text C:\WINDOWS\system32\svchost.exe[1792] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00900FEF
.text C:\WINDOWS\system32\svchost.exe[1792] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00900FD4
.text C:\WINDOWS\system32\svchost.exe[1792] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00900FC3
.text C:\WINDOWS\system32\svchost.exe[1792] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00900014
.text C:\WINDOWS\system32\svchost.exe[1792] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00910000
.text C:\WINDOWS\system32\SearchIndexer.exe[2552] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00F21B19 C:\WINDOWS\system32\mssrch.dll (mssrch.lib/Microsoft Corporation)
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 34420FE5
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 34420FCA
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 34420000
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 34410FEF
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 34410093
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 34410078
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 34410F9E
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 3441005B
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 34410039
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 344100CB
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 34410F83
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 34410F4D
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 34410F68
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 34410F32
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 3441004A
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 34410FDE
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 344100A4
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 34410FCD
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 34410014
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 344100E6
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 343F0FB7
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] msvcrt.dll!system 77C293C7 5 Bytes JMP 343F0FC8
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 343F0027
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] msvcrt.dll!_open 77C2F566 5 Bytes JMP 343F0000
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 343F0042
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 343F0FEF
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 34400FD4
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 34400F94
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 34400025
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 3440000A
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 34400051
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 34400FEF
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 34400FB9
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [60, BC]
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 34400036
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] WS2_32.dll!socket 71AB4211 5 Bytes JMP 343E0000
.text C:\WINDOWS\system32\svchost.exe[3700] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BF0FE5
.text C:\WINDOWS\system32\svchost.exe[3700] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BF0025
.text C:\WINDOWS\system32\svchost.exe[3700] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\svchost.exe[3700] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BE000A
.text C:\WINDOWS\system32\svchost.exe[3700] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BE0F6F
.text C:\WINDOWS\system32\svchost.exe[3700] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BE0F8A
.text C:\WINDOWS\system32\svchost.exe[3700] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BE0058
.text C:\WINDOWS\system32\svchost.exe[3700] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BE0047
.text C:\WINDOWS\system32\svchost.exe[3700] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BE0FC0
.text C:\WINDOWS\system32\svchost.exe[3700] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BE0095
.text C:\WINDOWS\system32\svchost.exe[3700] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BE0F4D
.text C:\WINDOWS\system32\svchost.exe[3700] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BE0F21
.text C:\WINDOWS\system32\svchost.exe[3700] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BE0F32
.text C:\WINDOWS\system32\svchost.exe[3700] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BE00D5
.text C:\WINDOWS\system32\svchost.exe[3700] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BE0FA5
.text C:\WINDOWS\system32\svchost.exe[3700] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\system32\svchost.exe[3700] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BE0F5E
.text C:\WINDOWS\system32\svchost.exe[3700] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BE002C
.text C:\WINDOWS\system32\svchost.exe[3700] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BE001B
.text C:\WINDOWS\system32\svchost.exe[3700] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BE00B0
.text C:\WINDOWS\system32\svchost.exe[3700] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BD002C
.text C:\WINDOWS\system32\svchost.exe[3700] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BD0062
.text C:\WINDOWS\system32\svchost.exe[3700] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BD0FDB
.text C:\WINDOWS\system32\svchost.exe[3700] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BD0011
.text C:\WINDOWS\system32\svchost.exe[3700] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BD0FA5
.text C:\WINDOWS\system32\svchost.exe[3700] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\svchost.exe[3700] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BD0047
.text C:\WINDOWS\system32\svchost.exe[3700] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BD0FC0
.text C:\WINDOWS\system32\svchost.exe[3700] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BC0FA4
.text C:\WINDOWS\system32\svchost.exe[3700] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BC0FB5
.text C:\WINDOWS\system32\svchost.exe[3700] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BC0FD7
.text C:\WINDOWS\system32\svchost.exe[3700] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BC0000
.text C:\WINDOWS\system32\svchost.exe[3700] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BC0FC6
.text C:\WINDOWS\system32\svchost.exe[3700] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BC0011

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume12 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume6 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume7 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume8 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume9 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume10 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume11 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft@TechLevel 0xED 0x38 0x55 0x6A ...
Reg HKLM\SOFTWARE\Classes\SOFTWARE\RealNetworks\Update\6.0\Preferences\LastSetupCommand@
Reg HKLM\SOFTWARE\Classes\SOFTWARE\RealNetworks\Update\6.0\Preferences\Rename\File20@ C:\Documents and Settings\WEL\Application Data\Real\Update\UpgradeHelper\RealPlayer\8.01\pnup1.exe|rnupgagent.exe
Reg HKLM\SOFTWARE\Classes\SOFTWARE\RealNetworks\Update\6.0\Preferences\UpgClasses@
Reg HKLM\SOFTWARE\Classes\SOFTWARE\RealNetworks\Update\6.0\Preferences\UpgComps@
Reg HKLM\SOFTWARE\Classes\SOFTWARE\RealNetworks\Update\6.0\Preferences\UpgProds@

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\WEL\Local Settings\Temporary Internet Files\Content.IE5\T7OHR148\extended[1].xml 133 bytes

---- EOF - GMER 1.0.15 ----

Thanks
secWEL

ken545 · Jul 11, 2011

No rootkit Infection

ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
Click the

button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
1. Click on
  
  to download the ESET Smart Installer. Save it to your desktop.
2. Double click on the
  
  icon on your desktop.
Check
Click the

button.
Accept any security warnings from your browser.
Check
Make sure that the option "Remove found threats" is Unchecked
Push the Start button.
ESET will then download updates for itself, install itself, and begin
scanning your computer. Please be patient as this can take some time.
When the scan completes, push
Push

, and save the file to your desktop using a unique name, such as
ESETScan. Include the contents of this report in your next reply.
Push the

button.
Push

Please make sure you include the following items in your next post:
The log that was produced after running ESET Online Scanner.

secWEL · Jul 12, 2011

Hello ken545

Not having any success in running the ESET online scanner. I tried with Firefox but got a message that "esetsmartinstaller_enu.exe" is not a valid Win32 application.

Switched to IE8 and tried several times to run from your link, but each time it either hung after the "Accept terms" button was pressed. It loaded the onlins scanner pop-up and then either hung or closed IE.

Today I have tried running the scanner directly from the ESET site. The result was much the same, although on one occassion I did see the "Click here to download onlinescanner.cab", but always the program hung or closed IE.

When it hung I had to use Task Master to close the program.

On all attempts I had stopped McAfee and MalwareBytes.

Sorry I do not know what to try next and am feeling completely useless

Looking forward to your advice again.

Thanks

secWEL

ken545 · Jul 12, 2011

Try one of these, just need one to run. Online virus scanners act differently on each system, one they run fine and the next it wont run, go figure

Trendmicro Housecall
BitDefender Online Scanner
Mcafee Online Scan

secWEL · Jul 13, 2011

Hello ken545

I have run the House Call scan (it looked only at the C: drive) and it reported "no infections". I am having problems with the others , but will try again later.

How is it that we can run programs (from icons or by opening previosly created files) but they are not listed by "Win Explorer", "All Programs", "Add or Remove" or "Run/Browse"? They are presumably hidden, but were not revealed by the "Unhide" we ran.

What fun these computers are!

Thanks

secWEL

ken545 · Jul 13, 2011

No need to run the other scans, if Housecall says no threats found then thats fine.

Not all programs you install will be in add remove or All Programs, depends on the type of programs like the online virus scanners and the scanners we used to check your system will not be listed .

How are things running now, any browser redirects or unwanted pop up windows?

secWEL · Jul 13, 2011

Hello

Thanks. I will abandon the other scans.

Current position is:
a) computer is slower than usual.
b) I cannot access various programs that were accessible via "All Programs" and/or "WinExplore" before FakeAlert visited (includes my password manager!).
c) Icons associated with some of the "before" programs are dim, but still work. The icons for the "after" programs are bright as usual.

Do you think it's time to bite the bullet and reinstall everything? Setting up new passwords will be a real pain, but if needs must..

I look forward to your comments.

Again, thank you for your interest and help.

secWEL

ken545 · Jul 13, 2011

Lets try this quick scan

Please download TDSSKiller.zip

Extract it to your desktop
Double click TDSSKiller.exe
Press Start Scan
- Only if Malicious objects are found then ensure Cure is selected
- Then click Continue > Reboot now
Copy and paste the log in your next reply
- A copy of the log will be saved automatically to the root of the drive (typically C:\)

secWEL · Jul 14, 2011

f

Hello

The scan found no infections. The report text:

2011/07/14 11:26:46.0328 3840 TDSS rootkit removing tool 2.5.11.0 Jul 11 2011 16:56:56
2011/07/14 11:26:46.0640 3840 ================================================================================
2011/07/14 11:26:46.0640 3840 SystemInfo:
2011/07/14 11:26:46.0640 3840
2011/07/14 11:26:46.0640 3840 OS Version: 5.1.2600 ServicePack: 3.0
2011/07/14 11:26:46.0640 3840 Product type: Workstation
2011/07/14 11:26:46.0656 3840 ComputerName: AMD2-3A4FB6A446
2011/07/14 11:26:46.0656 3840 UserName: WEL
2011/07/14 11:26:46.0656 3840 Windows directory: C:\WINDOWS
2011/07/14 11:26:46.0656 3840 System windows directory: C:\WINDOWS
2011/07/14 11:26:46.0656 3840 Processor architecture: Intel x86
2011/07/14 11:26:46.0656 3840 Number of processors: 2
2011/07/14 11:26:46.0656 3840 Page size: 0x1000
2011/07/14 11:26:46.0656 3840 Boot type: Normal boot
2011/07/14 11:26:46.0656 3840 ================================================================================
2011/07/14 11:26:54.0984 3840 Initialize success
2011/07/14 11:32:29.0609 4724 ================================================================================
2011/07/14 11:32:29.0609 4724 Scan started
2011/07/14 11:32:29.0609 4724 Mode: Manual;
2011/07/14 11:32:29.0609 4724 ================================================================================
2011/07/14 11:32:30.0765 4724 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/07/14 11:32:30.0812 4724 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/07/14 11:32:30.0890 4724 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/07/14 11:32:30.0953 4724 Afc (a7b8a3a79d35215d798a300df49ed23f) C:\WINDOWS\system32\drivers\Afc.sys
2011/07/14 11:32:31.0062 4724 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
2011/07/14 11:32:31.0484 4724 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/07/14 11:32:31.0515 4724 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/07/14 11:32:31.0578 4724 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/07/14 11:32:31.0671 4724 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/07/14 11:32:31.0812 4724 BANTExt (5d7be7b19e827125e016325334e58ff1) C:\WINDOWS\System32\Drivers\BANTExt.sys
2011/07/14 11:32:31.0937 4724 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/07/14 11:32:32.0156 4724 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/07/14 11:32:32.0203 4724 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/07/14 11:32:32.0328 4724 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/07/14 11:32:32.0390 4724 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/07/14 11:32:32.0453 4724 cdrbsdrv (248349293ca42ee5db61dc1fd85a2f49) C:\WINDOWS\system32\drivers\cdrbsdrv.sys
2011/07/14 11:32:32.0562 4724 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/07/14 11:32:32.0609 4724 cfwids (7fd604cd7a7a0ff8975af61bdf64c577) C:\WINDOWS\system32\drivers\cfwids.sys
2011/07/14 11:32:32.0781 4724 cmpci (e5842ccf0953d3d46d5e26427b67e901) C:\WINDOWS\system32\drivers\cmaudio.sys
2011/07/14 11:32:33.0140 4724 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/07/14 11:32:33.0218 4724 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/07/14 11:32:33.0281 4724 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/07/14 11:32:33.0296 4724 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/07/14 11:32:33.0343 4724 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/07/14 11:32:33.0421 4724 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/07/14 11:32:33.0500 4724 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/07/14 11:32:33.0562 4724 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/07/14 11:32:33.0640 4724 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/07/14 11:32:33.0671 4724 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/07/14 11:32:33.0765 4724 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/07/14 11:32:33.0828 4724 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/07/14 11:32:33.0859 4724 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/07/14 11:32:33.0890 4724 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
2011/07/14 11:32:33.0953 4724 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2011/07/14 11:32:34.0359 4724 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/07/14 11:32:34.0656 4724 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/07/14 11:32:35.0015 4724 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/07/14 11:32:35.0281 4724 hotcore3 (4bab16afc2b0029e09c67daa8ec722a2) C:\WINDOWS\system32\drivers\hotcore3.sys
2011/07/14 11:32:35.0343 4724 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/07/14 11:32:35.0468 4724 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/07/14 11:32:35.0546 4724 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/07/14 11:32:35.0734 4724 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/07/14 11:32:35.0796 4724 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/07/14 11:32:35.0843 4724 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/07/14 11:32:35.0875 4724 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/07/14 11:32:35.0921 4724 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/07/14 11:32:35.0968 4724 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/07/14 11:32:36.0031 4724 Iviaspi (4ac11b2250106774f694df2db4ffed61) C:\WINDOWS\system32\drivers\iviaspi.sys
2011/07/14 11:32:36.0156 4724 iviVD (73778be4af895e27a55c648f0d287312) C:\WINDOWS\system32\DRIVERS\iviVD.sys
2011/07/14 11:32:36.0203 4724 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/07/14 11:32:36.0250 4724 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/07/14 11:32:36.0312 4724 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/07/14 11:32:36.0375 4724 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/07/14 11:32:36.0421 4724 L8042mou (d6fc755ff505d99e6cc73e83492310df) C:\WINDOWS\system32\DRIVERS\L8042mou.Sys
2011/07/14 11:32:36.0562 4724 LHidFilt (24e0ddb99aeccf86bb37702611761459) C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys
2011/07/14 11:32:36.0687 4724 LHidKe (eaed22460dad9ccd9c9a58c78e717497) C:\WINDOWS\system32\DRIVERS\LHidKE.Sys
2011/07/14 11:32:36.0796 4724 LHidUsbK (f99fddb71da6a66ee2ebcc49f5bfadbb) C:\WINDOWS\system32\Drivers\LHidUsbK.Sys
2011/07/14 11:32:36.0984 4724 LMouFilt (d58b330d318361a66a9fe60d7c9b4951) C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys
2011/07/14 11:32:37.0109 4724 LMouKE (c149bdad13194df16ea33f9f601ed7bf) C:\WINDOWS\system32\DRIVERS\LMouKE.Sys
2011/07/14 11:32:37.0234 4724 LUsbFilt (144011d14bd35f4e36136ae057b1aadd) C:\WINDOWS\system32\Drivers\LUsbFilt.Sys
2011/07/14 11:32:37.0359 4724 LUsbKbd (d707e03cebc1a19dd920366bb8a6a640) C:\WINDOWS\system32\Drivers\LUsbKbd.Sys
2011/07/14 11:32:37.0609 4724 LVUVC (6c42815dd57e397f0cd988304b5eb4b3) C:\WINDOWS\system32\DRIVERS\lvuvc.sys
2011/07/14 11:32:37.0890 4724 MBAMProtector (3d2c13377763eeac0ca6fb46f57217ed) C:\WINDOWS\system32\drivers\mbam.sys
2011/07/14 11:32:37.0968 4724 mfeapfk (113445fc6a858ef453cded5b0a0df665) C:\WINDOWS\system32\drivers\mfeapfk.sys
2011/07/14 11:32:37.0984 4724 mfeavfk (dbf6e1b388d5c070d438c61adb990c30) C:\WINDOWS\system32\drivers\mfeavfk.sys
2011/07/14 11:32:38.0109 4724 mfebopk (a528b15e330edb83ea649be318d841d5) C:\WINDOWS\system32\drivers\mfebopk.sys
2011/07/14 11:32:38.0156 4724 mfefirek (c7da1b8003c89acedaa13768f7a1c622) C:\WINDOWS\system32\drivers\mfefirek.sys
2011/07/14 11:32:38.0296 4724 mfehidk (5e9679bb2fc4fa38ec8ca906c47acd46) C:\WINDOWS\system32\drivers\mfehidk.sys
2011/07/14 11:32:38.0359 4724 mfendisk (b1728195877b18ce63cf0cd00b2871eb) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
2011/07/14 11:32:38.0453 4724 mfendiskmp (b1728195877b18ce63cf0cd00b2871eb) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
2011/07/14 11:32:38.0546 4724 mferkdet (ce1711f7c3f72f6762abd241dcfd5ee1) C:\WINDOWS\system32\drivers\mferkdet.sys
2011/07/14 11:32:38.0671 4724 mfetdi2k (25e12c68b49a64ffc873603dfd578236) C:\WINDOWS\system32\drivers\mfetdi2k.sys
2011/07/14 11:32:38.0796 4724 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/07/14 11:32:38.0875 4724 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/07/14 11:32:38.0937 4724 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/07/14 11:32:38.0984 4724 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/07/14 11:32:39.0062 4724 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/07/14 11:32:39.0156 4724 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
2011/07/14 11:32:39.0296 4724 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
2011/07/14 11:32:39.0468 4724 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/07/14 11:32:39.0515 4724 MRxSmb (0dc719e9b15e902346e87e9dcd5751fa) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/07/14 11:32:39.0546 4724 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/07/14 11:32:39.0593 4724 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/07/14 11:32:39.0640 4724 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/07/14 11:32:39.0703 4724 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/07/14 11:32:39.0828 4724 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/07/14 11:32:39.0875 4724 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/07/14 11:32:39.0937 4724 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
2011/07/14 11:32:39.0984 4724 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/07/14 11:32:40.0078 4724 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/07/14 11:32:40.0125 4724 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/07/14 11:32:40.0156 4724 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/07/14 11:32:40.0187 4724 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/07/14 11:32:40.0218 4724 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/07/14 11:32:40.0281 4724 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/07/14 11:32:40.0390 4724 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/07/14 11:32:40.0421 4724 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/07/14 11:32:40.0515 4724 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/07/14 11:32:40.0546 4724 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/07/14 11:32:40.0593 4724 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/07/14 11:32:40.0953 4724 nv (8b2c874897ea498da012284e12f9db2b) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/07/14 11:32:41.0437 4724 nvata (947c4a0e7b25bcecc3b40f0f1070378b) C:\WINDOWS\system32\DRIVERS\nvata.sys
2011/07/14 11:32:41.0484 4724 nvgts (52dce3b30c9d61c8e20fe3c6da4bdfb7) C:\WINDOWS\system32\DRIVERS\nvgts.sys
2011/07/14 11:32:41.0531 4724 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/07/14 11:32:41.0578 4724 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/07/14 11:32:41.0671 4724 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/07/14 11:32:41.0734 4724 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/07/14 11:32:41.0796 4724 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/07/14 11:32:41.0812 4724 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/07/14 11:32:41.0906 4724 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/07/14 11:32:41.0953 4724 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/07/14 11:32:42.0171 4724 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/07/14 11:32:42.0234 4724 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/07/14 11:32:42.0296 4724 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/07/14 11:32:42.0343 4724 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/07/14 11:32:42.0390 4724 PxHelp20 (40fedd328f98245ad201cf5f9f311724) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/07/14 11:32:42.0562 4724 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/07/14 11:32:42.0640 4724 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/07/14 11:32:42.0656 4724 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/07/14 11:32:42.0734 4724 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/07/14 11:32:42.0781 4724 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/07/14 11:32:42.0812 4724 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/07/14 11:32:42.0859 4724 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/07/14 11:32:42.0921 4724 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/07/14 11:32:42.0984 4724 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/07/14 11:32:43.0078 4724 RTL8023xp (cf84b1f0e8b14d4120aaf9cf35cbb265) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
2011/07/14 11:32:43.0203 4724 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2011/07/14 11:32:43.0250 4724 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/07/14 11:32:43.0343 4724 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/07/14 11:32:43.0390 4724 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/07/14 11:32:43.0453 4724 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/07/14 11:32:43.0546 4724 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/07/14 11:32:43.0640 4724 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/07/14 11:32:43.0812 4724 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/07/14 11:32:43.0890 4724 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/07/14 11:32:43.0953 4724 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/07/14 11:32:44.0015 4724 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/07/14 11:32:44.0046 4724 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/07/14 11:32:44.0156 4724 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/07/14 11:32:44.0234 4724 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/07/14 11:32:44.0312 4724 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/07/14 11:32:44.0359 4724 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/07/14 11:32:44.0406 4724 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/07/14 11:32:44.0500 4724 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/07/14 11:32:44.0578 4724 UimBus (e3cfd4fce555784869a9243a71efcb22) C:\WINDOWS\system32\DRIVERS\UimBus.sys
2011/07/14 11:32:44.0671 4724 Uim_IM (5237bb4b8390325936a38b55d72c23b4) C:\WINDOWS\system32\Drivers\Uim_IM.sys
2011/07/14 11:32:44.0843 4724 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/07/14 11:32:44.0921 4724 USBAAPL (d4fb6ecc60a428564ba8768b0e23c0fc) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/07/14 11:32:45.0218 4724 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/07/14 11:32:45.0281 4724 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/07/14 11:32:45.0343 4724 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/07/14 11:32:45.0375 4724 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/07/14 11:32:45.0406 4724 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/07/14 11:32:45.0437 4724 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/07/14 11:32:45.0500 4724 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/07/14 11:32:45.0546 4724 USBSNXSTOR (ec6397ef52080f1ad636df3d8e2ebe29) C:\WINDOWS\system32\DRIVERS\Usbsnx2k.SYS
2011/07/14 11:32:45.0687 4724 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/07/14 11:32:45.0750 4724 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
2011/07/14 11:32:45.0781 4724 usb_rndisx (b6cc50279d6cd28e090a5d33244adc9a) C:\WINDOWS\system32\DRIVERS\usb8023x.sys
2011/07/14 11:32:45.0890 4724 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/07/14 11:32:45.0968 4724 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/07/14 11:32:46.0046 4724 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/07/14 11:32:46.0093 4724 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2011/07/14 11:32:46.0265 4724 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/07/14 11:32:46.0375 4724 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/07/14 11:32:46.0421 4724 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/07/14 11:32:46.0515 4724 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/07/14 11:32:46.0546 4724 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/07/14 11:32:46.0593 4724 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/07/14 11:32:46.0718 4724 MBR (0x1B8) (bd58f6a1fe22e7d1550df0c62ade9830) \Device\Harddisk1\DR1
2011/07/14 11:32:46.0968 4724 MBR (0x1B8) (8ff255184f078c9c04e6a2ce66117c5c) \Device\Harddisk2\DR13
2011/07/14 11:32:46.0984 4724 Boot (0x1200) (3dadafad81db6e2222574ae25839efb8) \Device\Harddisk0\DR0\Partition0
2011/07/14 11:32:47.0015 4724 Boot (0x1200) (f15bd1e8c609a1396c25efb745e2864c) \Device\Harddisk0\DR0\Partition1
2011/07/14 11:32:47.0031 4724 Boot (0x1200) (0b3274c68810a23fa8c14b3b9b189373) \Device\Harddisk1\DR1\Partition0
2011/07/14 11:32:47.0046 4724 Boot (0x1200) (616089e4188ca5f4c953600d74584f02) \Device\Harddisk1\DR1\Partition1
2011/07/14 11:32:47.0046 4724 Boot (0x1200) (72d57d9a51034c78e46b0c7ac743bc68) \Device\Harddisk1\DR1\Partition2
2011/07/14 11:32:47.0062 4724 Boot (0x1200) (d06b414010a4767708a01274b6d066bb) \Device\Harddisk1\DR1\Partition3
2011/07/14 11:32:47.0078 4724 Boot (0x1200) (62b6726c684c48a90205dd24108836bc) \Device\Harddisk1\DR1\Partition4
2011/07/14 11:32:47.0078 4724 Boot (0x1200) (ea82a9fb44b6c135bd1e4380ba155414) \Device\Harddisk1\DR1\Partition5
2011/07/14 11:32:47.0093 4724 Boot (0x1200) (faf775768c23b93ac48e29eab1cffef8) \Device\Harddisk1\DR1\Partition6
2011/07/14 11:32:47.0109 4724 Boot (0x1200) (d9af543480082164286dfcb87cffdc61) \Device\Harddisk1\DR1\Partition7
2011/07/14 11:32:47.0109 4724 Boot (0x1200) (0aacdc8067d4e2310cc52fa255f707e5) \Device\Harddisk1\DR1\Partition8
2011/07/14 11:32:47.0125 4724 Boot (0x1200) (5c4d7bc7806a9c484dd66bae80683e56) \Device\Harddisk2\DR13\Partition0
2011/07/14 11:32:47.0140 4724 ================================================================================
2011/07/14 11:32:47.0140 4724 Scan finished
2011/07/14 11:32:47.0140 4724 ================================================================================
2011/07/14 11:32:47.0140 2120 Detected object count: 0
2011/07/14 11:32:47.0140 2120 Actual detected object count: 0

END OF REPORT

I ran the scan twice because I could not find the log of the first run.
The result was the same - no infection.

I suppose the problem now is to find and repair all the damage done by FakeAlert. What would have happened if I paid them? Probably another event and demand for cash in the near future.

Thanks again.

secWEL

ken545 · Jul 14, 2011

The greater percentage of this garbage comes from the uKraine, where there are actually gangs of cyber criminals, these dirt bags make a lot of money duping clueless people into taking the bait. If you would have purchased the program, first off it would not have changed things, you would still be infected, by there rogue program, nothing else, second you would have given your credit card number and whatever else they asked for to Cyber Criminals. :sad:

Looks like there is no rootkit , thats good :bigthumb:

Why dont you post here in this windows forum and let them help you sort out those problems, we just do malware removal on this one, but all us forums work together so link them to this thread so they can see what we have done and if they feel its not windows related and still malware we can dig deeper if need be.

Like Safer its free but you will need to register
http://forums.whatthetech.com/index.php?showforum=119

Ken

secWEL · Jul 14, 2011

Hello Ken

I am trying the "Tech".

Thank you for all your time and help. I would like to learn to work with you, but at 80 I am a bit long in the tooth.

Be lucky.

Thank you.

Bill Lewis
secWEL

ken545 · Jul 14, 2011

Hello Bill,

Thank you for all your time and help. I would like to learn to work with you, but at 80 I am a bit long in the tooth.

:laugh:

Well, I am 72 myself, been at this for almost 10 years, been in computing since windows 3.1, malware knows no age boundaries

Good luck on the tech forum, I will keep this open for you for about a week in case you need to come back, if its closed just start a new topic

secWEL · Jul 17, 2011

Hello Ken

jimbo1 at the "Tech" suggested I try another unhide and it worked. All programs now appear in all lists, my password manager is back and all icons are bright. Magic!

I am truly grateful for your help and will make a donation to the funds (circumstances mean it will be modest and by no means an assessment of value received).

I need to make changes in my computer setup and will certainly try to tighten security.

Perhaps circumstances wil allow me to take the training so that I can try to help you folks.

Fight the good fight and be lucky!

With many thanks

Bill Lewis
secWEL:thanks:

ken545 · Jul 17, 2011

Thats great Bill, glad to hear all is well :bigthumb:

Click START then RUN
Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.

Open OTL and click on Clean Up and it will remove programs we used to clean your system along with there backups

Malwarebytes is the free version and yours to keep and will not be removed

Keeping your Java updated is very important to the security of your system, info here on how to update
http://forums.spybot.info/showpost.php?p=12880&postcount=2

How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore <-- Do this first to prevent yourself from being reinfected.
WhattheTech
Grinler BleepingComputer
GeeksTo Go
Dslreports

Safe Surfn
Ken

secWEL · Jul 18, 2011

Hello Ken

Thanks for your further help. I will put all of your recommendatios into practice.

Be lucky

Bill

FakeAlert Damage

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member